From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: adhemerval-zanella@linaro.org
Subject: [PATCH v2 0/4] tunables and setxid programs
Date: Tue, 16 Mar 2021 12:36:04 +0530
Message-Id: <20210316070608.329892-1-siddhesh@sourceware.org>
X-Patchwork-Id: 42573

When parse_tunables tries to erase a tunable marked as SXID_ERASE for setuid programs, it ends up setting the envvar string iterator incorrectly, because of which it may parse the next tunable incorrectly.
Given that currently the implementation allows malformed and unrecognized tunables to pass through, it may even allow SXID_ERASE tunables to go through.

This change revamps the SXID_ERASE implementation so that:

- Only valid tunables are written back to the tunestr string, because
  of which children of SXID programs will only inherit a clean list of
  identified tunables that are not SXID_ERASE.

- Unrecognized tunables get scrubbed off from the environment and
  subsequently from the child environment.

- This has the side-effect that a tunable that is not identified by
  the setxid binary will not be passed on to a non-setxid child even
  if the child could have identified that tunable.  This may break
  applications that expect this behaviour but expecting such tunables
  to cross the SXID boundary is wrong.

The setuid test for tunables has been bolstered to test different combinations of tunable values to ensure that the behaviour is now consistent.

Siddhesh Poyarekar (4):
  support: Add capability to fork an sgid child
  tst-env-setuid: Use support_capture_subprogram_self_sgid
  Enhance setuid-tunables test
  Fix SXID_ERASE behavior in setuid programs (BZ #27471)

 elf/Makefile                         |   2 -
 elf/dl-tunables.c                    |  56 ++++----
 elf/tst-env-setuid-tunables.c        | 118 +++++++++++++---
 elf/tst-env-setuid.c                 | 197 ++------------------------
 stdlib/tst-secure-getenv.c           | 199 +++------------------------
 support/capture_subprocess.h         |   6 +
 support/check.h                      |  12 ++
 support/subprocess.h                 |   5 +
 support/support_capture_subprocess.c | 114 +++++++++++++++
 support/support_subprocess.c         |  13 ++
 10 files changed, 304 insertions(+), 418 deletions(-)
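
Added example, not part of the original message and not glibc's code: a minimal in-place scrubber that follows the write-back approach described above, keeping only recognised name=value entries that are not marked for erasure. The tunable names, the two-level enum and the function names are assumptions made for illustration.

```c
#include <string.h>

/* Constructed table: names and levels are illustrative, not glibc's list. */
enum level { LEVEL_KEEP, LEVEL_SXID_ERASE };
struct tunable { const char *name; enum level level; };
static const struct tunable known[] = {
  { "demo.heap.check",     LEVEL_SXID_ERASE },
  { "demo.heap.threshold", LEVEL_KEEP },
};

/* Find a known tunable whose name is exactly the n bytes at s. */
static const struct tunable *lookup (const char *s, size_t n)
{
  for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
    if (strlen (known[i].name) == n && memcmp (known[i].name, s, n) == 0)
      return &known[i];
  return NULL;
}

/* Rewrite tunestr in place so that it holds only recognised name=value
   entries that are not LEVEL_SXID_ERASE.  Returns the new length.  */
size_t scrub_tunestr (char *tunestr)
{
  char *out = tunestr;          /* write cursor, never ahead of p */
  const char *p = tunestr;      /* read cursor */
  while (*p != '\0')
    {
      const char *end = p + strcspn (p, ":");   /* end of this entry */
      const char *eq = memchr (p, '=', (size_t) (end - p));
      const struct tunable *t = eq ? lookup (p, (size_t) (eq - p)) : NULL;
      if (t != NULL && t->level != LEVEL_SXID_ERASE)
        {
          if (out != tunestr)
            *out++ = ':';
          memmove (out, p, (size_t) (end - p));
          out += end - p;
        }
      /* Always step from the entry's own end, whether kept or dropped,
         so a dropped entry cannot desynchronise the next parse. */
      p = (*end == ':') ? end + 1 : end;
    }
  *out = '\0';
  return (size_t) (out - tunestr);
}
```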