jserv · February 23, 2013 11:46
diff --git a/disable-selinux.patch b/disable-selinux.patch
 diff --git a/linker/linker_environ.cpp b/linker/linker_environ.cpp
 index edc659a..4a6e4a0 100644
 --- a/linker/linker_environ.cpp
 +++ b/linker/linker_environ.cpp
 @@ -42,20 +42,6 @@ bool get_AT_SECURE() {
   return _AT_SECURE_value;
 }
 
 -static void __init_AT_SECURE(KernelArgumentBlock& args) {
 -  // Check auxv for AT_SECURE first to see if program is setuid, setgid,
 -  // has file caps, or caused a SELinux/AppArmor domain transition.
 -  bool kernel_supplied_AT_SECURE;
 -  _AT_SECURE_value = args.getauxval(AT_SECURE, &kernel_supplied_AT_SECURE);
 -
 -  // We don't support ancient kernels.
 -  if (!kernel_supplied_AT_SECURE) {
 -    const char* msg = "FATAL: kernel did not supply AT_SECURE\n";
 -    write(2, msg, strlen(msg));
 -    exit(EXIT_FAILURE);
 -  }
 -}
 -
 // Check if the environment variable definition at 'envstr'
 // starts with '<name>=', and if so return the address of the
 // first character after the equal sign. Otherwise return NULL.
 @@ -108,44 +94,6 @@ static bool __is_valid_environment_variable(const char* name) {
   return true;
 }
 
 -static bool __is_unsafe_environment_variable(const char* name) {
 -  // None of these should be allowed in setuid programs.
 -  static const char* const UNSAFE_VARIABLE_NAMES[] = {
 -      "GCONV_PATH",
 -      "GETCONF_DIR",
 -      "HOSTALIASES",
 -      "LD_AOUT_LIBRARY_PATH",
 -      "LD_AOUT_PRELOAD",
 -      "LD_AUDIT",
 -      "LD_DEBUG",
 -      "LD_DEBUG_OUTPUT",
 -      "LD_DYNAMIC_WEAK",
 -      "LD_LIBRARY_PATH",
 -      "LD_ORIGIN_PATH",
 -      "LD_PRELOAD",
 -      "LD_PROFILE",
 -      "LD_SHOW_AUXV",
 -      "LD_USE_LOAD_BIAS",
 -      "LOCALDOMAIN",
 -      "LOCPATH",
 -      "MALLOC_CHECK_",
 -      "MALLOC_TRACE",
 -      "NIS_PATH",
 -      "NLSPATH",
 -      "RESOLV_HOST_CONF",
 -      "RES_OPTIONS",
 -      "TMPDIR",
 -      "TZDIR",
 -      NULL
 -  };
 -  for (size_t i = 0; UNSAFE_VARIABLE_NAMES[i] != NULL; ++i) {
 -    if (env_match(name, UNSAFE_VARIABLE_NAMES[i]) != NULL) {
 -      return true;
 -    }
 -  }
 -  return false;
 -}
 -
 static void __sanitize_environment_variables() {
   char** src  = _envp;
   char** dst = _envp;
 @@ -153,10 +101,6 @@ static void __sanitize_environment_variables() {
     if (!__is_valid_environment_variable(src[0])) {
       continue;
     }
 -    // Remove various unsafe environment variables if we're loading a setuid program.
 -    if (get_AT_SECURE() && __is_unsafe_environment_variable(src[0])) {
 -        continue;
 -    }
     dst[0] = src[0];
     ++dst;
   }
 @@ -167,7 +111,6 @@ void linker_env_init(KernelArgumentBlock& args) {
   // Store environment pointer - can't be NULL.
   _envp = args.envp;
 
 -  __init_AT_SECURE(args);
   __sanitize_environment_variables();
 }
	diff --git a/linker/linker_environ.cpp b/linker/linker_environ.cpp
	index edc659a..4a6e4a0 100644
	--- a/linker/linker_environ.cpp
	+++ b/linker/linker_environ.cpp
	@@ -42,20 +42,6 @@ bool get_AT_SECURE() {
	return _AT_SECURE_value;
	}

	-static void __init_AT_SECURE(KernelArgumentBlock& args) {
	- // Check auxv for AT_SECURE first to see if program is setuid, setgid,
	- // has file caps, or caused a SELinux/AppArmor domain transition.
	- bool kernel_supplied_AT_SECURE;
	- _AT_SECURE_value = args.getauxval(AT_SECURE, &kernel_supplied_AT_SECURE);
	-
	- // We don't support ancient kernels.
	- if (!kernel_supplied_AT_SECURE) {
	- const char* msg = "FATAL: kernel did not supply AT_SECURE\n";
	- write(2, msg, strlen(msg));
	- exit(EXIT_FAILURE);
	- }
	-}
	-
	// Check if the environment variable definition at 'envstr'
	// starts with '<name>=', and if so return the address of the
	// first character after the equal sign. Otherwise return NULL.
	@@ -108,44 +94,6 @@ static bool __is_valid_environment_variable(const char* name) {
	return true;
	}

	-static bool __is_unsafe_environment_variable(const char* name) {
	- // None of these should be allowed in setuid programs.
	- static const char* const UNSAFE_VARIABLE_NAMES[] = {
	- "GCONV_PATH",
	- "GETCONF_DIR",
	- "HOSTALIASES",
	- "LD_AOUT_LIBRARY_PATH",
	- "LD_AOUT_PRELOAD",
	- "LD_AUDIT",
	- "LD_DEBUG",
	- "LD_DEBUG_OUTPUT",
	- "LD_DYNAMIC_WEAK",
	- "LD_LIBRARY_PATH",
	- "LD_ORIGIN_PATH",
	- "LD_PRELOAD",
	- "LD_PROFILE",
	- "LD_SHOW_AUXV",
	- "LD_USE_LOAD_BIAS",
	- "LOCALDOMAIN",
	- "LOCPATH",
	- "MALLOC_CHECK_",
	- "MALLOC_TRACE",
	- "NIS_PATH",
	- "NLSPATH",
	- "RESOLV_HOST_CONF",
	- "RES_OPTIONS",
	- "TMPDIR",
	- "TZDIR",
	- NULL
	- };
	- for (size_t i = 0; UNSAFE_VARIABLE_NAMES[i] != NULL; ++i) {
	- if (env_match(name, UNSAFE_VARIABLE_NAMES[i]) != NULL) {
	- return true;
	- }
	- }
	- return false;
	-}
	-
	static void __sanitize_environment_variables() {
	char** src = _envp;
	char** dst = _envp;
	@@ -153,10 +101,6 @@ static void __sanitize_environment_variables() {
	if (!__is_valid_environment_variable(src[0])) {
	continue;
	}
	- // Remove various unsafe environment variables if we're loading a setuid program.
	- if (get_AT_SECURE() && __is_unsafe_environment_variable(src[0])) {
	- continue;
	- }
	dst[0] = src[0];
	++dst;
	}
	@@ -167,7 +111,6 @@ void linker_env_init(KernelArgumentBlock& args) {
	// Store environment pointer - can't be NULL.
	_envp = args.envp;

	- __init_AT_SECURE(args);
	__sanitize_environment_variables();
	}