coreutils: Protect against env -a for security

Author: oech3

Cargo.toml

@@ -422,6 +422,7 @@ clap_mangen = { workspace = true, optional = true }
 clap.workspace = true
 fluent-syntax = { workspace = true, optional = true }
 itertools.workspace = true
+libc.workspace = true
 phf.workspace = true
 selinux = { workspace = true, optional = true }
 textwrap.workspace = true

src/bin/coreutils.rs

@@ -55,8 +55,12 @@ fn main() {
     let is_coreutils = binary_as_util.ends_with("utils");
     let matched_util = utils
         .keys()
+        //*utils is not ls
         .filter(|&&u| binary_as_util.ends_with(u) && !is_coreutils)
-        .max_by_key(|u| u.len()); //Prefer stty more than tty. *utils is not ls
+        //Prefer stty more than tty
+        .max_by_key(|u| u.len())
+        // todo: with coreutils -> ls -> blah symlink chain, blah calls ls
+        ;
 
     let util_name = if let Some(&util) = matched_util {
         Some(OsString::from(util))

src/common/validation.rs

@@ -3,7 +3,7 @@
 // For the full copyright and license information, please view the LICENSE
 // file that was distributed with this source code.
 
-// spell-checker:ignore prefixcat testcat
+// spell-checker:ignore prefixcat testcat getauxval EXECFN
 
 use std::ffi::{OsStr, OsString};
 use std::path::{Path, PathBuf};
@@ -67,15 +67,29 @@ fn get_canonical_util_name(util_name: &str) -> &str {
 }
 
 /// Gets the binary path from command line arguments
-/// # Panics
 /// Panics if the binary path cannot be determined
+#[cfg(not(any(target_os = "linux", target_os = "android")))]
 pub fn binary_path(args: &mut impl Iterator<Item = OsString>) -> PathBuf {
     match args.next() {
         Some(ref s) if !s.is_empty() => PathBuf::from(s),
         _ => std::env::current_exe().unwrap(),
     }
 }
-
+/// protect against env -a
+#[cfg(any(target_os = "linux", target_os = "android"))]
+pub fn binary_path(args: &mut impl Iterator<Item = OsString>) -> PathBuf {
+    use std::ffi::{CStr, OsString};
+    use std::os::unix::ffi::OsStringExt;
+    let p: *const libc::c_char = unsafe { libc::getauxval(libc::AT_EXECFN) as _ };
+    if p.is_null() {
+		use std::io::{Write as _, stderr};
+        let _ = writeln!(stderr(), "getauxval failed");
+        process::exit(1);
+    }
+    let _ = args.next();
+    let n = unsafe { CStr::from_ptr(p) };
+    OsString::from_vec(n.to_bytes().to_vec()).into()
+}
 /// Extracts the binary name from a path
 pub fn name(binary_path: &Path) -> Option<&str> {
     binary_path.file_stem()?.to_str()

tests/by-util/test_env.rs

@@ -722,7 +722,11 @@ fn test_env_with_empty_executable_double_quotes() {
 }
 
 #[test]
-#[cfg(all(unix, feature = "dirname", feature = "echo"))]
+#[cfg(all(
+    all(unix, feature = "dirname", feature = "echo"),
+    not(any(target_os = "linux", target_os = "android"))
+))]
+// protected against hijack at Linux
 fn test_env_overwrite_arg0() {
     let ts = TestScenario::new(util_name!());
 
@@ -746,7 +750,11 @@ fn test_env_overwrite_arg0() {
 }
 
 #[test]
-#[cfg(all(unix, feature = "echo"))]
+#[cfg(all(
+    all(unix, feature = "echo"),
+    not(any(target_os = "linux", target_os = "android"))
+))]
+// protected against hijack at Linux
 fn test_env_arg_argv0_overwrite() {
     let ts = TestScenario::new(util_name!());
 
@@ -794,7 +802,11 @@ fn test_env_arg_argv0_overwrite() {
 }
 
 #[test]
-#[cfg(all(unix, feature = "echo"))]
+#[cfg(all(
+    all(unix, feature = "echo"),
+    not(any(target_os = "linux", target_os = "android"))
+))]
+// protected against hijack at Linux
 fn test_env_arg_argv0_overwrite_mixed_with_string_args() {
     let ts = TestScenario::new(util_name!());