chrome/browser/zygote_host_linux.cc - Issue 159025: Linux sandbox: save full list of SUID unsafe environment variables.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/browser/zygote_host_linux.cc

Issue 159025: Linux sandbox: save full list of SUID unsafe environment variables. (Closed)

Patch Set: ... Created 11 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/browser/zygote_host_linux.cc

diff --git a/chrome/browser/zygote_host_linux.cc b/chrome/browser/zygote_host_linux.cc

index dad473b5ba3f13412ef417cb9036e5ed8181b905..b0558349de8593065a108404b9d3ef1a843563cd 100644

--- a/chrome/browser/zygote_host_linux.cc

+++ b/chrome/browser/zygote_host_linux.cc

@@ -22,6 +22,29 @@

#include "chrome/common/chrome_constants.h"

#include "chrome/common/chrome_switches.h"

+#include "sandbox/linux/suid/suid_unsafe_environment_variables.h"

+static void SaveSUIDUnsafeEnvironmentVariables() {

+ // The ELF loader will clear many environment variables so we save them to

+ // different names here so that the SUID sandbox can resolve them for the

+ // renderer.

+ for (unsigned i = 0; kSUIDUnsafeEnvironmentVariables[i]; ++i) {

+ const char* const envvar = kSUIDUnsafeEnvironmentVariables[i];

+ char* const saved_envvar = SandboxSavedEnvironmentVariable(envvar);

+ if (!saved_envvar)

+ continue;

+ const char* const value = getenv(envvar);

+ if (value)

+ setenv(saved_envvar, value, 1 /* overwrite */);

+ else

+ unsetenv(saved_envvar);

Evan Martin 2009/07/17 21:10:57 I wonder if we should unsetenv() all existing SAND

agl 2009/07/17 21:35:09 We already control all the SANDBOX_ values: either

+ free(saved_envvar);

+ }

ZygoteHost::ZygoteHost() {

std::wstring chrome_path;

CHECK(PathService::Get(base::FILE_EXE, &chrome_path));

@@ -64,12 +87,7 @@ ZygoteHost::ZygoteHost() {

(st.st_mode & S_IXOTH)) {

cmd_line.PrependWrapper(ASCIIToWide(sandbox_binary));

- // SUID binaries clear LD_LIBRARY_PATH. However, the sandbox binary needs

- // to run its child processes with the correct LD_LIBRARY_PATH so we save

- // a copy here:

- const char* ld_library_path = getenv("LD_LIBRARY_PATH");

- if (ld_library_path)

- setenv("SANDBOX_LD_LIBRARY_PATH", ld_library_path, 1 /* overwrite */);

+ SaveSUIDUnsafeEnvironmentVariables();

} else {

LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "

"configured correctly. Rather than run without sandboxing "

« no previous file with comments | « no previous file | sandbox/linux/suid/sandbox.cc » ('j') | sandbox/linux/suid/sandbox.cc » ('J')