public inbox for glibc-cvs@sourceware.org
* [glibc] elf: Add GLIBC_TUNABLES to unsecvars
@ 2023-11-21 20:48 Adhemerval Zanella
From: Adhemerval Zanella @ 2023-11-21 20:48 UTC
  To: glibc-cvs

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a72a4eb10b2d9aef7a53f9d2facf166a685d85fb

commit a72a4eb10b2d9aef7a53f9d2facf166a685d85fb
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Nov 6 17:25:35 2023 -0300

    elf: Add GLIBC_TUNABLES to unsecvars
    
    setuid/setgid process now ignores any glibc tunables, and filters out
    all environment variables that might change its behavior. This patch
    also adds GLIBC_TUNABLES, so any process spawned by setuid/setgid
    processes should set tunables explicitly.
    
    Checked on x86_64-linux-gnu.
    
    Reviewed-by: Florian Weimer <fweimer@redhat.com>
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Diff:
---
 elf/tst-env-setuid-tunables.c | 32 ++++----------------------------
 sysdeps/generic/unsecvars.h   |  1 +
 2 files changed, 5 insertions(+), 28 deletions(-)

diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
index f0b92c97e7..2603007b7b 100644
--- a/elf/tst-env-setuid-tunables.c
+++ b/elf/tst-env-setuid-tunables.c
@@ -60,45 +60,21 @@ const char *teststrings[] =
   "glibc.not_valid.check=2",
 };
 
-const char *resultstrings[] =
-{
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.perturb=0x800",
-  "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
-  "",
-  "",
-  "",
-  "",
-  "",
-  "",
-  "",
-};
-
 static int
 test_child (int off)
 {
   const char *val = getenv ("GLIBC_TUNABLES");
+  int ret = 1;
 
   printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
   fflush (stdout);
-  if (val != NULL && strcmp (val, resultstrings[off]) == 0)
-    return 0;
-
   if (val != NULL)
-    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
-	    off, val, resultstrings[off]);
+    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
   else
-    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
-
+    ret = 0;
   fflush (stdout);
 
-  return 1;
+  return ret;
 }
 
 static int
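Review bot: in test_child the unchanged first printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val) is now reached with val == NULL on every passing run, because success means the variable is absent. Passing a null pointer for %s is not defined by ISO C, so print a literal such as "(unset)" when val is NULL. The failure message also lost its "expected" half together with resultstrings; wording it as "GLIBC_TUNABLES should be unset, got %s" keeps the log self-explanatory, and a one-line comment above test_child saying the child must not see the variable at all would document the new contract.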
diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
index 8278c50a84..81397fb90b 100644
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -4,6 +4,7 @@
 #define UNSECURE_ENVVARS \
   "GCONV_PATH\0"							      \
   "GETCONF_DIR\0"							      \
+  "GLIBC_TUNABLES\0"							      \
   "HOSTALIASES\0"							      \
   "LD_AUDIT\0"								      \
   "LD_DEBUG\0"								      \
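Review bot: the new "GLIBC_TUNABLES\0" entry in UNSECURE_ENVVARS changes what children of setuid/setgid programs inherit, yet the diffstat covers only the test and this header, so nothing user-facing records the change. Consider a NEWS or manual note stating that the variable is now removed from the environment in that case and that such children must set tunables explicitly, as the commit message says. The entry itself keeps the list's alphabetical order and the "\0" separator used by its neighbours.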
