// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// This is a list of environment variables which the ELF loader unsets when
// loading a SUID binary. Because they are unset rather than just ignored, they
// aren't passed to child processes of SUID processes either.
//
// We need to save these environment variables before running a SUID sandbox
// and restore them before running child processes (but after dropping root).
//
// List gathered from glibc sources (00ebd7ed58df389a78e41dece058048725cb585e):
//   sysdeps/unix/sysv/linux/i386/dl-librecon.h
//   sysdeps/generic/unsecvars.h
//
// NOTE(review): this table is a snapshot pinned to the glibc commit above. If a
// newer glibc adds names to unsecvars.h, they need to be added here as well,
// otherwise the corresponding variable is silently dropped across the SUID
// transition instead of being saved and restored.

#ifndef SANDBOX_LINUX_SUID_COMMON_SUID_UNSAFE_ENVIRONMENT_VARIABLES_H_
#define SANDBOX_LINUX_SUID_COMMON_SUID_UNSAFE_ENVIRONMENT_VARIABLES_H_

#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>  // malloc
#include <string.h>  // memcpy

// NULL-terminated table of variable names. Iterate until the NULL sentinel
// rather than using a sizeof-based element count, so the sentinel itself is
// never treated as a variable name.
static const char* const kSUIDUnsafeEnvironmentVariables[] = {
  "LD_AOUT_LIBRARY_PATH",
  "LD_AOUT_PRELOAD",
  "GCONV_PATH",
  "GETCONF_DIR",
  "HOSTALIASES",
  "LD_AUDIT",
  "LD_DEBUG",
  "LD_DEBUG_OUTPUT",
  "LD_DYNAMIC_WEAK",
  "LD_LIBRARY_PATH",
  "LD_ORIGIN_PATH",
  "LD_PRELOAD",
  "LD_PROFILE",
  "LD_SHOW_AUXV",
  "LD_USE_LOAD_BIAS",
  "LOCALDOMAIN",
  "LOCPATH",
  "MALLOC_TRACE",
  "NIS_PATH",
  "NLSPATH",
  "RESOLV_HOST_CONF",
  "RES_OPTIONS",
  "TMPDIR",
  "TZDIR",
  NULL,
};

// Return a malloc allocated string containing the 'saved' environment variable
// name for a given environment variable. Returns NULL when the name cannot be
// built (length overflow) or when malloc fails; the caller owns the result and
// must free() it.
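// Returns NULL, with nothing allocated, when envvar is NULL, when the combined
// length would not fit in size_t, or when malloc fails. On success the caller
// owns the returned buffer and must free() it.
static inline char* SandboxSavedEnvironmentVariable(const char* envvar) {
  // The "saved" name is the original name with this prefix prepended.
  static const char kPrefix[] = "SANDBOX_";
  const size_t kPrefixLen = sizeof(kPrefix) - 1;  // 8, excluding the NUL

  // strlen(NULL) is undefined behaviour; treat a missing name as "no name".
  if (!envvar)
    return NULL;

  const size_t envvar_len = strlen(envvar);

  // Reject lengths where prefix + name + NUL would wrap around size_t.
  // Without this check a huge envvar_len would produce a tiny allocation and
  // the memcpy below would write past the end of it.
  if (envvar_len > SIZE_MAX - 1 - kPrefixLen)
    return NULL;

  const size_t saved_envvarlen =
      kPrefixLen + envvar_len + 1 /* NUL terminator */;

  // The cast is a no-op in C and keeps this header usable from C++ translation
  // units, which is why it is kept.
  char* const saved_envvar = (char*) malloc(saved_envvarlen);
  if (!saved_envvar)
    return NULL;

  memcpy(saved_envvar, kPrefix, kPrefixLen);
  memcpy(saved_envvar + kPrefixLen, envvar, envvar_len);
  saved_envvar[kPrefixLen + envvar_len] = 0;
  return saved_envvar;
}

#endif  // SANDBOX_LINUX_SUID_COMMON_SUID_UNSAFE_ENVIRONMENT_VARIABLES_H_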