1/*
2 * Copyright (C) 2010 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *  * Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 *  * Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in
12 *    the documentation and/or other materials provided with the
13 *    distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include "linker_environ.h"
30
31#include <linux/auxvec.h>
32#include <stddef.h>
33#include <stdlib.h>
34#include <unistd.h>
35
36#include "private/KernelArgumentBlock.h"
37
38static char** _envp;
39static bool _AT_SECURE_value = true;
40
41bool get_AT_SECURE() {
42  return _AT_SECURE_value;
43}
44
45static void __init_AT_SECURE(KernelArgumentBlock& args) {
46  // Check auxv for AT_SECURE first to see if program is setuid, setgid,
47  // has file caps, or caused a SELinux/AppArmor domain transition.
48  bool kernel_supplied_AT_SECURE;
49  _AT_SECURE_value = args.getauxval(AT_SECURE, &kernel_supplied_AT_SECURE);
50
51  // We don't support ancient kernels.
52  if (!kernel_supplied_AT_SECURE) {
53    const char* msg = "FATAL: kernel did not supply AT_SECURE\n";
54    write(2, msg, strlen(msg));
55    exit(EXIT_FAILURE);
56  }
57}
58
59// Check if the environment variable definition at 'envstr'
60// starts with '<name>=', and if so return the address of the
61// first character after the equal sign. Otherwise return NULL.
62static const char* env_match(const char* envstr, const char* name) {
63  size_t i = 0;
64
65  while (envstr[i] == name[i] && name[i] != '\0') {
66    ++i;
67  }
68
69  if (name[i] == '\0' && envstr[i] == '=') {
70    return envstr + i + 1;
71  }
72
73  return NULL;
74}
75
76static bool __is_valid_environment_variable(const char* name) {
77  // According to its sources, the kernel uses 32*PAGE_SIZE by default
78  // as the maximum size for an env. variable definition.
79  const int MAX_ENV_LEN = 32*4096;
80
81  if (name == NULL) {
82    return false;
83  }
84
85  // Parse the string, looking for the first '=' there, and its size.
86  int pos = 0;
87  int first_equal_pos = -1;
88  while (pos < MAX_ENV_LEN) {
89    if (name[pos] == '\0') {
90      break;
91    }
92    if (name[pos] == '=' && first_equal_pos < 0) {
93      first_equal_pos = pos;
94    }
95    pos++;
96  }
97
98  // Check that it's smaller than MAX_ENV_LEN (to detect non-zero terminated strings).
99  if (pos >= MAX_ENV_LEN) {
100    return false;
101  }
102
103  // Check that it contains at least one equal sign that is not the first character
104  if (first_equal_pos < 1) {
105    return false;
106  }
107
108  return true;
109}
110
111static bool __is_unsafe_environment_variable(const char* name) {
112  // None of these should be allowed in setuid programs.
113  static const char* const UNSAFE_VARIABLE_NAMES[] = {
114      "GCONV_PATH",
115      "GETCONF_DIR",
116      "HOSTALIASES",
117      "LD_AOUT_LIBRARY_PATH",
118      "LD_AOUT_PRELOAD",
119      "LD_AUDIT",
120      "LD_DEBUG",
121      "LD_DEBUG_OUTPUT",
122      "LD_DYNAMIC_WEAK",
123      "LD_LIBRARY_PATH",
124      "LD_ORIGIN_PATH",
125      "LD_PRELOAD",
126      "LD_PROFILE",
127      "LD_SHOW_AUXV",
128      "LD_USE_LOAD_BIAS",
129      "LOCALDOMAIN",
130      "LOCPATH",
131      "MALLOC_CHECK_",
132      "MALLOC_TRACE",
133      "NIS_PATH",
134      "NLSPATH",
135      "RESOLV_HOST_CONF",
136      "RES_OPTIONS",
137      "TMPDIR",
138      "TZDIR",
139      NULL
140  };
141  for (size_t i = 0; UNSAFE_VARIABLE_NAMES[i] != NULL; ++i) {
142    if (env_match(name, UNSAFE_VARIABLE_NAMES[i]) != NULL) {
143      return true;
144    }
145  }
146  return false;
147}
148
149static void __sanitize_environment_variables() {
150  char** src  = _envp;
151  char** dst = _envp;
152  for (; src[0] != NULL; ++src) {
153    if (!__is_valid_environment_variable(src[0])) {
154      continue;
155    }
156    // Remove various unsafe environment variables if we're loading a setuid program.
157    if (get_AT_SECURE() && __is_unsafe_environment_variable(src[0])) {
158        continue;
159    }
160    dst[0] = src[0];
161    ++dst;
162  }
163  dst[0] = NULL;
164}
165
166void linker_env_init(KernelArgumentBlock& args) {
167  // Store environment pointer - can't be NULL.
168  _envp = args.envp;
169
170  __init_AT_SECURE(args);
171  __sanitize_environment_variables();
172}
173
174const char* linker_env_get(const char* name) {
175  if (name == NULL || name[0] == '\0') {
176    return NULL;
177  }
178
179  for (char** p = _envp; p[0] != NULL; ++p) {
180    const char* val = env_match(p[0], name);
181    if (val != NULL) {
182      if (val[0] == '\0') {
183        return NULL; // Return NULL for empty strings.
184      }
185      return val;
186    }
187  }
188  return NULL;
189}
190