author: Adhemerval Zanella <adhemerval.zanella@linaro.org> 2023-11-06 17:25:36 -0300
committer: Adhemerval Zanella <adhemerval.zanella@linaro.org> 2023-11-21 16:15:42 -0300
commit: 9c96c87d60eafa4d78406e606e92b42bd4b570ad (patch)
tree: f2b1db62e65cdf8cae4e058bea8e40aae847dc16 /elf/dl-tunables.list
parent: a72a4eb10b2d9aef7a53f9d2facf166a685d85fb (diff)
elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky tunable parsing can be in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicitly enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting.

Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'elf/dl-tunables.list')
-rw-r--r-- elf/dl-tunables.list | 17
1 files changed, 0 insertions, 17 deletions
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index 888d2ed..720a8ac 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -21,14 +21,6 @@
# minval: Optional minimum acceptable value
# maxval: Optional maximum acceptable value
# env_alias: An alias environment variable
-# security_level: Specify security level of the tunable for AT_SECURE binaries.
-# Valid values are:
-#
-# SXID_ERASE: (default) Do not read and do not pass on to
-# child processes.
-# SXID_IGNORE: Do not read, but retain for non-AT_SECURE
-# subprocesses.
-# NONE: Read all the time.
glibc {
malloc {
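Review bot: the header comment now says nothing at all about AT_SECURE handling; dropping the `security_level:` description is right once the key is gone, but a reader of this list file should still learn that every tunable is ignored for AT_SECURE binaries. Suggest a one-line note in place of the removed block, e.g. `# Tunables are never read for AT_SECURE (setuid/setgid) binaries.` Also, since this diffstat is limited to the list file, the consumers of the `security_level` key (the list-file generator and the tunables runtime) must be changed in the same series, otherwise the key's removal here is only cosmetic.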
@@ -41,7 +33,6 @@ glibc {
top_pad {
type: SIZE_T
env_alias: MALLOC_TOP_PAD_
- security_level: SXID_IGNORE
default: 131072
}
perturb {
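Review bot: `env_alias: MALLOC_TOP_PAD_` is kept while `security_level: SXID_IGNORE` is removed. SXID_IGNORE meant the alias was not read in AT_SECURE processes but was retained for non-AT_SECURE children; the commit message only states that GLIBC_TUNABLES is ignored for setuid/setgid binaries. It should say explicitly whether the `MALLOC_*` alias variables are now also ignored (and whether they are still passed on to child processes), since that is the behaviour this hunk changes for existing setuid programs.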
@@ -49,35 +40,29 @@ glibc {
minval: 0
maxval: 0xff
env_alias: MALLOC_PERTURB_
- security_level: SXID_IGNORE
}
mmap_threshold {
type: SIZE_T
env_alias: MALLOC_MMAP_THRESHOLD_
- security_level: SXID_IGNORE
}
trim_threshold {
type: SIZE_T
env_alias: MALLOC_TRIM_THRESHOLD_
- security_level: SXID_IGNORE
}
mmap_max {
type: INT_32
env_alias: MALLOC_MMAP_MAX_
- security_level: SXID_IGNORE
minval: 0
}
arena_max {
type: SIZE_T
env_alias: MALLOC_ARENA_MAX
minval: 1
- security_level: SXID_IGNORE
}
arena_test {
type: SIZE_T
env_alias: MALLOC_ARENA_TEST
minval: 1
- security_level: SXID_IGNORE
}
tcache_max {
type: SIZE_T
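Review bot: this hunk strips `security_level: SXID_IGNORE` from seven malloc tunables, but the context at the end (`tcache_max { type: SIZE_T`) shows an entry whose remaining keys are outside the hunk. With the key no longer documented, any `security_level:` line left anywhere in the file would be an unknown key; worth confirming with a grep over the whole list that none remain, and that the generator rejects unknown keys rather than silently ignoring them.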
@@ -91,7 +76,6 @@ glibc {
mxfast {
type: SIZE_T
minval: 0
- security_level: SXID_IGNORE
}
hugetlb {
type: SIZE_T
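Review bot: `mxfast` has no `env_alias`, so GLIBC_TUNABLES was its only setting path; with SXID_IGNORE removed and tunables ignored under AT_SECURE, setuid programs lose the ability to tune it entirely. That is the intended effect, but it is a user-visible behaviour change and should be called out in NEWS and in the tunables chapter of the manual, which currently describes the per-tunable security levels.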
@@ -158,7 +142,6 @@ glibc {
type: INT_32
minval: 0
maxval: 255
- security_level: SXID_IGNORE
}
decorate_maps {
type: INT_32