libc_init_common.cpp: Clarify when environment stripping occurs

The current comment implies that we only strip sensitive environment variables on executing a setuid program. This is true but incomplete. The AT_SECURE flag is set whenever a security transition occurs, such as executing a setuid program, SELinux security transition, executing a file with file capabilities, etc... Fixup the comments. Change-Id: I30a73992adfde14d6e5f642b3a1ead2ee56726be
2015-11-10 16:39:29 -08:00 · 2015-11-10 16:39:29 -08:00 · 2fb02651c8
commit 2fb02651c8
parent 2a7f1b335d
1 changed files with 5 additions and 1 deletions
--- a/libc/bionic/libc_init_common.cpp
+++ b/libc/bionic/libc_init_common.cpp
@ -245,7 +245,11 @@ static bool __is_valid_environment_variable(const char* name) {
 }

 static bool __is_unsafe_environment_variable(const char* name) {
-  // None of these should be allowed in setuid programs.
+  // None of these should be allowed when the AT_SECURE auxv
+  // flag is set. This flag is set to inform userspace that a
+  // security transition has occurred, for example, as a result
+  // of executing a setuid program or the result of an SELinux
+  // security transition.
  static constexpr const char* UNSAFE_VARIABLE_NAMES[] = {
    "GCONV_PATH",
    "GETCONF_DIR",