diff options
author | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2023-11-06 17:25:36 -0300 |
---|---|---|
committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2023-11-21 16:15:42 -0300 |
commit | 9c96c87d60eafa4d78406e606e92b42bd4b570ad (patch) | |
tree | f2b1db62e65cdf8cae4e058bea8e40aae847dc16 /elf/dl-tunable-types.h | |
parent | a72a4eb10b2d9aef7a53f9d2facf166a685d85fb (diff) | |
download | glibc-9c96c87d60eafa4d78406e606e92b42bd4b570ad.tar.gz glibc-9c96c87d60eafa4d78406e606e92b42bd4b570ad.tar.xz glibc-9c96c87d60eafa4d78406e606e92b42bd4b570ad.zip |
elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky can be tunable parsing in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicit enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'elf/dl-tunable-types.h')
-rw-r--r-- | elf/dl-tunable-types.h | 10 |
1 files changed, 0 insertions, 10 deletions
diff --git a/elf/dl-tunable-types.h b/elf/dl-tunable-types.h index c88332657e..62d6d9e629 100644 --- a/elf/dl-tunable-types.h +++ b/elf/dl-tunable-types.h @@ -64,16 +64,6 @@ struct _tunable tunable_val_t val; /* The value. */ bool initialized; /* Flag to indicate that the tunable is initialized. */ - tunable_seclevel_t security_level; /* Specify the security level for the - tunable with respect to AT_SECURE - programs. See description of - tunable_seclevel_t to see a - description of the values. - - Note that even if the tunable is - read, it may not get used by the - target module if the value is - considered unsafe. */ /* Compatibility elements. */ const char env_alias[TUNABLE_ALIAS_MAX]; /* The compatibility environment variable name. */ |