Linux sandbox: save full list of SUID unsafe environment variables.

chrome/browser/zygote_host_linux.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/zygote_host_linux.h"
 
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 
 #include "base/command_line.h"
 #include "base/eintr_wrapper.h"
 #include "base/logging.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/process_util.h"
 #include "base/string_util.h"
 #include "base/unix_domain_socket_posix.h"
 
 #include "chrome/browser/renderer_host/render_sandbox_host_linux.h"
 #include "chrome/common/chrome_constants.h"
 #include "chrome/common/chrome_switches.h"
 
+#include "sandbox/linux/suid/suid_unsafe_environment_variables.h"
+
+static void SaveSUIDUnsafeEnvironmentVariables() {
+  // The ELF loader will clear many environment variables so we save them to
+  // different names here so that the SUID sandbox can resolve them for the
+  // renderer.
+
+  for (unsigned i = 0; kSUIDUnsafeEnvironmentVariables[i]; ++i) {
+    const char* const envvar = kSUIDUnsafeEnvironmentVariables[i];
+    char* const saved_envvar = SandboxSavedEnvironmentVariable(envvar);
+    if (!saved_envvar)
+      continue;
+
+    const char* const value = getenv(envvar);
+    if (value)
+      setenv(saved_envvar, value, 1 /* overwrite */);
+    else
+      unsetenv(saved_envvar);

[Evan Martin, 2009/07/17 21:10:57]

I wonder if we should unsetenv() all existing SANDBOX_FOO here so that any extra
ones from the env don't get used by the child.  Maybe that's excessive.

[agl, 2009/07/17 21:35:09]

We already control all the SANDBOX_ values: either we set them ourselves or we
clear them.

+
+    free(saved_envvar);
+  }
+}
+
 ZygoteHost::ZygoteHost() {
   std::wstring chrome_path;
   CHECK(PathService::Get(base::FILE_EXE, &chrome_path));
   CommandLine cmd_line(chrome_path);
 
   cmd_line.AppendSwitchWithValue(switches::kProcessType,
                                  switches::kZygoteProcess);
 
   int fds[2];
   CHECK(socketpair(PF_UNIX, SOCK_SEQPACKET, 0, fds) == 0);
@@ skipping 22 matching lines @@
   if (!sandbox_binary)
     sandbox_binary = LINUX_SANDBOX_PATH;
 #endif
 
   if (sandbox_binary && stat(sandbox_binary, &st) == 0) {
     if (access(sandbox_binary, X_OK) == 0 &&
         (st.st_mode & S_ISUID) &&
         (st.st_mode & S_IXOTH)) {
       cmd_line.PrependWrapper(ASCIIToWide(sandbox_binary));
 
-      // SUID binaries clear LD_LIBRARY_PATH. However, the sandbox binary needs
-      // to run its child processes with the correct LD_LIBRARY_PATH so we save
-      // a copy here:
-      const char* ld_library_path = getenv("LD_LIBRARY_PATH");
-      if (ld_library_path)
-        setenv("SANDBOX_LD_LIBRARY_PATH", ld_library_path, 1 /* overwrite */);
+      SaveSUIDUnsafeEnvironmentVariables();
     } else {
       LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
                     "configured correctly. Rather than run without sandboxing "
                     "I'm aborting now. You need to make sure that "
                  << sandbox_binary << " is mode 4755.";
     }
   }
 
   // Start up the sandbox host process and get the file descriptor for the
   // renderers to talk to it.
@@ skipping 78 matching lines @@
       !read_pickle.ReadBool(&iter, &tmp_child_exited)) {
     LOG(WARNING) << "Error parsing DidProcessCrash response from zygote.";
     return false;
   }
 
   if (child_exited)
     *child_exited = tmp_child_exited;
 
   return did_crash;
 }