Merge "Workaround string-plus-int warning"
diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp
index f1fbfa9..b229cda 100644
--- a/libc/bionic/libc_init_common.cpp
+++ b/libc/bionic/libc_init_common.cpp
@@ -298,11 +298,26 @@
unsigned long is_AT_SECURE = getauxval(AT_SECURE);
if (errno != 0) __early_abort(__LINE__);
- if (is_AT_SECURE) {
- // If this is a setuid/setgid program, close the security hole described in
- // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
+ // Always ensure that STDIN/STDOUT/STDERR exist. This prevents file
+ // descriptor confusion bugs where a parent process closes
+ // STD*, the exec()d process calls open() for an unrelated reason,
+ // the newly created file descriptor is assigned
+ // 0<=FD<=2, and unrelated code attempts to read / write to the STD*
+ // FDs.
+ // In particular, this can be a security bug for setuid/setgid programs.
+ // For example:
+ // https://www.freebsd.org/security/advisories/FreeBSD-SA-02:23.stdio.asc
+ // However, for robustness reasons, we don't limit these protections to
+ // just security critical executables.
+ //
+ // Init is excluded from these protections unless AT_SECURE is set, as
+ // /dev/null and/or /sys/fs/selinux/null will not be available at
+ // early boot.
+ if ((getpid() != 1) || is_AT_SECURE) {
__nullify_closed_stdio();
+ }
+ if (is_AT_SECURE) {
__sanitize_environment_variables(env);
}
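Review bot: The new guard `if ((getpid() != 1) || is_AT_SECURE)` identifies init purely by PID, so a process that runs as PID 1 inside its own PID namespace (a container entrypoint, for example) is also exempted from `__nullify_closed_stdio()` unless AT_SECURE is set, and the comment above it does not say so. I would add a line to that comment such as `// Note: getpid() == 1 also matches PID 1 of a child PID namespace; such processes are not covered.` so the gap is a documented decision rather than an accident. Separately, the failure handling of `__nullify_closed_stdio()` is not visible here; if it aborts when neither null device can be opened, every non-setuid process would now depend on `/dev/null` or `/sys/fs/selinux/null` being reachable at startup, which is worth confirming for chroot and minimal-rootfs cases. The enclosing function starts and ends outside the hunk.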