From 3b81e1f2c331644ced87d26a943b22eed6242b8f Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 3 Nov 2016 10:53:51 -0400
Subject: security: env variables
---
 RELNOTES | 4 +++-
 src/firejail/bandwidth.c | 1 +
 src/firejail/fs_bin.c | 1 +
 src/firejail/fs_etc.c | 1 +
 src/firejail/netfilter.c | 3 +++
 src/firejail/run_symlink.c | 1 +
 src/firejail/sandbox.c | 16 ++++++++++------
 src/firejail/sbox.c | 1 +
 src/firejail/x11.c | 13 ++++++++++---
 9 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index 037f41a9b..3a9ccaa4b 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,8 +2,10 @@ firejail (0.9.45) baseline; urgency=low
 * development version, work in progress
 * security: overwrite /etc/resolv.conf found by Martin Carpenter
 * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+ * security: invalid environment exploit found by Martin Carpener
+ * security: split most of networking code in a separate executable
+ * security: split seccomp filter code code in a separate executable
 * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
- * feature: split most of networking code in a separate executable
 * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire
 * bugfixes
 -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 4a1df9c67..ab9714afe 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -462,6 +462,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 arg[1] = "-c";
 arg[2] = cmd;
 arg[3] = NULL;
+ assert(getenv("LD_PRELOAD") == NULL);
 execvp(arg[0], arg); // it will never get here
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index f59944735..d6fee0608 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
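Review bot: The new `assert(getenv("LD_PRELOAD") == NULL);` placed before `execvp(arg[0], arg);` compiles to nothing when the tree is built with `NDEBUG`, so the guard this security commit relies on is absent from exactly the builds that are likely to ship; the identical assert added in fs_bin.c, fs_etc.c, run_symlink.c, sandbox.c, sbox.c and x11.c has the same weakness. A check that survives release builds would be `if (getenv("LD_PRELOAD")) { fprintf(stderr, "Error: LD_PRELOAD set before exec\n"); _exit(1); }`, matching the `perror(); _exit(1);` failure style already used at these sites. Stronger still is handing the child an explicit environment via `execve`/`execvpe`, since `LD_PRELOAD` is only one of the `LD_*` variables the dynamic loader honours and the assert says nothing about the others. bandwidth_pid() starts before this hunk.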
@@ -191,6 +191,7 @@ static void duplicate(char *fname) {
 char *f;
 if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) errExit("asprintf");
+ assert(getenv("LD_PRELOAD") == NULL);
 execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL);
 perror("execlp");
 _exit(1);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index b86d5eb74..4f3417236 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -105,6 +105,7 @@ static void duplicate(char *fname) {
 char *f;
 if (asprintf(&f, "/etc/%s", fname) == -1) errExit("asprintf");
+ assert(getenv("LD_PRELOAD") == NULL);
 execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL);
 perror("execlp");
 _exit(1);
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index c1f9a2c37..efef45d90 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -144,6 +144,7 @@ void netfilter(const char *fname) {
 // wipe out environment variables
 environ = NULL;
+ assert(getenv("LD_PRELOAD") == NULL);
 execl(iptables_restore, iptables_restore, NULL);
 perror("execl");
 _exit(1);
@@ -163,6 +164,7 @@ void netfilter(const char *fname) {
 if (setregid(0, 0)) errExit("setregid");
 environ = NULL;
+ assert(getenv("LD_PRELOAD") == NULL);
 execl(iptables, iptables, "-vL", NULL);
 perror("execl");
 _exit(1);
@@ -257,6 +259,7 @@ void netfilter6(const char *fname) {
 // wipe out environment variables
 environ = NULL;
+ assert(getenv("LD_PRELOAD") == NULL);
 execl(ip6tables_restore, ip6tables_restore, NULL);
 perror("execl");
 _exit(1);
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 020e70b80..8aa2fe53f 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -106,6 +106,7 @@ void run_symlink(int argc, char **argv) {
 a[i + 2] = argv[i + 1];
 }
 a[i + 2] = NULL;
+ assert(getenv("LD_PRELOAD") == NULL);
 execvp(a[0], a);
 perror("execvp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3942e4da6..e3c95283d 100644
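Review bot: In the three netfilter.c hunks the added `assert(getenv("LD_PRELOAD") == NULL);` sits directly after `environ = NULL;`, and since glibc's getenv() walks `environ`, the assertion cannot fail there and verifies nothing beyond the line above it; the guarantee these hunks actually provide is the environ wipe, not the assert. If the line is meant as documentation, a comment says so more honestly than a check that can never fire, e.g. `// environ was cleared above; the exec inherits an empty environment`. If it is meant to detect an LD_PRELOAD that was present, it has to run before `environ = NULL;` (or in the caller), where the value is still observable. netfilter() and netfilter6() both begin and continue outside these hunks.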
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -260,6 +260,7 @@ void start_audit(void) {
 char *audit_prog;
 if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) errExit("asprintf");
+ assert(getenv("LD_PRELOAD") == NULL);
 execl(audit_prog, audit_prog, NULL);
 perror("execl");
 exit(1);
@@ -268,6 +269,15 @@ void start_audit(void) {
 void start_application(void) {
 //if (setsid() == -1)
 //errExit("setsid");
+
+ // set environment
+ env_defaults();
+ env_apply();
+ if (arg_debug) {
+ printf("starting application\n");
+ printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
+ }
+
 //****************************************
 // audit
 //****************************************
@@ -787,12 +797,6 @@ assert(0);
 }
 }
- // set environment
- env_defaults();
-
- // set user-supplied environment variables
- env_apply();
-
 // set nice
 if (arg_nice) {
 errno = 0;
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 6499b7005..a5a067090 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -165,6 +165,7 @@ int sbox_run(unsigned filter, int num, ...) {
 else if (filter & SBOX_USER) drop_privs(1);
+ assert(getenv("LD_PRELOAD") == NULL);
 if (arg[0]) // get rid of scan-build warning
 execvp(arg[0], arg);
 else
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index c79f1a74e..6cba95501 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -311,7 +311,8 @@ void x11_start_xephyr(int argc, char **argv) {
 if (server == 0) {
 if (arg_debug) printf("Starting xephyr...\n");
-
+
+ assert(getenv("LD_PRELOAD") == NULL);
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -353,6 +354,7 @@ void x11_start_xephyr(int argc, char **argv) {
 if (!arg_quiet) printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
+ assert(getenv("LD_PRELOAD") == NULL);
 execvp(jail_argv[0], jail_argv);
 perror("execvp");
 _exit(1);
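Review bot: In start_application() the new debug line `printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));` passes a NULL pointer to `%s` whenever the variable is unset, which after env_defaults()/env_apply() is presumably the normal case and the very case the line exists to show; glibc prints `(null)`, but the C standard leaves it undefined. Use `const char *ld = getenv("LD_PRELOAD"); printf("LD_PRELOAD=%s\n", ld ? ld : "(unset)");`. The second and third hunks move env_defaults()/env_apply() from the end of the function to its start, so the user-supplied variables are in place while the audit and everything after it run; a one-line comment stating that this ordering is deliberate, e.g. `// environment must be final before the audit and exec paths below`, would keep a later cleanup from moving it back. start_application() continues past these hunks.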
@@ -432,6 +434,7 @@ void x11_start_xpra(int argc, char **argv) {
 dup2(fd_null,2);
 }
+ assert(getenv("LD_PRELOAD") == NULL);
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -478,6 +481,7 @@ void x11_start_xpra(int argc, char **argv) {
 if (!arg_quiet) printf("\n*** Attaching to xpra display %d ***\n\n", display);
+ assert(getenv("LD_PRELOAD") == NULL);
 execvp(attach_argv[0], attach_argv);
 perror("execvp");
 _exit(1);
@@ -508,6 +512,7 @@ void x11_start_xpra(int argc, char **argv) {
 if (jail < 0) errExit("fork");
 if (jail == 0) {
+ assert(getenv("LD_PRELOAD") == NULL);
 if (firejail_argv[0]) // shut up llvm scan-build
 execvp(firejail_argv[0], firejail_argv);
 perror("execvp");
@@ -534,6 +539,7 @@ void x11_start_xpra(int argc, char **argv) {
 dup2(fd_null,1);
 dup2(fd_null,2);
 }
+ assert(getenv("LD_PRELOAD") == NULL);
 execvp(stop_argv[0], stop_argv);
 perror("execvp");
 _exit(1);
@@ -664,11 +670,12 @@ void x11_xorg(void) {
 errExit("setreuid");
 if (setregid(0, 0) < 0) errExit("setregid");
-
 char *display = getenv("DISPLAY");
 if (!display) display = ":0.0";
-
+
+ assert(getenv("LD_PRELOAD") == NULL);
 execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
-- cgit v1.2.3-54-g00ecf
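Review bot: The same `assert(getenv("LD_PRELOAD") == NULL);` is pasted by hand before each of the five exec calls in these x11.c hunks (and twice more in x11_start_xephyr), so any later change to the check — making it unconditional or widening it beyond LD_PRELOAD — has to be repeated at every site. A small helper, e.g. `static void check_exec_env(void)` holding the check and called immediately before each `execvp`/`execlp`, leaves one definition to review. In x11_xorg() the `display` string handed to xauth is read from that same environment a few lines earlier, after `setreuid(0, 0)`; it is passed as an argv element rather than through a shell, but the assert does not cover it, and a comment noting that xauth runs with root credentials on a caller-supplied display name would help a reader judge that path. x11_start_xpra() and x11_xorg() both begin before and continue after these hunks.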