The AppArmor documentation mentions giving applications the ability to execute other programs with or without environment scrubbing. Apparently a scrubbed environment is more secure, but the documentation doesn't seem to specify how environment scrubbing happens.
What is environment scrubbing, and how does AppArmor scrub the environment?
"Environment scrubbing" is the removal of various "dangerous" environment variables that may be used to affect the behaviour of a binary. For example, LD_PRELOAD can be used to make the dynamic linker pull in code that can make arbitrary changes to the running of a program; other variables can be set to cause trace output to be written to files with well-known names; etc.
This scrubbing is performed for setuid/setgid binaries as a security measure, and the kernel provides a hook to allow security modules to enable it for arbitrary other binaries as well.
The kernel's ELF loader code uses the hook to set the AT_SECURE entry in the "auxiliary vector" of information passed to the binary. (See here and here for the implementation of the hook in the AppArmor code.)
As execution starts in userspace, the dynamic linker picks up that value and uses it to set the __libc_enable_secure flag; you'll see that the same routine contains code that sets the flag for setuid/setgid binaries. (There is equivalent code elsewhere for statically linked binaries.)
__libc_enable_secure affects a number of places in the main body of the dynamic linker code, and causes a list of specific environment variables to be removed.
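To make the answer above concrete, here is an added example (my own code, not from the original post, AppArmor, or glibc) that reads the AT_SECURE entry from the auxiliary vector with glibc's getauxval() and then applies a user-space imitation of the scrub the dynamic linker performs. The variable list is a representative subset of the names glibc's dynamic linker drops in secure mode, written from memory of glibc's unsecvars.h; treat its exact membership as an assumption and check it against your glibc version. The function and variable names are mine.

```c
/* Added example: probe AT_SECURE and imitate glibc's unsecure-variable
 * scrub in user space. Not the dynamic linker's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc >= 2.16, musl) */
#endif

extern char **environ;

/* Representative subset of the names ld.so removes when
 * __libc_enable_secure is set (assumed list; verify against your glibc). */
static const char *const UNSECURE_VARS[] = {
    "GCONV_PATH", "GETCONF_DIR", "HOSTALIASES",
    "LD_AUDIT", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK",
    "LD_LIBRARY_PATH", "LD_ORIGIN_PATH", "LD_PRELOAD", "LD_PROFILE",
    "LD_SHOW_AUXV", "LD_USE_LOAD_BIAS", "LOCALDOMAIN", "LOCPATH",
    "MALLOC_TRACE", "NIS_PATH", "NLSPATH", "RESOLV_HOST_CONF",
    "RES_OPTIONS", "TMPDIR", "TZDIR",
};
#define N_UNSECURE (sizeof UNSECURE_VARS / sizeof UNSECURE_VARS[0])

/* 1 if the kernel flagged this process as secure (AT_SECURE != 0),
 * 0 if it did not, -1 where the auxiliary vector is unavailable. */
int is_secure_process(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    return -1;
#endif
}

/* Does a "NAME=value" entry name one of the unsecure variables?
 * The name must match exactly: "LD_PRELOADX=..." is not "LD_PRELOAD". */
int is_unsecure_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; i < N_UNSECURE; i++)
        if (strlen(UNSECURE_VARS[i]) == len &&
            memcmp(UNSECURE_VARS[i], entry, len) == 0)
            return 1;
    return 0;
}

/* Drop unsecure entries from a NULL-terminated envp array in place,
 * compacting the surviving pointers. Returns how many were removed. */
size_t scrub_env(char **envp)
{
    size_t in = 0, out = 0;
    for (; envp[in]; in++)
        if (!is_unsecure_entry(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return in - out;
}

int main(void)
{
    int secure = is_secure_process();
    printf("AT_SECURE = %d\n", secure);

    /* If ld.so already scrubbed (secure == 1), nothing is printed here:
     * the variables were gone before main() ran. */
    for (char **e = environ; *e; e++)
        if (is_unsecure_entry(*e))
            printf("unsecure variable still present: %s\n", *e);

    if (secure != 1)
        printf("user-space scrub removed %zu entries\n", scrub_env(environ));
    return 0;
}
```

Compile with `gcc -o atsec atsec.c`, then compare `LD_PRELOAD=/nonexistent ./atsec` (AT_SECURE = 0, LD_PRELOAD still visible, user-space scrub removes it) with the same command after `sudo chown root atsec && sudo chmod u+s atsec` (AT_SECURE = 1 and the loop finds nothing, because the dynamic linker removed it before main() started). The same AT_SECURE = 1 result is what an AppArmor profile rule with environment scrubbing produces for an arbitrary, non-setuid binary.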