author Peter Levine <plevine457@gmail.com> 2017-09-26 13:59:42 -0400
committer Ian Stakenvicius <axs@gentoo.org> 2017-10-03 12:42:44 -0400
commit ecba8795415dd571f894d457001f28d96c3f8a93
parent libsandbox: Fix path matching not to dumbly match prefixes
Ensure LD_LIBRARY_PATH is copied to my_env
v2.12
Sandbox commit 55087abd8dc9802cf68cade776fe612a3f19f6a1 is for the purpose of preventing a loop or deadlock caused by a package implementing its own libc memory allocation functions, which themselves may call on sandbox-wrapped system calls, whose implementation depends on further calls to such memory functions. If any binaries export such symbols, sandbox assumes the worst and prevents loading of libsandbox.so and instead opts for ptrace. In preventing the loading of libsandbox, it removes all variables whose env_pair.name field matches the name of an environment variable from the environment, for all env_pairs of vars[] in char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert) in "libsandbox/libsandbox.c". This includes not just the usual environment variables prefixed with 'SANDBOX_' but also LD_PRELOAD and LD_LIBRARY_PATH. LD_PRELOAD clearly should be removed. But LD_LIBRARY_PATH would only seem to be trouble if used with LD_PRELOAD. As such it makes sense to me to prevent the removal of LD_LIBRARY_PATH. Given the fact that the positions of the env_pairs in vars[] are intended to be hard-coded (from libsandbox.c: /* Indices matter -- see init below */), this commit uses the index of the env_pair corresponding to LD_LIBRARY_PATH to prevent its removal.
1 files changed, 2 insertions, 2 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 962690e..c126aa1 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1201,7 +1201,7 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
if (mod_cnt) {
str_list_for_each_item(envp, entry, count) {
for (i = 0; i < num_vars; ++i)
- if (is_env_var(entry, vars[i].name, vars[i].len)) {
+ if (i != 12 && is_env_var(entry, vars[i].name, vars[i].len)) {
goto skip;
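Review bot: The literal 12 in `if (i != 12 && is_env_var(entry, vars[i].name, vars[i].len))` is an unexplained magic index. Nothing in this hunk ties it to LD_LIBRARY_PATH, and the vars[] initializer is outside the visible context, so a reader cannot confirm which variable is being exempted. If an entry is ever inserted or reordered ahead of it in vars[], the exemption silently moves to a different variable, and the commit message itself says LD_PRELOAD must still be stripped. Please give the index a named constant or enum value defined next to vars[], and add a one-line comment here stating that LD_LIBRARY_PATH is deliberately kept and why.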
@@ -1210,7 +1210,7 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
} else {
for (i = 0; i < num_vars; ++i)
- unsetenv(vars[i].name);
+ if (i != 12) unsetenv(vars[i].name);
} else {
if (mod_cnt) {
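Review bot: The same hard-coded 12 is repeated in `if (i != 12) unsetenv(vars[i].name);`, so the filtering loop and the unsetenv loop can drift apart if only one of them is updated later. Both sites should use one shared named constant (or a small helper that decides whether vars[i] is stripped) so the copy path and the unsetenv path always agree on what survives. The body also sits on the same line as the condition, unlike the `if` in the previous hunk where the body is on its own line; please split it to match. A short comment in this branch explaining why LD_LIBRARY_PATH is left in the environment would document the security decision where it is made.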