Clear environment variables for nacl_helper

components/nacl/zygote/nacl_fork_delegate_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/zygote/nacl_fork_delegate_linux.h"
 
 #include <signal.h>
 #include <stdlib.h>
 #include <sys/resource.h>
 #include <sys/socket.h>
 
 #include <set>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/cpu.h"
 #include "base/files/file_path.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/scoped_vector.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/posix/global_descriptors.h"
 #include "base/posix/unix_domain_socket_linux.h"
 #include "base/process/kill.h"
 #include "base/process/launch.h"
+#include "base/strings/string_split.h"
 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
 #include "build/build_config.h"
 #include "components/nacl/common/nacl_nonsfi_util.h"
 #include "components/nacl/common/nacl_paths.h"
 #include "components/nacl/common/nacl_switches.h"
 #include "components/nacl/loader/nacl_helper_linux.h"
 #include "content/public/common/content_descriptors.h"
 #include "content/public/common/content_switches.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
 namespace {
 
 // Note these need to match up with their counterparts in nacl_helper_linux.c
 // and nacl_helper_bootstrap_linux.c.
 const char kNaClHelperReservedAtZero[] =
     "--reserved_at_zero=0xXXXXXXXXXXXXXXXX";
 const char kNaClHelperRDebug[] = "--r_debug=0xXXXXXXXXXXXXXXXX";
 
+// This is an environment variable which controls which (if any) other
+// environment variables are passed through to NaCl processes.  e.g.,
+// NACL_ENV_PASSTHROUGH="PATH PWD" would pass both $PATH and $PWD to the child
+// process.
+const char kNaClEnvPassthrough[] = "NACL_ENV_PASSTHROUGH";
+char kNaClEnvPassthroughDelimiter = ',';
+
+// The following environment variables are always passed through if they exist
+// in the parent process.
+const char kNaClExeStderr[] = "NACL_EXE_STDERR";
+const char kNaClExeStdout[] = "NACL_EXE_STDOUT";
+const char kNaClVerbosity[] = "NACLVERBOSITY";
+
 #if defined(ARCH_CPU_X86)
 bool NonZeroSegmentBaseIsSlow() {
   base::CPU cpuid;
   // Using a non-zero segment base is known to be very slow on Intel
   // Atom CPUs.  See "Segmentation-based Memory Protection Mechanism
   // on Intel Atom Microarchitecture: Coding Optimizations" (Leonardo
   // Potenza, Intel).
   //
   // The following list of CPU model numbers is taken from:
   // "Intel 64 and IA-32 Architectures Software Developer's Manual"
@@ skipping 179 matching lines @@
     // The NaCl processes spawned may need to exceed the ambient soft limit
     // on RLIMIT_AS to allocate the untrusted address space and its guard
     // regions.  The nacl_helper itself cannot just raise its own limit,
     // because the existing limit may prevent the initial exec of
     // nacl_helper_bootstrap from succeeding, with its large address space
     // reservation.
     std::vector<int> max_these_limits;
     max_these_limits.push_back(RLIMIT_AS);
     options.maximize_rlimits = &max_these_limits;
 
+    // To avoid information leaks in Non-SFI mode, clear the environment for
+    // the NaCl Helper process.
+    options.clear_environ = true;
+    AddPassthroughEnvToOptions(options);
+
     if (!base::LaunchProcess(argv_to_launch, options, NULL))
       status_ = kNaClHelperLaunchFailed;
     // parent and error cases are handled below
 
     if (enable_layer1_sandbox) {
       // Sanity check that dummy_fd was kept alive for LaunchProcess.
       DCHECK(dummy_fd.is_valid());
     }
   }
   if (IGNORE_EINTR(close(fds[1])) != 0)
@@ skipping 135 matching lines @@
   if (!iter.ReadInt(&remote_exit_code)) {
     LOG(ERROR) << "GetTerminationStatus: pickle failed";
     return false;
   }
 
   *status = static_cast<base::TerminationStatus>(termination_status);
   *exit_code = remote_exit_code;
   return true;
 }
 
+// static
+void NaClForkDelegate::AddPassthroughEnvToOptions(
+    base::LaunchOptions& options) {
+  scoped_ptr<base::Environment> env(base::Environment::Create());
+  std::string pass_through_string;
+  std::vector<std::string> pass_through_vars;
+  if (env->GetVar(kNaClEnvPassthrough, &pass_through_string)) {
+    base::SplitString(
+        pass_through_string, kNaClEnvPassthroughDelimiter, &pass_through_vars);
+  }
+  pass_through_vars.push_back(kNaClExeStderr);
+  pass_through_vars.push_back(kNaClExeStdout);
+  pass_through_vars.push_back(kNaClVerbosity);
+  for (size_t i = 0; i < pass_through_vars.size(); ++i) {
+    std::string temp;
+    if (env->GetVar(pass_through_vars[i].c_str(), &temp))
+      options.environ[pass_through_vars[i]] = temp;
+  }
+}
+
 }  // namespace nacl