libgirepository: Refuse to run in setuid applications

We know of at least one privilege escalation path via `GI_TYPELIB_PATH`. I don't want to audit for others. If someone shows up with a use case we can talk. https://bugzilla.gnome.org/show_bug.cgi?id=755472
author: Colin Walters <walters@verbum.org> 2015-09-23 14:07:21 -0400
committer: Colin Walters <walters@verbum.org> 2015-09-24 11:10:36 -0400
commit: 98bb6c91b710a95efe4cfeb303daeec3381b9c98 (patch)
tree: cafda36fc8bb8a753103a9e0dcb9864a15e65f9f /girepository
parent: 6d0d9938e34df351615d644ea3d2fc667fa6a22f (diff)
download: gobject-introspection-98bb6c91b710a95efe4cfeb303daeec3381b9c98.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/girepository/girepository.c b/girepository/girepository.c
index 4723c951..97074a8c 100644
--- a/girepository/girepository.c
+++ b/girepository/girepository.c
@@ -27,6 +27,10 @@
 #include <string.h>
 #include <stdlib.h>
 
+#ifdef HAVE_GETAUXVAL
+#include <sys/auxv.h>
+#endif
+
 #include <glib.h>
 #include <glib/gprintf.h>
 #include <gmodule.h>
@@ -147,6 +151,14 @@ init_globals (void)
   if (!g_once_init_enter (&initialized))
     return;
 
+#ifdef HAVE_GETAUXVAL
+  if (getauxval (AT_SECURE))
+    {
+      g_printerr ("error: libgirepository.so (gobject-introspection) is not audited for use in setuid applications\nSee https://bugzilla.gnome.org/show_bug.cgi?id=755472\n");
+      _exit (1);
+    }
+#endif
+
   if (default_repository == NULL)
     default_repository = g_object_new (G_TYPE_IREPOSITORY, NULL);
author	Colin Walters <walters@verbum.org>	2015-09-23 14:07:21 -0400
committer	Colin Walters <walters@verbum.org>	2015-09-24 11:10:36 -0400
commit	98bb6c91b710a95efe4cfeb303daeec3381b9c98 (patch)
tree	cafda36fc8bb8a753103a9e0dcb9864a15e65f9f /girepository
parent	6d0d9938e34df351615d644ea3d2fc667fa6a22f (diff)
download	gobject-introspection-98bb6c91b710a95efe4cfeb303daeec3381b9c98.tar.gz