glibc/scripts
Adhemerval Zanella 9c96c87d60 elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc
tunable environment variables' behavior unchanged across security
boundaries.  However, CVE-2023-4911 shows how tricky tunable parsing
can be in a security-sensitive environment.

Not only parsing, but the malloc tunable essentially changes some
semantics on setuid/setgid processes.  Although it is not a direct
security issue, allowing users to change setuid/setgid semantics is not
a good security practice, and requires extra code and analysis to check
if each tunable is safe to use on all security boundaries.

It also means that security opt-in features, like aarch64 MTE, would
need to be explicitly enabled by an administrator with a wrapper script
or with a possible future system-wide tunable setting.

Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-11-21 16:15:42 -03:00
..
abi-versions.awk Remove bitrotten --enable-oldest-abi (bug 6652). 2014-09-16 17:45:03 +00:00
abilist.awk Add GLIBC_ABI_DT_RELR for DT_RELR support 2022-04-26 10:16:11 -07:00
backport-support.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
build-many-glibcs.py Use Linux 6.6 in build-many-glibcs.py 2023-10-31 13:36:51 +00:00
check-c++-types.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
check-execstack.awk check-execstack: Permit sysdeps to xfail some libs 2018-07-20 03:28:14 +02:00
check-initfini.awk Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
check-installed-headers.sh scripts: Fix fortify checks if compiler does not support _FORTIFY_SOURCE=3 2023-07-20 17:58:26 -03:00
check-local-headers.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
check-localplt.awk Extend local PLT reference check 2015-07-29 11:58:06 -07:00
check-obsolete-constructs.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
check-textrel.awk Do check-textrel test using readelf rather than a build-time C program. 2012-05-01 13:27:11 -07:00
check-wrapper-headers.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
check-wx-segment.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
config-uname.sh Rejigger header generation for default uname implementation. 2010-08-24 11:56:52 -07:00
config.guess Update scripts/config.* files from upstream GNU config version 2022-07-19 09:32:19 -03:00
config.sub Update scripts/config.* files from upstream GNU config version 2022-07-19 09:32:19 -03:00
cpp Make shebang interpreter directives consistent 2016-01-07 04:03:21 -05:00
cross-test-ssh.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
documented.sh crypt: Remove libcrypt support 2023-10-30 13:03:59 -03:00
dso-ordering-test.py Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
evaluate-test.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
firstversions.awk Fix bug in firstversions.awk version range handling. 2012-01-28 12:02:44 -05:00
gen-as-const.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
gen-libc-abis Make shebang interpreter directives consistent 2016-01-07 04:03:21 -05:00
gen-libc-modules.awk Auto-generate libc-modules.h 2014-11-19 12:16:00 +05:30
gen-posix-conf-vars.awk Remove uses of sprintf in gen-posix-conf-vars.awk 2015-01-02 11:16:35 +05:30
gen-rrtypes.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
gen-sorted.awk Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
gen-tunables.awk elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries 2023-11-21 16:15:42 -03:00
glibc_shared_code.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
glibcelf.py Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
glibcextract.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
glibcpp.py Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
glibcsymbols.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
haveversions.awk Don't build libnsl for new ABIs 2018-09-24 10:23:10 +02:00
install-sh Update miscellaneous files from upstream sources. 2018-12-06 17:21:47 +00:00
lib-names.awk Clean up gnu/lib-names.h generation (bug 14171). 2014-09-26 17:33:04 +00:00
lint-makefiles.sh Add lint-makefiles Makefile linting test. 2023-06-02 21:43:05 -04:00
list-fixed-bugs.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
list-sources.sh Update scripts/list-sources.sh for ports repository merge. 2014-06-26 21:30:07 +00:00
localplt.awk scripts/localplt.awk: Handle DT_JMPREL with empty PLT (for C-SKY) 2022-10-27 11:36:44 +02:00
merge-test-results.sh Format test results closer to what DejaGnu does 2023-11-03 12:58:17 +00:00
mkinstalldirs Update miscellaneous files from upstream sources. 2018-12-06 17:21:47 +00:00
move-if-change Sync move-if-change from Gnulib, updating copyright 2022-01-01 11:42:26 -08:00
move-symbol-to-libc.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pylint Implement benchmarking script in python 2014-03-21 17:32:50 +05:30
pylintrc Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
rellns-sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sort-makefile-lines.py Fix a few more typos I missed in previous round -- BZ 25337 2023-06-02 23:46:32 +00:00
soversions.awk Remove bitrotten --enable-oldest-abi (bug 6652). 2014-09-16 17:45:03 +00:00
sysd-rules.awk sysd-rules: Cut down the number of rtld-% pattern rules 2016-09-20 10:41:05 +02:00
test_printers_common.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
test_printers_exceptions.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
test-installation.pl Update copyright dates not handled by scripts/update-copyrights 2023-01-06 21:45:36 +00:00
tst-elf-edit.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-ld-trace.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
update-abilist.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
update-copyrights Remove 'grp' and merge into 'nss' and 'posix' 2023-10-24 12:30:59 +02:00
vcstocl_quirks.py Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
versionlist.awk Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
versions.awk Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00