Run NaClEnvCleanser in standalone sel_ldr (in addition to sel_main_chrome). Add a couple of ld.so...

src/trusted/service_runtime/sel_main.c

 /*
  * Copyright (c) 2011 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 /*
  * NaCl Simple/secure ELF loader (NaCl SEL).
  */
 #include "native_client/src/include/portability.h"
 #include "native_client/src/include/portability_io.h"
 
+#if NACL_OSX
+#include <crt_externs.h>
+#endif
+
 #include <errno.h>
 #include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
 #if NACL_ARCH(NACL_BUILD_ARCH) == NACL_arm || NACL_SANDBOX_FIXED_AT_ZERO == 1
 /* Required for our use of mallopt -- see below. */
 #include <malloc.h>
 #endif
 
 #include "native_client/src/shared/gio/gio.h"
 #include "native_client/src/shared/imc/nacl_imc_c.h"
 #include "native_client/src/shared/platform/nacl_check.h"
 #include "native_client/src/shared/platform/nacl_exit.h"
 #include "native_client/src/shared/platform/nacl_log.h"
 #include "native_client/src/shared/platform/nacl_sync.h"
 #include "native_client/src/shared/platform/nacl_sync_checked.h"
 #include "native_client/src/shared/srpc/nacl_srpc.h"
 
 #include "native_client/src/trusted/perf_counter/nacl_perf_counter.h"
+#include "native_client/src/trusted/service_runtime/env_cleanser.h"
 #include "native_client/src/trusted/service_runtime/include/sys/fcntl.h"
 #include "native_client/src/trusted/service_runtime/nacl_app.h"
 #include "native_client/src/trusted/service_runtime/nacl_all_modules.h"
 #include "native_client/src/trusted/service_runtime/nacl_config_dangerous.h"
 #include "native_client/src/trusted/service_runtime/nacl_globals.h"
 #include "native_client/src/trusted/service_runtime/nacl_signal.h"
 #include "native_client/src/trusted/service_runtime/nacl_syscall_common.h"
 #include "native_client/src/trusted/service_runtime/nacl_valgrind_hooks.h"
 #include "native_client/src/trusted/service_runtime/outer_sandbox.h"
 #include "native_client/src/trusted/service_runtime/sel_ldr.h"
@@ skipping 141 matching lines @@
   int                           log_desc;
   int                           verbosity = 0;
   int                           fuzzing_quit_after_load = 0;
   int                           debug_mode_bypass_acl_checks = 0;
   int                           debug_mode_ignore_validator = 0;
   int                           stub_out_mode = 0;
   int                           skip_qualification = 0;
   int                           enable_debug_stub = 0;
   int                           handle_signals = 0;
   struct NaClPerfCounter        time_all_main;
+  const char                    **envp;
+  struct NaClEnvCleanser        env_cleanser;
 
 
   const char* sandbox_fd_string;
 
+#if NACL_OSX
+  /* Mac dynamic libraries cannot access the environ variable directly. */
+  envp = (const char **) *_NSGetEnviron();
+#else
+  /* Overzealous code style check is overzealous. */
+  /* @IGNORE_LINES_FOR_CODE_HYGIENE[1] */
+  extern char **environ;
+  envp = (const char **) environ;
+#endif
+
 #if NACL_ARCH(NACL_BUILD_ARCH) == NACL_arm || NACL_SANDBOX_FIXED_AT_ZERO == 1
   /*
    * Set malloc not to use mmap even for large allocations.  This is currently
    * necessary when we must use a specific area of RAM for the sandbox.
    *
    * During startup, before the sandbox is set up, the sel_ldr allocates a chunk
    * of memory to store the untrusted code.  Normally such an allocation would
    * go into the sel_ldr's heap area, but the allocation is typically large --
    * at least hundreds of KiB.  The default malloc configuration on Linux (at
    * least) switches to mmap for such allocations, and mmap will select
@@ skipping 578 matching lines @@
             "Not running app code since errcode is %s (%d)\n",
             NaClErrorString(errcode),
             errcode);
     goto done;
   }
 
   if (!DynArraySet(&env_vars, env_vars.num_entries, NULL)) {
     NaClLog(LOG_FATAL, "Adding env_vars NULL terminator failed\n");
   }
 
+  NaClEnvCleanserCtor(&env_cleanser, 0);
+  if (!NaClEnvCleanserInit(&env_cleanser, envp,
+          (char const *const *)env_vars.ptr_array)) {
+    NaClLog(LOG_FATAL, "Failed to initialise env cleanser\n");
+  }
+
   /*
    * only nap->ehdrs.e_entry is usable, no symbol table is
    * available.
    */
   if (!NaClCreateMainThread(nap,
                             argc - optind,
                             argv + optind,
-                            (const char **) env_vars.ptr_array)) {
+                            NaClEnvCleanserEnvironment(&env_cleanser))) {
     fprintf(stderr, "creating main thread failed\n");
     goto done;
   }
+
+  NaClEnvCleanserDtor(&env_cleanser);
+
   NaClPerfCounterMark(&time_all_main, "CreateMainThread");
   NaClPerfCounterIntervalLast(&time_all_main);
   DynArrayDtor(&env_vars);
 
   ret_code = NaClWaitForMainThreadToExit(nap);
   NaClPerfCounterMark(&time_all_main, "WaitForMainThread");
   NaClPerfCounterIntervalLast(&time_all_main);
 
   NaClPerfCounterMark(&time_all_main, "SelMainEnd");
   NaClPerfCounterIntervalTotal(&time_all_main);
@@ skipping 26 matching lines @@
   if (handle_signals) NaClSignalHandlerFini();
   NaClAllModulesFini();
 
   WINDOWS_EXCEPTION_CATCH;
 
   NaClExit(ret_code);
 
   /* Unreachable, but having the return prevents a compiler error. */
   return ret_code;
 }