Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
The AppArmor documentation mentions giving applications the ability to execute other programs with or without enviroment scrubbing. Apparently a scrubbed environment is more secure, but the documentation doesn’t seem to specify exactly how environment scrubbing happens.
What is environment scrubbing and what does AppArmor do to scrub the environment?
“Environment scrubbing” is the removal of various “dangerous” environment variables which may be used to affect the behaviour of a binary – for example,
LD_PRELOADcan be used to make the dynamic linker pull in code which can make essentially arbitrary changes to the running of a program; some variables can be set to cause trace output to files with well-known names; etc.This scrubbing is normally performed for setuid/setgid binaries as a security measure, but the kernel provides a hook to allow security modules to enable it for arbitrary other binaries as well.
The kernel’s ELF loader code uses this hook to set the
AT_SECUREentry in the “auxiliary vector” of information which is passed to the binary. (See here and here for the implementation of this hook in the AppArmor code.)As execution starts in userspace, the dynamic linker picks up this value and uses it to set the
__libc_enable_secureflag; you’ll see that the same routine also contains the code which sets this flag for setuid/setgid binaries. (There is equivalent code elsewhere for binaries which are statically linked.)__libc_enable_secureaffects a number of places in the main body of the dynamic linker code, and causes a list of specific environment variables to be removed.