glibc/scripts
Siddhesh Poyarekar 8b9e9c3c0b tunables: Fix environment variable processing for setuid binaries (bz #21073)
Florian Weimer pointed out that we have three different kinds of
environment variables (and hence tunables):

1. Variables that are removed for setxid processes
2. Variables that are ignored in setxid processes but are passed on to
   child processes
3. Variables that are passed on to child processes all the time

Tunables currently only does (2) and (3) when it should be doing (1)
for MALLOC_CHECK_.  This patch enhances the is_secure flag in tunables
to an enum value that can specify which of the above three categories
the tunable (and its envvar alias) belongs to.

The default is for tunables to be in (1).  Hence, all of the malloc
tunables barring MALLOC_CHECK_ are explicitly specified to belong to
category (2).  There were discussions around abolishing category (2)
completely but we can do that as a separate exercise in 2.26.

Tested on x86_64 to verify that there are no regressions.

	[BZ #21073]
	* elf/dl-tunable-types.h (tunable_seclevel_t): New enum.
	* elf/dl-tunables.c (tunables_strdup): Remove.
	(get_next_env): Also return the previous envp.
	(parse_tunables): Erase tunables of category
	TUNABLES_SECLEVEL_SXID_ERASE.
	(maybe_enable_malloc_check): Make MALLOC_CHECK_
	TUNABLE_SECLEVEL_NONE if /etc/setuid-debug is accessible.
	(__tunables_init)[TUNABLES_FRONTEND ==
	TUNABLES_FRONTEND_valstring]: Update GLIBC_TUNABLES envvar
	after parsing.
	[TUNABLES_FRONTEND != TUNABLES_FRONTEND_valstring]: Erase
	tunable envvars of category TUNABLES_SECLEVEL_SXID_ERASE.
	* elf/dl-tunables.h (struct _tunable): Change member is_secure
	to security_level.
	* elf/dl-tunables.list: Add security_level annotations for all
	tunables.
	* scripts/gen-tunables.awk: Recognize and generate enum values
	for security_level.
	* elf/tst-env-setuid.c: New test case.
	* elf/tst-env-setuid-tunables: new test case.
	* elf/Makefile (tests-static): Add them.
2017-02-02 15:50:16 +05:30
abi-versions.awk Remove bitrotten --enable-oldest-abi (bug 6652). 2014-09-16 17:45:03 +00:00
abilist.awk Simplify the abilist format 2015-11-06 13:58:53 +01:00
begin-end-check.pl Add rules to run scripts/begin-end-check.pl. 2005-09-17 17:15:50 +00:00
build-many-glibcs.py Avoid parallel GCC install in build-many-glibcs.py. 2017-01-18 23:13:09 +00:00
check-c++-types.sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
check-execstack.awk Do check-execstack test using readelf rather than a build-time C program. 2012-05-01 13:27:52 -07:00
check-installed-headers.sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
check-local-headers.sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
check-localplt.awk Extend local PLT reference check 2015-07-29 11:58:06 -07:00
check-textrel.awk Do check-textrel test using readelf rather than a build-time C program. 2012-05-01 13:27:11 -07:00
config-uname.sh Rejigger header generation for default uname implementation. 2010-08-24 11:56:52 -07:00
config.guess Update config.guess and config.sub to current versions. 2017-01-01 00:29:55 +00:00
config.sub Update config.guess and config.sub to current versions. 2017-01-01 00:29:55 +00:00
cpp Make shebang interpreter directives consistent 2016-01-07 04:03:21 -05:00
cross-test-ssh.sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
documented.sh Make shebang interpreter directives consistent 2016-01-07 04:03:21 -05:00
evaluate-test.sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
firstversions.awk Fix bug in firstversions.awk version range handling. 2012-01-28 12:02:44 -05:00
gen-as-const.awk Fix 64-bit platform handling in test cases for generated headers with constants. 2009-08-16 00:39:43 -07:00
gen-libc-abis Make shebang interpreter directives consistent 2016-01-07 04:03:21 -05:00
gen-libc-modules.awk Auto-generate libc-modules.h 2014-11-19 12:16:00 +05:30
gen-posix-conf-vars.awk Remove uses of sprintf in gen-posix-conf-vars.awk 2015-01-02 11:16:35 +05:30
gen-py-const.awk Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
gen-rrtypes.py Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
gen-sorted.awk Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
gen-tunables.awk tunables: Fix environment variable processing for setuid binaries (bz #21073) 2017-02-02 15:50:16 +05:30
install-sh Update miscellaneous files from upstream sources. 2016-12-21 16:05:55 +00:00
lib-names.awk Clean up gnu/lib-names.h generation (bug 14171). 2014-09-26 17:33:04 +00:00
list-fixed-bugs.py Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
list-sources.sh Update scripts/list-sources.sh for ports repository merge. 2014-06-26 21:30:07 +00:00
localplt.awk Support PLT and GOT references in local PIC check 2015-10-14 06:00:02 -07:00
merge-test-results.sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
mkinstalldirs Update miscellaneous files from upstream sources. 2016-12-21 16:05:55 +00:00
move-if-change Update miscellaneous files from upstream sources. 2016-12-21 16:05:55 +00:00
output-format.sed 2004-08-13 Daniel Jacobowitz <dan@debian.org> 2004-08-14 06:54:39 +00:00
pylint Implement benchmarking script in python 2014-03-21 17:32:50 +05:30
pylintrc pylintrc: disable reports 2015-11-11 13:41:57 -05:00
rellns-sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
soversions.awk Remove bitrotten --enable-oldest-abi (bug 6652). 2014-09-16 17:45:03 +00:00
sysd-rules.awk sysd-rules: Cut down the number of rtld-% pattern rules 2016-09-20 10:41:05 +02:00
test_printers_common.py Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
test_printers_exceptions.py Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
test-installation.pl Update copyright dates not handled by scripts/update-copyrights. 2017-01-01 00:26:24 +00:00
update-abilist.sh Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
update-copyrights Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
versionlist.awk Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
versions.awk Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00