Cleanup ANDROID_DNS_MODE and BIONIC_DNSCACHE
For security reasons, when a binary is executed which causes a security
transition (eg, a setuid binary, setgid binary, filesystem capabilities,
or SELinux domain transition), the AT_SECURE flag is set. This causes
certain blacklisted environment variables to be stripped before the
process is executed. The list of blacklisted environment variables is
stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment
variables used internally by libc show up in this list.
Add ANDROID_DNS_MODE to the list of unsafe variables.
Similar to RESOLV_HOST_CONF and RES_OPTIONS (which are already
blacklisted), this variable controls how name resolution requests are
handled. Allowing ANDROID_DNS_MODE to be set across a security
boundary could induce resolution failures or otherwise impact
name resolution.
Remove BIONIC_DNSCACHE. This does not appear to be used, and setting
this variable across a security boundary could cause name resolution
problems.
Test: Android compiles and runs with no obvious problems.
Change-Id: I835a7b42d6afbc9c67866594c7951cfd9b355d81
diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp
index 9094fc5..970a49c 100644
--- a/libc/bionic/libc_init_common.cpp
+++ b/libc/bionic/libc_init_common.cpp
@@ -244,6 +244,7 @@
// of executing a setuid program or the result of an SELinux
// security transition.
static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
+ "ANDROID_DNS_MODE",
"GCONV_PATH",
"GETCONF_DIR",
"HOSTALIASES",