From: Nick Kralevich Date: Wed, 11 Nov 2015 00:39:29 +0000 (-0800) Subject: libc_init_common.cpp: Clarify when environment stripping occurs X-Git-Tag: android-x86-7.1-r1~362^2~9^2 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=2fb02651c894866c220bd64cbcd5fbd14e086b85;p=android-x86%2Fbionic.git libc_init_common.cpp: Clarify when environment stripping occurs The current comment implies that we only strip sensitive environment variables on executing a setuid program. This is true but incomplete. The AT_SECURE flag is set whenever a security transition occurs, such as executing a setuid program, SELinux security transition, executing a file with file capabilities, etc... Fixup the comments. Change-Id: I30a73992adfde14d6e5f642b3a1ead2ee56726be --- diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp index 4995414b1..a6837481f 100644 --- a/libc/bionic/libc_init_common.cpp +++ b/libc/bionic/libc_init_common.cpp @@ -245,7 +245,11 @@ static bool __is_valid_environment_variable(const char* name) { } static bool __is_unsafe_environment_variable(const char* name) { - // None of these should be allowed in setuid programs. + // None of these should be allowed when the AT_SECURE auxv + // flag is set. This flag is set to inform userspace that a + // security transition has occurred, for example, as a result + // of executing a setuid program or the result of an SELinux + // security transition. static constexpr const char* UNSAFE_VARIABLE_NAMES[] = { "GCONV_PATH", "GETCONF_DIR",
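Review bot: The new comment names setuid execution and SELinux transitions as examples of AT_SECURE being set, but it omits the file-capabilities case that the commit message itself lists ("executing a file with file capabilities"); since the point of the change is to stop readers from assuming setuid is the only trigger, consider adding that third example, e.g. `// security transition, or executing a file with file capabilities.` Also, the hunk changes only the comment above `UNSAFE_VARIABLE_NAMES` and does not show where the AT_SECURE auxv flag is actually consulted, so a short pointer to the code that reads the flag before calling `__is_unsafe_environment_variable` would let a reader verify the claim the comment now makes.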