authorSiddhesh Poyarekar <siddhesh@sourceware.org>2017-02-02 15:46:01 +0530
committerSiddhesh Poyarekar <siddhesh@sourceware.org>2017-02-02 15:50:16 +0530
commit8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12 (patch)
tree06f8dde062044aa45cabbe79e1e36a65ea7a20b5 /elf/dl-tunables.list
parent9c8e64485360d08d95884bddc0958cf3a5ca9c5c (diff)
tunables: Fix environment variable processing for setuid binaries (bz #21073)
Florian Weimer pointed out that we have three different kinds of environment variables (and hence tunables): 1. Variables that are removed for setxid processes 2. Variables that are ignored in setxid processes but is passed on to child processes 3. Variables that are passed on to child processes all the time Tunables currently only does (2) and (3) when it should be doing (1) for MALLOC_CHECK_. This patch enhances the is_secure flag in tunables to an enum value that can specify which of the above three categories the tunable (and its envvar alias) belongs to. The default is for tunables to be in (1). Hence, all of the malloc tunables barring MALLOC_CHECK_ are explicitly specified to belong to category (2). There were discussions around abolishing category (2) completely but we can do that as a separate exercise in 2.26. Tested on x86_64 to verify that there are no regressions. [BZ #21073] * elf/dl-tunable-types.h (tunable_seclevel_t): New enum. * elf/dl-tunables.c (tunables_strdup): Remove. (get_next_env): Also return the previous envp. (parse_tunables): Erase tunables of category TUNABLES_SECLEVEL_SXID_ERASE. (maybe_enable_malloc_check): Make MALLOC_CHECK_ TUNABLE_SECLEVEL_NONE if /etc/setuid-debug is accessible. (__tunables_init)[TUNABLES_FRONTEND == TUNABLES_FRONTEND_valstring]: Update GLIBC_TUNABLES envvar after parsing. [TUNABLES_FRONTEND != TUNABLES_FRONTEND_valstring]: Erase tunable envvars of category TUNABLES_SECLEVEL_SXID_ERASE. * elf/dl-tunables.h (struct _tunable): Change member is_secure to security_level. * elf/dl-tunables.list: Add security_level annotations for all tunables. * scripts/gen-tunables.awk: Recognize and generate enum values for security_level. * elf/tst-env-setuid.c: New test case. * elf/tst-env-setuid-tunables: new test case. * elf/Makefile (tests-static): Add them.
Diffstat (limited to 'elf/dl-tunables.list')
-rw-r--r--elf/dl-tunables.list16
1 files changed, 14 insertions, 2 deletions
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index d8cd912559..cb9e8f173b 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -21,8 +21,13 @@
# minval: Optional minimum acceptable value
# maxval: Optional maximum acceptable value
# env_alias: An alias environment variable
-# is_secure: Specify whether the environment variable should be read for
-# setuid binaries.
+# security_level: Specify security level of the tunable. Valid values are:
+#
+# SXID_ERASE: (default) Don't read for AT_SECURE binaries and
+# removed so that child processes can't read it.
+# SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for
+# non-AT_SECURE subprocesses.
+# SXID_NONE: Read all the time.
glibc {
malloc {
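Review bot: The new comment spells the third value `SXID_NONE`, but the commit description names the matching enum `TUNABLE_SECLEVEL_NONE`, so the keyword the generator accepts may be `NONE`. scripts/gen-tunables.awk is not shown here, so please confirm the spelling there and make the comment match it. Since this is the least restrictive level, the line should say so explicitly, for example `# SXID_NONE: Read all the time, including in AT_SECURE binaries.` (using whichever spelling is correct). It would also help to document what happens when `security_level` holds an unrecognised value, so that a typo cannot silently change how a tunable is treated in setxid processes.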
@@ -35,34 +40,41 @@ glibc {
top_pad {
type: SIZE_T
env_alias: MALLOC_TOP_PAD_
+ security_level: SXID_IGNORE
}
perturb {
type: INT_32
minval: 0
maxval: 0xff
env_alias: MALLOC_PERTURB_
+ security_level: SXID_IGNORE
}
mmap_threshold {
type: SIZE_T
env_alias: MALLOC_MMAP_THRESHOLD_
+ security_level: SXID_IGNORE
}
trim_threshold {
type: SIZE_T
env_alias: MALLOC_TRIM_THRESHOLD_
+ security_level: SXID_IGNORE
}
mmap_max {
type: INT_32
env_alias: MALLOC_MMAP_MAX_
+ security_level: SXID_IGNORE
}
arena_max {
type: SIZE_T
env_alias: MALLOC_ARENA_MAX
minval: 1
+ security_level: SXID_IGNORE
}
arena_test {
type: SIZE_T
env_alias: MALLOC_ARENA_TEST
minval: 1
+ security_level: SXID_IGNORE
}
}
}
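Review bot: The seven `security_level: SXID_IGNORE` lines added from top_pad through arena_test have no comment explaining why the weaker level is acceptable for them. Per the description, SXID_IGNORE leaves the variable in the environment, so a non-AT_SECURE child started by a setxid program still honours the value supplied by the original caller. I would record that once at the top of the malloc namespace, e.g. `# SXID_IGNORE: kept for compatibility; value is still seen by non-AT_SECURE children.` The entry for MALLOC_CHECK_ lies outside this hunk and, judging by the description, relies on the implicit default. If so, giving it an explicit `security_level: SXID_ERASE` would keep its protection from depending on that default staying unchanged.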