AppArmor如何进行“环境清理"? [英] How does AppArmor do "Environment Scrubbing"?

问题描述

AppArmor文档提到了使应用程序能够执行带有或不带有环境清理的其他程序的功能.显然，经过清理的环境更安全，但是文档似乎并未确切指定环境清理的发生方式.

什么是环境清理?AppArmor做什么来清理环境?

解决方案

环境清理"是删除各种可能会影响二进制文件行为的危险"环境变量-例如，LD_PRELOAD可以用于使动态链接器引入代码，这些代码实际上可以对程序的运行进行任意更改；可以设置一些变量以将跟踪输出输出到具有众所周知名称的文件；等

作为安全措施，通常对setuid/setgid二进制文件执行此清理操作，但是内核提供了一个挂钩，以允许安全模块也为任意其他二进制文件启用它.

内核的ELF加载程序代码使用此代码钩子来设置要传递给二进制文件的信息的辅助向量"中的AT_SECURE条目. (请参见此处和此处 AppArmor代码中该钩子的作用.)

在用户空间中开始执行时，动态链接程序代码的主体，并导致 解决方案

"Environment scrubbing" is the removal of various "dangerous" environment variables which may be used to affect the behaviour of a binary - for example, LD_PRELOAD can be used to make the dynamic linker pull in code which can make essentially arbitrary changes to the running of a program; some variables can be set to cause trace output to files with well-known names; etc.

This scrubbing is normally performed for setuid/setgid binaries as a security measure, but the kernel provides a hook to allow security modules to enable it for arbitrary other binaries as well.

The kernel's ELF loader code uses this hook to set the AT_SECURE entry in the "auxiliary vector" of information which is passed to the binary. (See here and here for the implementation of this hook in the AppArmor code.)

As execution starts in userspace, the dynamic linker picks up this value and uses it to set the __libc_enable_secure flag; you'll see that the same routine also contains the code which sets this flag for setuid/setgid binaries. (There is equivalent code elsewhere for binaries which are statically linked.)

__libc_enable_secure affects a number of places in the main body of the dynamic linker code, and causes a list of specific environment variables to be removed.

这篇关于AppArmor如何进行“环境清理"?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！