From 6bb01b6e6365ced7ca23c9ebecfaf1ea159d5ae2 Mon Sep 17 00:00:00 2001 
From: Nick Kralevich
Date: Sat, 7 Mar 2015 13:37:05 -0800
Subject: [PATCH] linker: Allow an app to update its own LD_LIBRARY_PATH

When the kernel executes a program which is setuid, setgid, has file capabilities, or causes an SELinux domain transition, the AT_SECURE flag is set. This flag instructs the dynamic linker to prune any dangerous environment variables passed across security boundaries.

For SELinux in particular, whether this flag is set depends on the "noatsecure" process permission. If that permission does not exist, then AT_SECURE=1 whenever a domain transition occurs.

In https://android-review.googlesource.com/129971 , Android stopped using noatsecure when executing init services. In https://android-review.googlesource.com/130610 , init was flipped back into SELinux enforcing mode, making ag/129971 active. The combination of those two changes ensured that AT_SECURE=1 was set when executing init spawned services. In particular, AT_SECURE=1 is set when init executes zygote. Due to the forking nature of zygote, AT_SECURE remains untouched when executing zygote's children.

This causes problems for the code added in https://android-review.googlesource.com/48409 . Specifically, if AT_SECURE=1, an attempt to call android_update_LD_LIBRARY_PATH() is silently ignored. This causes problems when art tries to adjust the LD_LIBRARY_PATH for Android apps. Ultimately, apps are unable to find shared libraries they depend on.

As discussed in bug 7896159, there's no security reason for preventing an application from updating its own LD_LIBRARY_PATH. We only need to prune LD_LIBRARY_PATH when transitioning across security boundaries, but not when we're entirely within a security boundary.

Remove the AT_SECURE check within do_android_update_LD_LIBRARY_PATH(). It's unneeded and prevents an application from modifying its own LD_LIBRARY_PATH. This allows an application to specify a location where its dlopen()ed shared libraries should be loaded from.
There is no change to AT_SECURE handling in __sanitize_environment_variables(). We continue to honor it there to prevent using security sensitive environment variables across an exec boundary.

Bug: 19559835
Change-Id: If4af2ee8e84265aaa0c93de8b281208b20d7942a
--- linker/linker.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/linker/linker.cpp b/linker/linker.cpp index 87fce95c2..9ba83ecc2 100644 --- a/linker/linker.cpp +++ b/linker/linker.cpp @@ -1241,9 +1241,7 @@ void do_android_get_LD_LIBRARY_PATH(char* buffer, size_t buffer_size) { } void do_android_update_LD_LIBRARY_PATH(const char* ld_library_path) { - if (!get_AT_SECURE()) { - parse_LD_LIBRARY_PATH(ld_library_path); - } + parse_LD_LIBRARY_PATH(ld_library_path); } soinfo* do_dlopen(const char* name, int flags, const android_dlextinfo* extinfo) {
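Review bot: The hunk removes the only AT_SECURE gate in do_android_update_LD_LIBRARY_PATH() but leaves no comment explaining why the check is intentionally absent, so a later reader seeing an unguarded `parse_LD_LIBRARY_PATH(ld_library_path);` may well re-add it and reintroduce the zygote-inherited AT_SECURE breakage described above. Suggest a one- or two-line comment at the call site stating that LD_LIBRARY_PATH updates here only affect the calling process's own subsequent dlopen() lookups and that pruning across the exec boundary remains the job of __sanitize_environment_variables(), which still honors get_AT_SECURE(). Since that sanitization path is now the sole enforcement point for the AT_SECURE invariant, it would also be worth asserting in a linker test that LD_LIBRARY_PATH is still dropped for an AT_SECURE=1 exec, so the two behaviours cannot silently drift apart.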