Sanitize environment variables?


Angus

Aug 20, 2020, 8:33:54 AM
to minijail
When running /bin/env there appears to be information being leaked to the jailed process.

It doesn't appear like minijail does any sanitization of the environment variable space. And there is no flag to do this.

It also helpfully informs the process that it's jailed with: __MINIJAIL_FD=4 unless T=static is specified.

The problem is resolved by running all commands with /bin/env -i but this is not ideal.

Mike Frysinger

Aug 22, 2020, 2:57:52 AM
to minijail
you are correct that the minijail0 program today offers no options for tweaking the environment (akin to `env`).  it's trivial to run `env` either outside or inside minijail0, so it doesn't seem like a big deal.  but if you wanted to send a CL to add a few CLI options to --env-unset/--env-set/--env-clear, that should be fine.

the C library API already has support for passing in custom environments if people want.

i don't know what you mean precisely by "sanitizing the environment", but i don't see minijail0 ever trying to implement a policy of scrubbing the env of vars as it'll vary wildly between people as to what they would expect should be kept or removed.

we should be able to tweak the code to unset __MINIJAIL_FD like we do with LD_PRELOAD.  if you're executing an unknown program, the fact that it can see __MINIJAIL_FD in its env is meaningless.  if it really wanted to try to detect whether it was being "sandboxed", there are plenty of other ways to probe that information via /proc/ or your own memory map.
-mike
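
The `env -i` workaround discussed above, extended to an allowlist so the caller decides which variables survive. This is an added example, not code from minijail or from either poster; `run_clean_env` is a hypothetical helper name and `API_TOKEN` is a constructed sample secret. The command words can be your own `minijail0` command line.

```shell
#!/bin/sh
# Added example (not minijail code): run a command with an allowlisted
# environment, i.e. the `env -i` workaround with an explicit keep-list.
# run_clean_env is a hypothetical helper name.
#
# usage: run_clean_env "NAME1 NAME2 ..." command [args...]
run_clean_env() (
    [ "$#" -ge 2 ] || { echo "usage: run_clean_env 'NAMES' cmd [args]" >&2; exit 2; }
    set -f                          # no globbing while splitting the allowlist
    _allow=$1; shift
    _n=$#                           # number of command words
    for _name in $_allow; do
        # Accept only valid variable names, so the eval below is safe.
        case $_name in
            [0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        eval "_set=\${$_name+x}"
        [ -n "$_set" ] || continue  # unset in the caller: nothing to pass
        eval "_val=\$$_name"
        set -- "$@" "$_name=$_val"  # append NAME=value after the command
    done
    # Rotate the command words to the end: NAME=value... command args...
    while [ "$_n" -gt 0 ]; do
        _w=$1; shift
        set -- "$@" "$_w"
        _n=$((_n - 1))
    done
    exec env -i "$@"                # child starts from an empty environment
)

# Constructed demo: API_TOKEN is a made-up secret that must not reach the child.
API_TOKEN=constructed-secret; export API_TOKEN
run_clean_env "PATH LANG" env
```

Everything not named in the first argument is dropped, including variables the caller did not know were set.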


Mike Frysinger

Aug 24, 2020, 5:56:34 PM
to minijail
i've fixed up the __MINIJAIL_FD leakage in the latest git version.  thanks for pointing it out.
https://r.android.com/1407288
-mike

Mike Frysinger

Aug 28, 2020, 12:45:55 AM
to minijail
looks like someone has already posted a CL to implement these env options in `minijail0`
