mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-21 20:15:17 +00:00
Block all use of getenv with syntax-check
The use of getenv is typically insecure, and we want people to use our wrappers, to force them to think about setuid needs. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 71b21f12bece1127b28b404f11f57b4c2d48983a)
This commit is contained in:
parent
97f3a8d878
commit
d47659dcc2
8
cfg.mk
8
cfg.mk
@ -842,6 +842,11 @@ sc_prohibit_unbounded_arrays_in_rpc:
|
||||
halt='Arrays in XDR must have a upper limit set for <NNN>' \
|
||||
$(_sc_search_regexp)
|
||||
|
||||
sc_prohibit_getenv:
|
||||
@prohibit='\b(secure_)?getenv *\(' \
|
||||
exclude='exempt from syntax-check' \
|
||||
halt='Use virGetEnv{Allow,Block}SUID instead of getenv' \
|
||||
$(_sc_search_regexp)
|
||||
|
||||
# We don't use this feature of maint.mk.
|
||||
prev_version_file = /dev/null
|
||||
@ -1011,3 +1016,6 @@ exclude_file_name_regexp--sc_prohibit_include_public_headers_brackets = \
|
||||
|
||||
exclude_file_name_regexp--sc_prohibit_int_ijk = \
|
||||
^(src/remote_protocol-structs|src/remote/remote_protocol.x|cfg.mk|include/)$
|
||||
|
||||
exclude_file_name_regexp--sc_prohibit_getenv = \
|
||||
^tests/.*\.[ch]$$
|
||||
|
@ -2128,7 +2128,7 @@ cleanup:
|
||||
*/
|
||||
const char *virGetEnvBlockSUID(const char *name)
|
||||
{
|
||||
return secure_getenv(name);
|
||||
return secure_getenv(name); /* exempt from syntax-check-rules */
|
||||
}
|
||||
|
||||
|
||||
@ -2142,7 +2142,7 @@ const char *virGetEnvBlockSUID(const char *name)
|
||||
*/
|
||||
const char *virGetEnvAllowSUID(const char *name)
|
||||
{
|
||||
return getenv(name);
|
||||
return getenv(name); /* exempt from syntax-check-rules */
|
||||
}
|
||||
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user