Files
src/stand/libsa/environment.c
T
Simon J. Gerraty a371b008d1 Add boot_setenv
Move is_restricted_var() to libsa/environment.c so it can be leveraged
by boot_setenv called from subr_boot with not truted input.

Also, allow for local tuning via ENV_IS_RESTRICTED_ALLOWED_LIST and
ENV_IS_RESTRICTED_LIST

Sponsored by:	Hewlett Packard Enterprise Development LP.

Reviewed by:	kevans, imp
Differential Revision:	https://reviews.freebsd.org/D56287
2026-04-07 09:29:07 -07:00

306 lines
7.0 KiB
C

/*
* Copyright (c) 1998 Michael Smith.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* Manage an environment-like space in which string variables may be stored.
* Provide support for some method-like operations for setting/retrieving
* variables in order to allow some type strength.
*/
#include "stand.h"
#include <string.h>
struct env_var *environ = NULL;
/*
* Look up (name) and return it's env_var structure.
*/
struct env_var *
env_getenv(const char *name)
{
struct env_var *ev;
for (ev = environ; ev != NULL; ev = ev->ev_next)
if (!strcmp(ev->ev_name, name))
break;
return (ev);
}
/*
* Some notes:
*
* If the EV_VOLATILE flag is set, a copy of the variable is made.
* If EV_DYNAMIC is set, the variable has been allocated with
* malloc and ownership transferred to the environment.
* If (value) is NULL, the variable is set but has no value.
*/
int
env_setenv(const char *name, int flags, const void *value,
ev_sethook_t sethook, ev_unsethook_t unsethook)
{
struct env_var *ev, *curr, *last;
if ((ev = env_getenv(name)) != NULL) {
/*
* If the new value doesn't have NOKENV set, we'll drop the flag
* if it's set on the entry so that the override propagates
* correctly. We do this *before* sending it to the hook in
* case the hook declines to operate on it (e.g., because the
* value matches what was already set) -- we would still want
* the explicitly set value to propagate.
*/
if (!(flags & EV_NOKENV))
ev->ev_flags &= ~EV_NOKENV;
/*
* If there's a set hook, let it do the work
* (unless we are working for one already).
*/
if ((ev->ev_sethook != NULL) && !(flags & EV_NOHOOK))
return (ev->ev_sethook(ev, flags, value));
/* If there is data in the variable, discard it. */
if (ev->ev_value != NULL && (ev->ev_flags & EV_DYNAMIC) != 0)
free(ev->ev_value);
ev->ev_value = NULL;
ev->ev_flags &= ~EV_DYNAMIC;
} else {
/*
* New variable; create and sort into list
*/
ev = malloc(sizeof(struct env_var));
ev->ev_name = strdup(name);
ev->ev_value = NULL;
ev->ev_flags = 0;
/* hooks can only be set when the variable is instantiated */
ev->ev_sethook = sethook;
ev->ev_unsethook = unsethook;
/* Sort into list */
ev->ev_prev = NULL;
ev->ev_next = NULL;
/* Search for the record to insert before */
for (last = NULL, curr = environ; curr != NULL;
last = curr, curr = curr->ev_next) {
if (strcmp(ev->ev_name, curr->ev_name) < 0) {
if (curr->ev_prev) {
curr->ev_prev->ev_next = ev;
} else {
environ = ev;
}
ev->ev_next = curr;
ev->ev_prev = curr->ev_prev;
curr->ev_prev = ev;
break;
}
}
if (curr == NULL) {
if (last == NULL) {
environ = ev;
} else {
last->ev_next = ev;
ev->ev_prev = last;
}
}
}
/* If we have a new value, use it */
if (flags & EV_VOLATILE) {
ev->ev_value = strdup(value);
flags |= EV_DYNAMIC;
} else {
ev->ev_value = (char *)value;
}
ev->ev_flags |= flags & (EV_DYNAMIC | EV_NOKENV);
return (0);
}
/* coverity[ -tainted_string_return_content ] */
char *
getenv(const char *name)
{
struct env_var *ev;
/* Set but no value gives empty string */
if ((ev = env_getenv(name)) != NULL) {
if (ev->ev_value != NULL)
return (ev->ev_value);
return ("");
}
return (NULL);
}
int
setenv(const char *name, const char *value, int overwrite)
{
/* No guarantees about state, always assume volatile */
if (overwrite || (env_getenv(name) == NULL))
return (env_setenv(name, EV_VOLATILE, value, NULL, NULL));
return (0);
}
int
putenv(char *string)
{
char *value, *copy;
int result;
copy = strdup(string);
if ((value = strchr(copy, '=')) != NULL)
*(value++) = 0;
result = setenv(copy, value, 1);
free(copy);
return (result);
}
int
unsetenv(const char *name)
{
struct env_var *ev;
int err;
err = 0;
if ((ev = env_getenv(name)) == NULL) {
err = ENOENT;
} else {
if (ev->ev_unsethook != NULL)
err = ev->ev_unsethook(ev);
if (err == 0) {
env_discard(ev);
}
}
return (err);
}
void
env_discard(struct env_var *ev)
{
if (ev->ev_prev)
ev->ev_prev->ev_next = ev->ev_next;
if (ev->ev_next)
ev->ev_next->ev_prev = ev->ev_prev;
if (environ == ev)
environ = ev->ev_next;
free(ev->ev_name);
if (ev->ev_value != NULL && (ev->ev_flags & EV_DYNAMIC) != 0)
free(ev->ev_value);
free(ev);
}
int
env_noset(struct env_var *ev __unused, int flags __unused,
const void *value __unused)
{
return (EPERM);
}
bool
is_restricted_var(const char *name)
{
/*
* We impose restrictions if input is not verified/trusted
* allowing for exceptions.
* These entries should probably include the '='
*/
const char *allowed[] = {
"boot_function=",
"boot_phase=",
"boot_recover_cli=",
"boot_recover_volume=",
"boot_safe=",
"boot_set=",
"boot_single=",
"boot_verbose=",
#ifdef ENV_IS_RESTRICTED_ALLOWED_LIST
ENV_IS_RESTRICTED_ALLOWED_LIST,
#endif
NULL,
};
/*
* These are prefixes we want to be careful with.
*/
const char *restricted[] = {
"boot",
"init",
"loader.ve.",
"rootfs",
"secur",
"vfs.",
#ifdef ENV_IS_RESTRICTED_LIST
ENV_IS_RESTRICTED_LIST,
#endif
NULL,
};
const char **cp;
int ok = -1;
for (cp = restricted; *cp; cp++) {
if (strncmp(name, *cp, strlen(*cp)) == 0) {
ok = 0;
break;
}
}
if (!ok) {
for (cp = allowed; *cp; cp++) {
if (strncmp(name, *cp, strlen(*cp)) == 0) {
ok = 1;
break;
}
}
}
return (ok == 0);
}
static bool check_restricted = false;
void
set_check_restricted(bool b)
{
check_restricted = b;
}
/* called from subr_boot with not quite trusted input */
int
boot_setenv(const char *name, const char *value)
{
if (check_restricted && is_restricted_var(name)) {
errno = EPERM;
return -1;
}
return setenv(name, value, 1);
}
int
env_nounset(struct env_var *ev __unused)
{
return (EPERM);
}