| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 1 | /* | 
|  | 2 | * Copyright (C) 2010 The Android Open Source Project | 
|  | 3 | * All rights reserved. | 
|  | 4 | * | 
|  | 5 | * Redistribution and use in source and binary forms, with or without | 
|  | 6 | * modification, are permitted provided that the following conditions | 
|  | 7 | * are met: | 
|  | 8 | *  * Redistributions of source code must retain the above copyright | 
|  | 9 | *    notice, this list of conditions and the following disclaimer. | 
|  | 10 | *  * Redistributions in binary form must reproduce the above copyright | 
|  | 11 | *    notice, this list of conditions and the following disclaimer in | 
|  | 12 | *    the documentation and/or other materials provided with the | 
|  | 13 | *    distribution. | 
|  | 14 | * | 
|  | 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | 
|  | 16 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | 
|  | 17 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | 
|  | 18 | * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE | 
|  | 19 | * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, | 
|  | 20 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, | 
|  | 21 | * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS | 
|  | 22 | * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED | 
|  | 23 | * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | 
|  | 24 | * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT | 
|  | 25 | * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 
|  | 26 | * SUCH DAMAGE. | 
|  | 27 | */ | 
|  | 28 |  | 
|  | 29 | #include "linker_environ.h" | 
|  | 30 |  | 
|  | 31 | #include <linux/auxvec.h> | 
|  | 32 | #include <stddef.h> | 
|  | 33 | #include <stdlib.h> | 
|  | 34 | #include <unistd.h> | 
|  | 35 |  | 
| Elliott Hughes | 42b2c6a | 2013-02-07 10:14:39 -0800 | [diff] [blame] | 36 | #include <private/KernelArgumentBlock.h> | 
|  | 37 |  | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 38 | static char** _envp; | 
|  | 39 | static bool _AT_SECURE_value = true; | 
|  | 40 |  | 
|  | 41 | bool get_AT_SECURE() { | 
|  | 42 | return _AT_SECURE_value; | 
|  | 43 | } | 
|  | 44 |  | 
| Elliott Hughes | 42b2c6a | 2013-02-07 10:14:39 -0800 | [diff] [blame] | 45 | static void __init_AT_SECURE(KernelArgumentBlock& args) { | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 46 | // Check auxv for AT_SECURE first to see if program is setuid, setgid, | 
|  | 47 | // has file caps, or caused a SELinux/AppArmor domain transition. | 
| Elliott Hughes | 42b2c6a | 2013-02-07 10:14:39 -0800 | [diff] [blame] | 48 | bool kernel_supplied_AT_SECURE; | 
|  | 49 | _AT_SECURE_value = args.getauxval(AT_SECURE, &kernel_supplied_AT_SECURE); | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 50 |  | 
|  | 51 | // We don't support ancient kernels. | 
| Elliott Hughes | 42b2c6a | 2013-02-07 10:14:39 -0800 | [diff] [blame] | 52 | if (!kernel_supplied_AT_SECURE) { | 
|  | 53 | const char* msg = "FATAL: kernel did not supply AT_SECURE\n"; | 
|  | 54 | write(2, msg, strlen(msg)); | 
|  | 55 | exit(EXIT_FAILURE); | 
|  | 56 | } | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 57 | } | 
|  | 58 |  | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 59 | // Check if the environment variable definition at 'envstr' | 
|  | 60 | // starts with '<name>=', and if so return the address of the | 
|  | 61 | // first character after the equal sign. Otherwise return NULL. | 
|  | 62 | static const char* env_match(const char* envstr, const char* name) { | 
|  | 63 | size_t i = 0; | 
|  | 64 |  | 
|  | 65 | while (envstr[i] == name[i] && name[i] != '\0') { | 
|  | 66 | ++i; | 
|  | 67 | } | 
|  | 68 |  | 
|  | 69 | if (name[i] == '\0' && envstr[i] == '=') { | 
|  | 70 | return envstr + i + 1; | 
|  | 71 | } | 
|  | 72 |  | 
|  | 73 | return NULL; | 
|  | 74 | } | 
|  | 75 |  | 
|  | 76 | static bool __is_valid_environment_variable(const char* name) { | 
|  | 77 | // According to its sources, the kernel uses 32*PAGE_SIZE by default | 
|  | 78 | // as the maximum size for an env. variable definition. | 
|  | 79 | const int MAX_ENV_LEN = 32*4096; | 
|  | 80 |  | 
|  | 81 | if (name == NULL) { | 
|  | 82 | return false; | 
|  | 83 | } | 
|  | 84 |  | 
|  | 85 | // Parse the string, looking for the first '=' there, and its size. | 
|  | 86 | int pos = 0; | 
|  | 87 | int first_equal_pos = -1; | 
|  | 88 | while (pos < MAX_ENV_LEN) { | 
|  | 89 | if (name[pos] == '\0') { | 
|  | 90 | break; | 
|  | 91 | } | 
|  | 92 | if (name[pos] == '=' && first_equal_pos < 0) { | 
|  | 93 | first_equal_pos = pos; | 
|  | 94 | } | 
|  | 95 | pos++; | 
|  | 96 | } | 
|  | 97 |  | 
|  | 98 | // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings). | 
|  | 99 | if (pos >= MAX_ENV_LEN) { | 
|  | 100 | return false; | 
|  | 101 | } | 
|  | 102 |  | 
|  | 103 | // Check that it contains at least one equal sign that is not the first character | 
|  | 104 | if (first_equal_pos < 1) { | 
|  | 105 | return false; | 
|  | 106 | } | 
|  | 107 |  | 
|  | 108 | return true; | 
|  | 109 | } | 
|  | 110 |  | 
|  | 111 | static bool __is_unsafe_environment_variable(const char* name) { | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 112 | // None of these should be allowed in setuid programs. | 
|  | 113 | static const char* const UNSAFE_VARIABLE_NAMES[] = { | 
|  | 114 | "GCONV_PATH", | 
|  | 115 | "GETCONF_DIR", | 
|  | 116 | "HOSTALIASES", | 
|  | 117 | "LD_AOUT_LIBRARY_PATH", | 
|  | 118 | "LD_AOUT_PRELOAD", | 
|  | 119 | "LD_AUDIT", | 
|  | 120 | "LD_DEBUG", | 
|  | 121 | "LD_DEBUG_OUTPUT", | 
|  | 122 | "LD_DYNAMIC_WEAK", | 
|  | 123 | "LD_LIBRARY_PATH", | 
|  | 124 | "LD_ORIGIN_PATH", | 
|  | 125 | "LD_PRELOAD", | 
|  | 126 | "LD_PROFILE", | 
|  | 127 | "LD_SHOW_AUXV", | 
|  | 128 | "LD_USE_LOAD_BIAS", | 
|  | 129 | "LOCALDOMAIN", | 
|  | 130 | "LOCPATH", | 
|  | 131 | "MALLOC_CHECK_", | 
|  | 132 | "MALLOC_TRACE", | 
|  | 133 | "NIS_PATH", | 
|  | 134 | "NLSPATH", | 
|  | 135 | "RESOLV_HOST_CONF", | 
|  | 136 | "RES_OPTIONS", | 
|  | 137 | "TMPDIR", | 
|  | 138 | "TZDIR", | 
|  | 139 | NULL | 
|  | 140 | }; | 
|  | 141 | for (size_t i = 0; UNSAFE_VARIABLE_NAMES[i] != NULL; ++i) { | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 142 | if (env_match(name, UNSAFE_VARIABLE_NAMES[i]) != NULL) { | 
|  | 143 | return true; | 
|  | 144 | } | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 145 | } | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 146 | return false; | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 147 | } | 
|  | 148 |  | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 149 | static void __sanitize_environment_variables() { | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 150 | char** src  = _envp; | 
|  | 151 | char** dst = _envp; | 
|  | 152 | for (; src[0] != NULL; ++src) { | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 153 | if (!__is_valid_environment_variable(src[0])) { | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 154 | continue; | 
|  | 155 | } | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 156 | // Remove various unsafe environment variables if we're loading a setuid program. | 
|  | 157 | if (get_AT_SECURE() && __is_unsafe_environment_variable(src[0])) { | 
|  | 158 | continue; | 
|  | 159 | } | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 160 | dst[0] = src[0]; | 
|  | 161 | ++dst; | 
|  | 162 | } | 
|  | 163 | dst[0] = NULL; | 
|  | 164 | } | 
|  | 165 |  | 
| Elliott Hughes | 42b2c6a | 2013-02-07 10:14:39 -0800 | [diff] [blame] | 166 | void linker_env_init(KernelArgumentBlock& args) { | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 167 | // Store environment pointer - can't be NULL. | 
| Elliott Hughes | 42b2c6a | 2013-02-07 10:14:39 -0800 | [diff] [blame] | 168 | _envp = args.envp; | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 169 |  | 
| Elliott Hughes | 42b2c6a | 2013-02-07 10:14:39 -0800 | [diff] [blame] | 170 | __init_AT_SECURE(args); | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 171 | __sanitize_environment_variables(); | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 172 | } | 
|  | 173 |  | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 174 | const char* linker_env_get(const char* name) { | 
|  | 175 | if (name == NULL || name[0] == '\0') { | 
|  | 176 | return NULL; | 
|  | 177 | } | 
|  | 178 |  | 
|  | 179 | for (char** p = _envp; p[0] != NULL; ++p) { | 
| Elliott Hughes | 0894b2c | 2012-11-02 12:40:11 -0700 | [diff] [blame] | 180 | const char* val = env_match(p[0], name); | 
| Elliott Hughes | 18a206c | 2012-10-29 17:37:13 -0700 | [diff] [blame] | 181 | if (val != NULL) { | 
|  | 182 | if (val[0] == '\0') { | 
|  | 183 | return NULL; // Return NULL for empty strings. | 
|  | 184 | } | 
|  | 185 | return val; | 
|  | 186 | } | 
|  | 187 | } | 
|  | 188 | return NULL; | 
|  | 189 | } |