The current comment implies that we only strip sensitive
environment variables on executing a setuid program. This is
true but incomplete. The AT_SECURE flag is set whenever a
security transition occurs, such as executing a setuid program,
SELinux security transition, executing a file with file capabilities,
etc...
Fixup the comments.
Change-Id: I30a73992adfde14d6e5f642b3a1ead2ee56726be
}
static bool __is_unsafe_environment_variable(const char* name) {
- // None of these should be allowed in setuid programs.
+ // None of these should be allowed when the AT_SECURE auxv
+ // flag is set. This flag is set to inform userspace that a
+ // security transition has occurred, for example, as a result
+ // of executing a setuid program or the result of an SELinux
+ // security transition.
static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
"GCONV_PATH",
"GETCONF_DIR",