libc_init_common.cpp: Clarify when environment stripping occurs

The current comment implies that we only strip sensitive
environment variables on executing a setuid program. This is
true but incomplete. The AT_SECURE flag is set whenever a
security transition occurs, such as executing a setuid program,
SELinux security transition, executing a file with file capabilities,
etc...

Fixup the comments.

Change-Id: I30a73992adfde14d6e5f642b3a1ead2ee56726be

diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp
index 4995414..a683748 100644 (file)
--- a/libc/bionic/libc_init_common.cpp
+++ b/libc/bionic/libc_init_common.cpp
@@ -245,7 +245,11 @@ static bool __is_valid_environment_variable(const char* name) {
 }
 
 static bool __is_unsafe_environment_variable(const char* name) {
-  // None of these should be allowed in setuid programs.
+  // None of these should be allowed when the AT_SECURE auxv
+  // flag is set. This flag is set to inform userspace that a
+  // security transition has occurred, for example, as a result
+  // of executing a setuid program or the result of an SELinux
+  // security transition.
   static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
     "GCONV_PATH",
     "GETCONF_DIR",