CVE-2025-53945

@@ -257,6 +257,9 @@ func updateCache(ctx context.Context, fsys apkfs.FullFS) error {
 	if err := cacheFile.Write(lsc); err != nil {
 		return fmt.Errorf("writing /etc/ld.so.cache: %w", err)
 	}
+	if err := fsys.Chmod("etc/ld.so.cache", 0644); err != nil {
+		return fmt.Errorf("chmod /etc/ld.so.cache: %w", err)
+	}
 
 	return nil
 }

@@ -0,0 +1,15 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/

@@ -0,0 +1,603 @@
+// Copyright 2023 Chainguard, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ldsocache
+
+import (
+	"bytes"
+	"debug/elf"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"unsafe"
+)
+
+const debug = false
+
+const ldsoMagic = "glibc-ld.so.cache"
+const ldsoVersion = "1.1"
+const ldsoExtensionMagic = 0xEAA42174
+
+const (
+	FlagANY                 uint32 = 0xffff
+	FlagTYPEMASK            uint32 = 0x00ff
+	FlagLIBC4               uint32 = 0x0000
+	FlagELF                 uint32 = 0x0001
+	FlagELFLIBC5            uint32 = 0x0002
+	FlagELFLIBC6            uint32 = 0x0003
+	FlagREQUIREDMASK        uint32 = 0xff00
+	FlagSPARCLIB64          uint32 = 0x0100
+	FlagX8664LIB64          uint32 = 0x0300
+	FlagS390LIB64           uint32 = 0x0400
+	FlagPOWERPCLIB64        uint32 = 0x0500
+	FlagMIPS64LIBN32        uint32 = 0x0600
+	FlagMIPS64LIBN64        uint32 = 0x0700
+	FlagX8664LIBX32         uint32 = 0x0800
+	FlagARMLIBHF            uint32 = 0x0900
+	FlagAARCH64LIB64        uint32 = 0x0a00
+	FlagARMLIBSF            uint32 = 0x0b00
+	FlagMIPSLIB32NAN2008    uint32 = 0x0c00
+	FlagMIPS64LIBN32NAN2008 uint32 = 0x0d00
+	FlagMIPS64LIBN64NAN2008 uint32 = 0x0e00
+	FlagRISCVFLOATABISOFT   uint32 = 0x0f00
+	FlagRISCVFLOATABIDOUBLE uint32 = 0x1000
+	FlagLARCHFLOATABISOFT   uint32 = 0x1100
+	FlagLARCHFLOATABIDOUBLE uint32 = 0x1200
+)
+
+type LDSORawCacheHeader struct {
+	Magic   [17]byte
+	Version [3]byte
+
+	NumLibs      uint32
+	StrTableSize uint32
+
+	Flags   uint8
+	Unused0 [3]byte
+
+	ExtOffset uint32
+
+	Unused1 [3]uint32
+}
+
+type LDSORawCacheEntry struct {
+	Flags uint32
+
+	// Offsets in string table.
+	Key   uint32
+	Value uint32
+
+	OSVersionNeeded uint32
+	HWCapNeeded     uint64
+}
+
+type LDSOCacheEntry struct {
+	Flags uint32
+
+	Name string
+
+	OSVersionNeeded uint32
+	HWCapNeeded     uint64
+}
+
+type LDSOCacheExtensionHeader struct {
+	Magic uint32
+	Count uint32
+}
+
+type LDSOCacheExtensionSectionHeader struct {
+	Tag    uint32
+	Flags  uint32
+	Offset uint32
+	Size   uint32
+}
+
+type LDSOCacheExtensionSection struct {
+	Header LDSOCacheExtensionSectionHeader
+	Data   []byte
+}
+
+type LDSOCacheFile struct {
+	Header     LDSORawCacheHeader
+	Entries    []LDSOCacheEntry
+	Extensions []LDSOCacheExtensionSection
+}
+
+func Debugf(format string, args ...any) {
+	if !debug {
+		return
+	}
+	log.Printf(format, args...)
+}
+
+// accepts a library name and returns its name and a version
+// ex: "libfoo.so.1" -> "libfoo", "1"
+// ex: "libbar.so" -> "libbar", ""
+//
+// returns an error if realname doesn't comply w/ the name scheme
+func ParseLibFilename(realname string) (string, string, error) {
+	var name string
+	var ver string
+	// ldconfig(8) says it "will look only at files that are named lib*.so*
+	// (for regular shared objects) or ld-*.so* (for the dynamic loader itself).
+	// Other files will be ignored.
+	if !strings.HasPrefix(realname, "lib") && !strings.HasPrefix(realname, "ld-") {
+		return "", "", fmt.Errorf("filename does not start with 'lib' or 'ld-': %s", realname)
+	}
+	if strings.HasSuffix(realname, ".so") {
+		name = strings.TrimSuffix(realname, ".so")
+		ver = ""
+		return name, ver, nil
+	}
+	idx := strings.LastIndex(realname, ".so.")
+	if idx < 1 {
+		return "", "", fmt.Errorf("invalid library name: %s", realname)
+	}
+	name = realname[:idx]
+	ver = realname[idx+len(".so."):]
+
+	return name, ver, nil
+}
+
+// Scan `libdir` for shared libraries. Adds a new entry into `entryMap` for
+// any that don't already have an entry there.
+func AddLDSOCacheEntriesForDir(fsys fs.FS, libdir string, entryMap map[string]LDSOCacheEntry) error {
+	var err error
+	// fs.FS wants all file paths to be relative
+	if filepath.IsAbs(libdir) {
+		libdir, err = filepath.Rel("/", libdir)
+		if err != nil {
+			return err
+		}
+	}
+	dirents, err := fs.ReadDir(fsys, libdir)
+	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil
+		}
+		return err
+	}
+
+	for _, dirent := range dirents {
+		realname := dirent.Name()
+		fullpath := filepath.Join(libdir, realname)
+		mode := dirent.Type()
+		isLink := (mode&fs.ModeSymlink != 0)
+
+		if isLink {
+			// Stat follows symlinks
+			info, err := fs.Stat(fsys, fullpath)
+			if err != nil {
+				Debugf("Warning: Could not stat %s\n", fullpath)
+				continue
+			}
+			if !info.Mode().IsRegular() {
+				Debugf("DEBUG: Skipping %s, not a link to a regular file\n", fullpath)
+				continue
+			}
+		}
+
+		if !(mode.IsRegular() || isLink) {
+			continue
+		}
+		libf, err := fsys.Open(fullpath)
+		if err != nil {
+			Debugf("Warning: could not open %s\n", fullpath)
+			continue
+		}
+		defer libf.Close()
+		var libfReaderAt io.ReaderAt
+		libfReaderAt, ok := libf.(io.ReaderAt)
+		if !ok {
+			// Ugly: Work around lack of ReaderAt support by
+			// reading the entire file into memory
+			buf, err := fs.ReadFile(fsys, fullpath)
+			if err != nil {
+				Debugf("DEBUG: Unable to open %s\n", fullpath)
+				continue
+			}
+			libf.Close()
+			libfReaderAt = bytes.NewReader(buf)
+		}
+		elflibf, err := elf.NewFile(libfReaderAt)
+		if err != nil {
+			Debugf("DEBUG: Unable to open %s as ELF\n", fullpath)
+			continue
+		}
+		// FIXME: do we need to check for the ELF magic bytes?
+		if elflibf.FileHeader.Type != elf.ET_DYN {
+			continue
+		}
+		flags := uint32(0)
+		flags |= FlagELF
+		// FIXME: Shouldn't just assert this
+		flags |= FlagELFLIBC6
+		sonames, err := elflibf.DynString(elf.DT_SONAME)
+		if err != nil {
+			continue
+		}
+		switch elflibf.FileHeader.Machine {
+		case elf.EM_X86_64:
+			flags |= FlagX8664LIB64
+		case elf.EM_AARCH64:
+			flags |= FlagAARCH64LIB64
+		// FIXME: Add other architectures
+		default:
+			return fmt.Errorf("unknown machine type")
+		}
+		libf.Close()
+
+		// ldconfig will add an entry for a .so file even if it has
+		// no SONAME. Observed with libR.so on Ubuntu.
+		if len(sonames) == 0 && strings.HasSuffix(realname, ".so") {
+			sonames = append(sonames, realname)
+			Debugf("DEBUG: %s has no SONAME, using filename as an SONAME\n", realname)
+		}
+
+		if len(sonames) == 0 && strings.HasSuffix(realname, ".so") {
+			sonames = append(sonames, realname)
+			Debugf("DEBUG: %s has no DT_SONAME, using %s as an SONAME\n", realname, realname)
+		}
+
+		for _, soname := range sonames {
+			fname, _, err := ParseLibFilename(soname)
+			if err != nil {
+				continue
+			}
+			linkname := fname + ".so"
+			if realname != soname && realname != linkname {
+				Debugf("DEBUG: Skipping %s because it doesn't match soname %s or linkname %s\n", realname, soname, linkname)
+				continue
+			}
+			_, ok := entryMap[realname]
+			if ok {
+				continue
+			}
+			entryMap[realname] = LDSOCacheEntry{
+				// fullpath is relative to "/"
+				Name:            filepath.Join("/", fullpath),
+				Flags:           flags,
+				OSVersionNeeded: 0,
+				HWCapNeeded:     0,
+			}
+		}
+	}
+	return nil
+}
+
+func AddLDSOCacheEntriesForDirs(fsys fs.FS, libdirs []string) ([]LDSOCacheEntry, error) {
+	entryMap := map[string]LDSOCacheEntry{}
+
+	for _, libdir := range libdirs {
+		err := AddLDSOCacheEntriesForDir(fsys, libdir, entryMap)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	keys := make([]string, 0, len(entryMap))
+	for k := range entryMap {
+		keys = append(keys, k)
+	}
+	slices.Sort(keys)
+	entries := make([]LDSOCacheEntry, 0, len(entryMap))
+	for _, k := range keys {
+		entries = append(entries, entryMap[k])
+	}
+
+	return entries, nil
+}
+
+func BuildCacheFileForDirs(fsys fs.FS, libdirs []string) (*LDSOCacheFile, error) {
+	entries, err := AddLDSOCacheEntriesForDirs(fsys, libdirs)
+	if err != nil {
+		return nil, err
+	}
+
+	header := LDSORawCacheHeader{
+		Magic:   [17]byte([]byte(ldsoMagic)),
+		Version: [3]byte([]byte(ldsoVersion)),
+		NumLibs: (uint32)(len(entries)),
+	}
+
+	cf := LDSOCacheFile{
+		Header:  header,
+		Entries: entries,
+	}
+
+	return &cf, nil
+}
+
+// LoadCacheFile attempts to load a cache file from disk.  When
+// successful, it returns an LDSOCacheFile pointer which contains
+// all relevant information from the cache file.
+func LoadCacheFile(path string) (*LDSOCacheFile, error) {
+	bindata, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	r := bytes.NewReader(bindata)
+
+	// TODO(kaniini): Use binary.BigEndian for BE targets.
+	header := LDSORawCacheHeader{}
+	if err := binary.Read(r, binary.LittleEndian, &header); err != nil {
+		return nil, err
+	}
+
+	rawlibs := []LDSORawCacheEntry{}
+	for i := uint32(0); i < header.NumLibs; i++ {
+		rawlib := LDSORawCacheEntry{}
+		if err := binary.Read(r, binary.LittleEndian, &rawlib); err != nil {
+			return nil, err
+		}
+
+		rawlibs = append(rawlibs, rawlib)
+	}
+
+	pos, err := r.Seek(0, io.SeekCurrent)
+	if err != nil {
+		return nil, err
+	}
+
+	// The string table is a series of nul-terminated C strings.
+	strtable := make([]byte, header.StrTableSize)
+	if _, err := r.Read(strtable); err != nil {
+		return nil, err
+	}
+
+	// Now build the cache index itself.
+	entries := []LDSOCacheEntry{}
+	for _, rawlib := range rawlibs {
+		entry := LDSOCacheEntry{
+			Flags:           rawlib.Flags,
+			OSVersionNeeded: rawlib.OSVersionNeeded,
+			HWCapNeeded:     rawlib.HWCapNeeded,
+		}
+
+		name := extractShlibName(strtable, rawlib.Value-uint32(pos))
+		entry.Name = name
+
+		entries = append(entries, entry)
+	}
+
+	// Extension data begins at the next 4-byte aligned position.
+	pos, err = r.Seek(0, io.SeekCurrent)
+	if err != nil {
+		return nil, err
+	}
+
+	// Align to nearest 4 byte boundary.
+	alignedPos := (pos & -16) + 8
+	_, err = r.Seek(alignedPos, io.SeekStart)
+	if err != nil {
+		return nil, err
+	}
+
+	file := LDSOCacheFile{
+		Header:  header,
+		Entries: entries,
+	}
+
+	// Check for a cache extension section.
+	extHeader := LDSOCacheExtensionHeader{}
+	if err := binary.Read(r, binary.LittleEndian, &extHeader); err != nil {
+		return &file, nil
+	}
+	if extHeader.Magic != ldsoExtensionMagic {
+		return &file, nil
+	}
+
+	// Parse the extension chunks we understand.
+	sections := []*LDSOCacheExtensionSection{}
+	for i := uint32(0); i < extHeader.Count; i++ {
+		sectionHeader := LDSOCacheExtensionSectionHeader{}
+		if err := binary.Read(r, binary.LittleEndian, &sectionHeader); err != nil {
+			return &file, nil
+		}
+
+		section := &LDSOCacheExtensionSection{Header: sectionHeader}
+		sections = append(sections, section)
+	}
+
+	// Load extension data.
+	for _, section := range sections {
+		pos, err = r.Seek(int64(section.Header.Offset), io.SeekStart)
+		if err != nil {
+			return &file, nil
+		}
+		if pos != int64(section.Header.Offset) {
+			return &file, nil
+		}
+
+		section.Data = make([]byte, section.Header.Size)
+		if _, err := r.Read(section.Data); err != nil {
+			return &file, nil
+		}
+	}
+
+	for _, section := range sections {
+		file.Extensions = append(file.Extensions, *section)
+	}
+
+	return &file, nil
+}
+
+// extractShlibName extracts a shared library from the string table.
+func extractShlibName(strtable []byte, startIdx uint32) string {
+	subset := strtable[startIdx:]
+	terminatorPos := bytes.IndexByte(subset, 0x0)
+
+	if terminatorPos == -1 {
+		return string(subset)
+	}
+
+	return string(subset[:terminatorPos])
+}
+
+func (cf *LDSOCacheFile) Write(w io.Writer) error {
+	buf := &bytes.Buffer{}
+
+	// Calculate the size of the file entry table for use
+	// when calculating the file entry string table offsets.
+	fileEntryTableSize := int(unsafe.Sizeof(LDSORawCacheHeader{}) + (uintptr(len(cf.Entries)) * unsafe.Sizeof(LDSORawCacheEntry{})))
+
+	// Build the string table.
+	lrcEntries := []LDSORawCacheEntry{}
+	stringTable := []byte{}
+	for _, lib := range cf.Entries {
+		cursor := uint32(fileEntryTableSize) + uint32(len(stringTable))
+		entry := []byte(lib.Name)
+		entry = append(entry, byte(0x0))
+		stringTable = append(stringTable, entry...)
+
+		lrcEntry := LDSORawCacheEntry{
+			Flags:           lib.Flags,
+			Key:             cursor + uint32(len(filepath.Dir(lib.Name))+1),
+			Value:           cursor,
+			OSVersionNeeded: lib.OSVersionNeeded,
+			HWCapNeeded:     lib.HWCapNeeded,
+		}
+
+		lrcEntries = append(lrcEntries, lrcEntry)
+	}
+
+	// Write the header section.
+	cf.Header.NumLibs = uint32(len(lrcEntries))
+	cf.Header.StrTableSize = uint32(len(stringTable))
+	if err := cf.Header.Write(buf); err != nil {
+		return err
+	}
+
+	// Write the file entry table.
+	if err := binary.Write(buf, binary.LittleEndian, &lrcEntries); err != nil {
+		return err
+	}
+
+	// Write the string table.
+	if _, err := buf.Write(stringTable); err != nil {
+		return err
+	}
+
+	pos := buf.Len()
+	alignedPos := (pos & ^(0x10 - 1)) + 0x10
+
+	pad := make([]byte, alignedPos-pos)
+	if _, err := buf.Write(pad); err != nil {
+		return err
+	}
+
+	// Write the extension sections.
+	if len(cf.Extensions) > 0 {
+		ehdr := LDSOCacheExtensionHeader{
+			Magic: ldsoExtensionMagic,
+			Count: uint32(len(cf.Extensions)),
+		}
+
+		if err := binary.Write(buf, binary.LittleEndian, &ehdr); err != nil {
+			return err
+		}
+
+		for _, ext := range cf.Extensions {
+			if err := binary.Write(buf, binary.LittleEndian, ext.Header); err != nil {
+				return err
+			}
+		}
+
+		for _, ext := range cf.Extensions {
+			if _, err := buf.Write(ext.Data); err != nil {
+				return err
+			}
+		}
+	}
+
+	_, err := io.Copy(w, buf)
+	return err
+}
+
+// Write writes a header for a cache file to disk.
+func (hdr *LDSORawCacheHeader) Write(w io.Writer) error {
+	if err := binary.Write(w, binary.LittleEndian, hdr); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Parse an ld.so.conf file, following include directives and globs
+// Return a slice of directory paths
+func ParseLDSOConf(fsys fs.FS, ldsoconf string) ([]string, error) {
+	conf, err := fsys.Open(ldsoconf)
+	if err != nil {
+		Debugf("Warning: Could not open config file %s\n", ldsoconf)
+		return nil, err
+	}
+	defer conf.Close()
+	contents, err := io.ReadAll(conf)
+	if err != nil {
+		Debugf("Warning: Could not read config file %s\n", ldsoconf)
+		return nil, err
+	}
+	libpaths := []string{}
+
+	lines := strings.Split(string(contents), "\n")
+	for _, line := range lines {
+		idx := strings.Index(line, "#")
+		if idx > -1 {
+			line = line[:idx]
+		}
+		line = strings.TrimSpace(line)
+		if len(line) == 0 {
+			continue
+		}
+		glob, isInclude := strings.CutPrefix(line, "include ")
+		if isInclude {
+			glob = strings.TrimSpace(glob)
+			glob = strings.TrimLeft(glob, "/")
+			matches, err := fs.Glob(fsys, glob)
+			if err != nil {
+				Debugf("Warning: glob error in %s: %s", ldsoconf, glob)
+				continue
+			}
+			if len(matches) == 0 {
+				Debugf("Warning: No matches for glob %s in %s\n", glob, ldsoconf)
+			}
+
+			for _, match := range matches {
+				incpaths, err := ParseLDSOConf(fsys, match)
+				if err != nil {
+					Debugf("Warning: Could not parse config file %s\n", match)
+					continue
+				}
+				libpaths = append(libpaths, incpaths...)
+			}
+			return libpaths, nil
+		}
+
+		libpath := line
+		if slices.Contains(libpaths, libpath) {
+			Debugf("Warning: Skipping %s because we've already seen it\n", libpath)
+			continue
+		}
+		libpaths = append(libpaths, libpath)
+	}
+	return libpaths, nil
+}

@@ -0,0 +1,136 @@
+package ldsocache
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_LoadCacheFile(t *testing.T) {
+	cacheFile, err := LoadCacheFile("testdata/ld.so.cache")
+	require.NoError(t, err)
+	require.Equalf(t, uint32(65), cacheFile.Header.NumLibs, "there should be 65 libraries in this cache file")
+	require.Equalf(t, uint32(1421), cacheFile.Header.StrTableSize, "the string table should be 1421 bytes long")
+	require.Equalf(t, 1, len(cacheFile.Extensions), "there must be 1 extension")
+
+	ext := cacheFile.Extensions[0]
+	require.Equalf(t, uint32(0), ext.Header.Tag, "extension data must be tag 0 (generator)")
+	require.Equalf(t, []byte("ldconfig (GNU libc) stable release version 2.36"), ext.Data, "must be generated by glibc 2.36")
+}
+
+func Test_WriteCacheFile(t *testing.T) {
+	cacheFile, err := LoadCacheFile("testdata/ld.so.cache")
+	require.NoError(t, err)
+	out, err := os.Create("testdata/ld.so.cache-new")
+	require.NoError(t, err)
+	err = cacheFile.Write(out)
+	require.NoError(t, err)
+}
+
+func Test_ParseLibFilename(t *testing.T) {
+	name, ver, err := ParseLibFilename("libfoo.so.1")
+	require.NoError(t, err)
+	require.Equal(t, name, "libfoo")
+	require.Equal(t, ver, "1")
+}
+
+func Test_ParseLibFilename_Versioned_DotOne(t *testing.T) {
+	name, ver, err := ParseLibFilename("libfoo.so.1")
+	require.NoError(t, err)
+	require.Equal(t, name, "libfoo")
+	require.Equal(t, ver, "1")
+}
+
+func Test_ParseLibFilename_Versioned_DotOneDotTwo(t *testing.T) {
+	name, ver, err := ParseLibFilename("libfoo.so.1.2")
+	require.NoError(t, err)
+	require.Equal(t, name, "libfoo")
+	require.Equal(t, ver, "1.2")
+}
+
+func Test_ParseLibFilename_Versioned_SoSo_DotOne(t *testing.T) {
+	name, ver, err := ParseLibFilename("libso.so.1")
+	require.NoError(t, err)
+	require.Equal(t, name, "libso")
+	require.Equal(t, ver, "1")
+}
+
+func Test_ParseLibFilename_Unversioned_SoSo(t *testing.T) {
+	name, ver, err := ParseLibFilename("libso.so")
+	require.NoError(t, err)
+	require.Equal(t, name, "libso")
+	require.Equal(t, ver, "")
+}
+
+func Test_ParseLibFilename_Unversioned_SoDotSoDotSo(t *testing.T) {
+	name, ver, err := ParseLibFilename("libso.so.so")
+	require.NoError(t, err)
+	require.Equal(t, name, "libso.so")
+	require.Equal(t, ver, "")
+}
+
+func Test_ParseLibFilename_Versioned_SoDotSoDotSoVer(t *testing.T) {
+	name, ver, err := ParseLibFilename("libso.so.so.7")
+	require.NoError(t, err)
+	require.Equal(t, name, "libso.so")
+	require.Equal(t, ver, "7")
+}
+
+func Test_ParseLibFilename_HangingSo(t *testing.T) {
+	// Unclear if this should be an error
+	name, ver, err := ParseLibFilename("libfoo.so.")
+	require.NoError(t, err)
+	require.Equal(t, name, "libfoo")
+	require.Equal(t, ver, "")
+}
+
+func Test_ParseLibFilename_Versioned_NoName(t *testing.T) {
+	// Unclear if this should be an error
+	name, ver, err := ParseLibFilename("lib.so")
+	require.NoError(t, err)
+	require.Equal(t, name, "lib")
+	require.Equal(t, ver, "")
+}
+
+func Test_ParseLibFilename_NoLibPrefix(t *testing.T) {
+	_, _, err := ParseLibFilename("foo.so.1")
+	require.Error(t, err)
+}
+
+func Test_ParseLibFilename_NoSo(t *testing.T) {
+	_, _, err := ParseLibFilename("libfoo.no.1")
+	require.Error(t, err)
+}
+
+func Test_ParseLDSOConf_Simple(t *testing.T) {
+	fsys := os.DirFS("testdata")
+	dirs, err := ParseLDSOConf(fsys, "ld.so.conf.simple")
+	require.NoError(t, err)
+	require.Equal(t, 1, len(dirs))
+	require.Equal(t, "/lib", dirs[0])
+}
+
+func Test_ParseLDSOConf_Glob(t *testing.T) {
+	fsys := os.DirFS("testdata")
+	dirs, err := ParseLDSOConf(fsys, "ld.so.conf.glob")
+	require.NoError(t, err)
+	require.Contains(t, dirs, "/a/libs")
+	require.Contains(t, dirs, "/b/libs")
+}
+
+// Commented-out because it is uses the host system.
+//
+// func Test_GenerateCacheFile(t *testing.T) {
+// 	libdirs := []string{"/lib"}
+// 	root := os.DirFS("/")
+// 	dirs, err := ParseLDSOConf(root, "etc/ld.so.conf")
+// 	require.NoError(t, err)
+// 	libdirs = append(libdirs, dirs...)
+// 	cacheFile, err := BuildCacheFileForDirs(root, libdirs)
+// 	require.NoError(t, err)
+// 	lsc, err := os.Create("testdata/ld.so.cache-generated")
+// 	require.NoError(t, err)
+// 	err = cacheFile.Write(lsc)
+// 	require.NoError(t, err)
+// }

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

@@ -0,0 +1,2 @@
+# ldso-cache
+reading and writing of glibc /etc/ld.so.cache files

@@ -0,0 +1 @@
+/a/libs

@@ -0,0 +1 @@
+/b/libs

@@ -0,0 +1 @@
+include ld.so.conf.d/*.conf

@@ -0,0 +1 @@
+/lib

@@ -28,13 +28,13 @@ import (
 	"runtime"
 	"sync"
 
+	"github.com/chainguard-dev/clog"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	v1types "github.com/google/go-containerregistry/pkg/v1/types"
 	gzip "github.com/klauspost/pgzip"
 	"github.com/sigstore/cosign/v2/pkg/oci"
 
-	"github.com/chainguard-dev/clog"
-
+	ldsocache "chainguard.dev/apko/internal/ldso-cache"
 	"chainguard.dev/apko/pkg/apk/apk"
 	"chainguard.dev/apko/pkg/lock"
 	"chainguard.dev/apko/pkg/options"
@@ -236,6 +236,32 @@ func (bc *Context) buildImage(ctx context.Context) ([]*apk.Package, error) {
 		return nil, err
 	}
 
+	if _, err := bc.fs.Stat("etc/ld.so.conf"); err == nil {
+		log.Debug("updating /etc/ld.so.cache")
+		libdirs := []string{"/lib"}
+		dirs, err := ldsocache.ParseLDSOConf(bc.fs, "etc/ld.so.conf")
+		if err != nil {
+			return nil, err
+		}
+		libdirs = append(libdirs, dirs...)
+		cacheFile, err := ldsocache.BuildCacheFileForDirs(
+			bc.fs, libdirs,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed generating ldsocache")
+		}
+		lsc, err := bc.fs.Create("etc/ld.so.cache")
+		if err != nil {
+			return nil, fmt.Errorf("unable to create /etc/ld.so.cache")
+		}
+		err = cacheFile.Write(lsc)
+		if err != nil {
+			return nil, fmt.Errorf("unable to write /etc/ld.so.cache")
+		}
+	} else {
+		log.Debug("/etc/ld.so.conf not found, skipping /etc/ld.so.cache update")
+	}
+
 	log.Debug("finished building filesystem")
 
 	return pkgs, nil