platform_bionic/libc
Nick Kralevich 99cec1892d Don't honor LD_CONFIG_FILE across security transitions
For security reasons, when a binary is executed which causes a security
transition (eg, a setuid binary, setgid binary, filesystem capabilities,
or SELinux domain transition), the AT_SECURE flag is set. This causes
certain blacklisted environment variables to be stripped before the
process is executed. The list of blacklisted environment variables is
stored in UNSAFE_VARIABLE_NAMES. Generally speaking, most environment
variables used internally by libc show up in this list.

Commit 02586a2a34 ("linker: the
global group is added to all built-in namespaces", Aug 2017) added
support for the environment variable LD_CONFIG_FILE. This debug build
only feature allows the caller to specify the path to the loader
configuration file. Like other linker environment variables, setting
this variable allows the calling process to control executed code of the
called process, which has security implications (on debuggable builds
only).

Add LD_CONFIG_FILE to UNSAFE_VARIABLE_NAMES. This has the effect of
stripping, on all build types, the LD_CONFIG_FILE environment variable.
This has three advantages:

1) Prevents security bugs should LD_CONFIG_FILE ever be inadvertently
exposed on a production build.
2) Makes the behavior of userdebug and user builds more similar, helping
prevent build-type dependent bugs where someone may come to rely on this
debug-only feature.
3) Protects droidfood users against malicious applications which can
trigger a security transition, eg, the execution of crash_dump or the
renderscript compiler.

Alternative considered but rejected:

If we treated LD_CONFIG_FILE like LD_PRELOAD, we could expose this on
all build types, and remove the build-type dependent behavior. But this
is contrary to enh's Aug 02 2017 guidance at
https://android-review.googlesource.com/c/platform/bionic/+/449956

  i'm still uncomfortable about LD_CONFIG_FILE because i'd like
  to be reducing the number of environment variables that affect
  the linker in P rather than increasing them.

Test: atest CtsBionicTestCases
Test: atest linker-unit-tests
Change-Id: I82d286546ee079b5cde04428dc89941c253c2d20
2019-04-26 12:08:54 -07:00
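Added illustration (not bionic's own code) of the mechanism the commit message describes: libc reads AT_SECURE from the auxiliary vector and, when it is set, strips every environment entry whose name is on the blacklist, which now includes LD_CONFIG_FILE. The blacklist here is a constructed three-entry subset of UNSAFE_VARIABLE_NAMES, and process_is_secure, is_unsafe_env_entry, sanitize_environment and demo_sanitize are assumed names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE), as bionic's libc init uses */
#endif

/* Constructed subset; the real UNSAFE_VARIABLE_NAMES list is much longer. */
static const char* const kUnsafeVariableNames[] = {
  "LD_CONFIG_FILE", "LD_LIBRARY_PATH", "LD_PRELOAD", NULL,
};

/* True when the kernel set AT_SECURE (setuid/setgid, file capabilities,
   SELinux domain transition). Off Linux this demo simply reports false. */
bool process_is_secure(void) {
#ifdef __linux__
  return getauxval(AT_SECURE) != 0;
#else
  return false;
#endif
}

/* True if a "NAME=value" entry is blacklisted; the name must match exactly,
   so LD_CONFIG_FILE_X=... is not mistaken for LD_CONFIG_FILE. */
bool is_unsafe_env_entry(const char* entry) {
  const char* eq = strchr(entry, '=');
  if (eq == NULL || eq == entry) return false;  /* malformed: handled below */
  size_t name_len = (size_t)(eq - entry);
  for (size_t i = 0; kUnsafeVariableNames[i] != NULL; ++i) {
    if (strlen(kUnsafeVariableNames[i]) == name_len &&
        memcmp(kUnsafeVariableNames[i], entry, name_len) == 0) return true;
  }
  return false;
}

/* Compacts envp in place: malformed entries (no '=' or empty name) are always
   dropped, blacklisted ones only when secure. Returns the number kept. */
size_t sanitize_environment(char** envp, bool secure) {
  size_t dst = 0;
  for (size_t src = 0; envp[src] != NULL; ++src) {
    const char* eq = strchr(envp[src], '=');
    if (eq == NULL || eq == envp[src]) continue;
    if (secure && is_unsafe_env_entry(envp[src])) continue;
    envp[dst++] = envp[src];
  }
  envp[dst] = NULL;
  return dst;
}

/* Constructed sample environment; returns how many entries survive. */
size_t demo_sanitize(bool secure) {
  char* env[] = { "PATH=/system/bin", "LD_CONFIG_FILE=/data/local/tmp/ld.config.txt",
                  "HOME=/", "NOEQUALS", "LD_PRELOAD=/data/local/tmp/hook.so", NULL };
  return sanitize_environment(env, secure);
}
```

Calling demo_sanitize(process_is_secure()) from a setuid or otherwise transitioned process keeps only PATH and HOME; an ordinary process keeps four entries, losing only the malformed one.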
arch-arm Merge "Implement __gnu_[u]ldivmod_helper methods in libc" 2019-04-23 05:54:33 +00:00
arch-arm64 Generate assembler system call stubs via genrule. 2019-04-16 12:31:00 -07:00
arch-common/bionic Change crtbrand for host bionic 2018-10-22 17:15:22 -07:00
arch-mips Generate assembler system call stubs via genrule. 2019-04-16 12:31:00 -07:00
arch-mips64/bionic Generate assembler system call stubs via genrule. 2019-04-16 12:31:00 -07:00
arch-x86 Generate assembler system call stubs via genrule. 2019-04-16 12:31:00 -07:00
arch-x86_64 Generate assembler system call stubs via genrule. 2019-04-16 12:31:00 -07:00
async_safe Mark lib_async_safe_headers as supporting linux_bionic 2019-02-19 09:47:40 -08:00
bionic Don't honor LD_CONFIG_FILE across security transitions 2019-04-26 12:08:54 -07:00
dns Merge "Replace android_open_proxy with dns_open_proxy" 2018-11-28 12:21:33 +00:00
include Merge "threads.h: Add C11 thread support." 2019-04-24 20:33:08 +00:00
kernel Generate assembler system call stubs via genrule. 2019-04-16 12:31:00 -07:00
malloc_debug Remove gMallocLeakZygoteChild. 2019-04-16 11:22:06 -07:00
malloc_hooks Move all leak info functions to android_mallopt. 2019-04-19 11:27:02 -07:00
private Merge "Move all leak info functions to android_mallopt." 2019-04-23 17:45:01 +00:00
seccomp Add support for seccomp filter that limits setresuid/setresgid. 2019-01-19 09:09:30 +01:00
stdio Merge "Typo fix in comment. O_CLOEXEC is e, not x." 2019-03-26 22:00:31 +00:00
stdlib Add PR_SET_VMA and PR_SET_VMA_ANON_NAME to <sys/prctl.h>. 2018-08-22 10:36:23 -07:00
system_properties libasync_safe: stop clobbering other folks' identifiers. 2019-02-14 14:23:13 -08:00
tools Move libdl and linker to static NOTICE files. 2019-04-19 14:18:07 -07:00
tzcode strptime: support everything that strftime supports. 2019-03-26 19:07:40 -07:00
upstream-freebsd Add reallocarray(3). 2018-09-26 14:24:18 -07:00
upstream-netbsd Sync with upstream NetBSD. 2019-02-13 14:17:18 -08:00
upstream-openbsd Switch to OpenBSD div/ldiv/lldiv. 2019-02-05 16:48:22 -08:00
versioner-dependencies Unified sysroot: kill arch-specific include dirs. 2017-10-12 13:19:51 -07:00
Android.bp Merge "threads.h: Add C11 thread support." 2019-04-24 20:33:08 +00:00
fs_config_generator.py
libc.map.txt Merge "threads.h: Add C11 thread support." 2019-04-24 20:33:08 +00:00
libstdc++.map.txt Mark new/delete as weak in the NDK stubs. 2017-07-28 11:01:33 -07:00
MODULE_LICENSE_BSD
NOTICE Move libdl and linker to static NOTICE files. 2019-04-19 14:18:07 -07:00
SECCOMP_BLACKLIST_APP.TXT Blacklist setregid(32) for apps. 2019-01-22 17:22:54 +01:00
SECCOMP_BLACKLIST_COMMON.TXT Split zygote's seccomp filter into two 2018-01-04 12:28:40 -08:00
SECCOMP_WHITELIST_APP.TXT Move pipe, open, and getdents from the APP to COMMON seccomp whitelist. 2018-09-11 19:20:34 -04:00
SECCOMP_WHITELIST_COMMON.TXT Move pipe, open, and getdents from the APP to COMMON seccomp whitelist. 2018-09-11 19:20:34 -04:00
SECCOMP_WHITELIST_GLOBAL.TXT Create global seccomp policy. 2017-07-21 20:30:21 -07:00
SECCOMP_WHITELIST_SYSTEM.TXT Add bpf syscall to seccomp whitelist 2018-01-18 12:08:34 -08:00
symbol_ordering Remove gMallocLeakZygoteChild. 2019-04-16 11:22:06 -07:00
SYSCALLS.TXT Generate assembler system call stubs via genrule. 2019-04-16 12:31:00 -07:00
version_script.txt