1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
29 #include "linker_environ.h"
31 #include <linux/auxvec.h>
32 #include <stddef.h>
33 #include <stdlib.h>
34 #include <unistd.h>
36 #include "private/KernelArgumentBlock.h"
38 static char** _envp;
39 static bool _AT_SECURE_value = true;
41 bool get_AT_SECURE() {
42 return _AT_SECURE_value;
43 }
45 static void __init_AT_SECURE(KernelArgumentBlock& args) {
46 // Check auxv for AT_SECURE first to see if program is setuid, setgid,
47 // has file caps, or caused a SELinux/AppArmor domain transition.
48 bool kernel_supplied_AT_SECURE;
49 _AT_SECURE_value = args.getauxval(AT_SECURE, &kernel_supplied_AT_SECURE);
51 // We don't support ancient kernels.
52 if (!kernel_supplied_AT_SECURE) {
53 const char* msg = "FATAL: kernel did not supply AT_SECURE\n";
54 write(2, msg, strlen(msg));
55 exit(EXIT_FAILURE);
56 }
57 }
59 // Check if the environment variable definition at 'envstr'
60 // starts with '<name>=', and if so return the address of the
61 // first character after the equal sign. Otherwise return NULL.
62 static const char* env_match(const char* envstr, const char* name) {
63 size_t i = 0;
65 while (envstr[i] == name[i] && name[i] != '\0') {
66 ++i;
67 }
69 if (name[i] == '\0' && envstr[i] == '=') {
70 return envstr + i + 1;
71 }
73 return NULL;
74 }
76 static bool __is_valid_environment_variable(const char* name) {
77 // According to its sources, the kernel uses 32*PAGE_SIZE by default
78 // as the maximum size for an env. variable definition.
79 const int MAX_ENV_LEN = 32*4096;
81 if (name == NULL) {
82 return false;
83 }
85 // Parse the string, looking for the first '=' there, and its size.
86 int pos = 0;
87 int first_equal_pos = -1;
88 while (pos < MAX_ENV_LEN) {
89 if (name[pos] == '\0') {
90 break;
91 }
92 if (name[pos] == '=' && first_equal_pos < 0) {
93 first_equal_pos = pos;
94 }
95 pos++;
96 }
98 // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
99 if (pos >= MAX_ENV_LEN) {
100 return false;
101 }
103 // Check that it contains at least one equal sign that is not the first character
104 if (first_equal_pos < 1) {
105 return false;
106 }
108 return true;
109 }
111 static bool __is_unsafe_environment_variable(const char* name) {
112 // None of these should be allowed in setuid programs.
113 static const char* const UNSAFE_VARIABLE_NAMES[] = {
114 "GCONV_PATH",
115 "GETCONF_DIR",
116 "HOSTALIASES",
117 "LD_AOUT_LIBRARY_PATH",
118 "LD_AOUT_PRELOAD",
119 "LD_AUDIT",
120 "LD_DEBUG",
121 "LD_DEBUG_OUTPUT",
122 "LD_DYNAMIC_WEAK",
123 "LD_LIBRARY_PATH",
124 "LD_ORIGIN_PATH",
125 "LD_PRELOAD",
126 "LD_PROFILE",
127 "LD_SHOW_AUXV",
128 "LD_USE_LOAD_BIAS",
129 "LOCALDOMAIN",
130 "LOCPATH",
131 "MALLOC_CHECK_",
132 "MALLOC_TRACE",
133 "NIS_PATH",
134 "NLSPATH",
135 "RESOLV_HOST_CONF",
136 "RES_OPTIONS",
137 "TMPDIR",
138 "TZDIR",
139 NULL
140 };
141 for (size_t i = 0; UNSAFE_VARIABLE_NAMES[i] != NULL; ++i) {
142 if (env_match(name, UNSAFE_VARIABLE_NAMES[i]) != NULL) {
143 return true;
144 }
145 }
146 return false;
147 }
149 static void __sanitize_environment_variables() {
150 char** src = _envp;
151 char** dst = _envp;
152 for (; src[0] != NULL; ++src) {
153 if (!__is_valid_environment_variable(src[0])) {
154 continue;
155 }
156 // Remove various unsafe environment variables if we're loading a setuid program.
157 if (get_AT_SECURE() && __is_unsafe_environment_variable(src[0])) {
158 continue;
159 }
160 dst[0] = src[0];
161 ++dst;
162 }
163 dst[0] = NULL;
164 }
166 void linker_env_init(KernelArgumentBlock& args) {
167 // Store environment pointer - can't be NULL.
168 _envp = args.envp;
170 __init_AT_SECURE(args);
171 __sanitize_environment_variables();
172 }
174 const char* linker_env_get(const char* name) {
175 if (name == NULL || name[0] == '\0') {
176 return NULL;
177 }
179 for (char** p = _envp; p[0] != NULL; ++p) {
180 const char* val = env_match(p[0], name);
181 if (val != NULL) {
182 if (val[0] == '\0') {
183 return NULL; // Return NULL for empty strings.
184 }
185 return val;
186 }
187 }
188 return NULL;
189 }