elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky tunable parsing can be in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicitly enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
@@ -61,9 +61,6 @@ $1 == "}" {
|
||||
if (!env_alias[top_ns,ns,tunable]) {
|
||||
env_alias[top_ns,ns,tunable] = "{0}"
|
||||
}
|
||||
if (!security_level[top_ns,ns,tunable]) {
|
||||
security_level[top_ns,ns,tunable] = "SXID_ERASE"
|
||||
}
|
||||
len = length(top_ns"."ns"."tunable)
|
||||
if (len > max_name_len)
|
||||
max_name_len = len
|
||||
@@ -118,17 +115,6 @@ $1 == "}" {
|
||||
if (len > max_alias_len)
|
||||
max_alias_len = len
|
||||
}
|
||||
else if (attr == "security_level") {
|
||||
if (val == "SXID_ERASE" || val == "SXID_IGNORE" || val == "NONE") {
|
||||
security_level[top_ns,ns,tunable] = val
|
||||
}
|
||||
else {
|
||||
printf("Line %d: Invalid value (%s) for security_level: %s, ", NR, val,
|
||||
$0)
|
||||
print("Allowed values are 'SXID_ERASE', 'SXID_IGNORE', or 'NONE'")
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
else if (attr == "default") {
|
||||
if (types[top_ns,ns,tunable] == "STRING") {
|
||||
default_val[top_ns,ns,tunable] = sprintf(".strval = \"%s\"", val);
|
||||
@@ -177,9 +163,9 @@ END {
|
||||
n = indices[2];
|
||||
m = indices[3];
|
||||
printf (" {TUNABLE_NAME_S(%s, %s, %s)", t, n, m)
|
||||
printf (", {TUNABLE_TYPE_%s, %s, %s}, {%s}, false, TUNABLE_SECLEVEL_%s, %s},\n",
|
||||
printf (", {TUNABLE_TYPE_%s, %s, %s}, {%s}, false, %s},\n",
|
||||
types[t,n,m], minvals[t,n,m], maxvals[t,n,m],
|
||||
default_val[t,n,m], security_level[t,n,m], env_alias[t,n,m]);
|
||||
default_val[t,n,m], env_alias[t,n,m]);
|
||||
}
|
||||
print "};"
|
||||
print "#endif"
|
||||
|
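Review bot: A tunables list entry that still carries a `security_level:` line is no longer validated once the second hunk drops that branch from the attribute chain; unless the end of the chain, which lies outside the hunk, rejects unknown attributes, such a line would be accepted silently. For a retired security attribute a loud build failure is safer than a silent no-op, because the maintainer of a downstream or architecture-specific list could go on believing the marking still has an effect. Consider keeping a stub such as `else if (attr == "security_level") { printf("Line %d: security_level is no longer supported: %s\n", NR, $0); exit 1 }`. Separately, the initializer emitted in the `END` block is positional, so it stays correct only if the matching C struct loses its security-level member in the same commit; that definition is not visible on this page.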