Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 99cec1892d62f1fc089540636e9806a66e371ebc^! / . / libc / bionic / libc_init_common.cpp
commit99cec1892d62f1fc089540636e9806a66e371ebc[log] [tgz]
authorNick Kralevich <nnk@google.com>Fri Apr 26 11:25:02 2019 -0700
committerNick Kralevich <nnk@google.com>Fri Apr 26 12:08:54 2019 -0700
tree48129760fe7cbde52c588736e064f24e1fa12629
parent9f193e14edb6ce80c8cb43045bf90bdab2180716 [diff] [blame]
Don't honor LD_CONFIG_FILE across security transitions

For security reasons, when a binary is executed which causes a security
transition (eg, a setuid binary, setgid binary, filesystem capabilities,
or SELinux domain transition), the AT_SECURE flag is set. This causes
certain blacklisted environment variables to be stripped before the
process is executed. The list of blacklisted environment variables is
stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment
variables used internally by libc show up in this list.

Commit 02586a2a34e6acfccf359b94db840f422b6c0231 ("linker: the
global group is added to all built-in namespaces", Aug 2017) added
support for the environment variable LD_CONFIG_FILE. This debug build
only feature allows the caller to specify the path to the loader
configuration file. Like other linker environment variables, setting
this variable allows the calling process to control executed code of the
called process, which has security implications (on debuggable builds
only).

Add LD_CONFIG_FILE to UNSAFE_VARIABLE_NAMES. This has the effect of
stripping, on all build types, the LD_CONFIG_FILE environment variable.
This has three advantages:

1) Prevents security bugs should LD_CONFIG_FILE ever be inadvertantly
exposed on a production build.
2) Makes the behavior of userdebug and user builds more similar, helping
prevent build-type dependent bugs where someone may come to rely on this
debug-only feature.
3) Protect droidfood users against malicious applications which can
trigger a security transition, eg, the execution of crash_dump or the
renderscript compiler.

Alternative considered but rejected:

If we treated LD_CONFIG_FILE like LD_PRELOAD, we could expose this on
all build types, and remove the build-type dependent behavior. But this
is contrary to enh's Aug 02 2017 guidance at
https://android-review.googlesource.com/c/platform/bionic/+/449956

  i'm still uncomfortable about LD_CONFIG_FILE because i'd like
  to be reducing the number of environment variables that affect
  the linker in P rather than increasing them.

Test: atest CtsBionicTestCases
Test: atest linker-unit-tests
Change-Id: I82d286546ee079b5cde04428dc89941c253c2d20

diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp
index b229cda..42787d5 100644
--- a/libc/bionic/libc_init_common.cpp
+++ b/libc/bionic/libc_init_common.cpp

@@ -232,6 +232,7 @@
     "LD_AOUT_LIBRARY_PATH",
     "LD_AOUT_PRELOAD",
     "LD_AUDIT",
+    "LD_CONFIG_FILE",
     "LD_DEBUG",
     "LD_DEBUG_OUTPUT",
     "LD_DYNAMIC_WEAK",