coreutils: Protect against env -a for security

[oech3]

env -a false ls does not fail. Works under masked /proc.
Closes #10135

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Skipping an intermittent issue tests/misc/usage_vs_getopt (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/shuf/shuf-reservoir (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/sort/sort-stale-thread-mem (passes in this run but fails in the 'main' branch)
Note: The gnu test tests/basenc/bounded-memory is now being skipped but was previously passing.

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/shuf/shuf-reservoir (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/sort/sort-stale-thread-mem (fails in this run but passes in the 'main' branch)

[codspeed-hq]

Merging this PR will not alter performance

✅ 298 untouched benchmarks
⏩ 48 skipped benchmarks¹

---

_{Comparing oech3:auxval (2d60946) with main (d202b45)}

Footnotes

1. 48 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/cut/bounded-memory. tests/cut/bounded-memory is passing on 'main'. Maybe you have to rebase?
Congrats! The gnu test tests/pr/bounded-memory is no longer failing!

[ChrisDryden]

I think it would make sense for this code to go into the validation.rs file instead of in the main.rs, then you don't have to worry about importing libc.

It would be good to have an additional integration test that shows the env -a working

[github-actions]

GNU testsuite comparison:

Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/shuf/shuf-reservoir (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/sort/sort-stale-thread-mem (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/cut/bounded-memory. tests/cut/bounded-memory is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/pr/bounded-memory. tests/pr/bounded-memory is passing on 'main'. Maybe you have to rebase?
Congrats! The gnu test tests/tail/tail-n0f is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skipping an intermittent issue tests/tail/follow-name (passes in this run but fails in the 'main' branch)

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Skip an intermittent issue tests/pr/bounded-memory (was skipped on 'main', now failing)

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/cp/parent-perm-race. tests/cp/parent-perm-race is passing on 'main'. Maybe you have to rebase?
GNU test failed: tests/env/env. tests/env/env is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/csplit/csplit-heap is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Skip an intermittent issue tests/pr/bounded-memory (was skipped on 'main', now failing)

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/rm/many-dir-entries-vs-OOM is now being skipped but was previously passing.
Note: The gnu test tests/seq/seq-epipe is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Note: The gnu test tests/tail/tail-n0f is now being skipped but was previously passing.
Congrats! The gnu test tests/pr/bounded-memory is now passing!

[oech3]

I was considering calling true under the symlink chain:
invalid-name -> coreutils -> true for better symlink support.
Does it cover some usecase for shebang call?

[oech3]

Is read()ing #! faster than reading /proc/self/exe?

[oech3]

I did too many conversion for file pathes. Please drop them by review...

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Congrats! The gnu test tests/tail/pipe-f is now passing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/misc/io-errors. tests/misc/io-errors is passing on 'main'. Maybe you have to rebase?
Skipping an intermittent issue tests/date/date-locale-hour (passes in this run but fails in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/cut/cut-huge-range is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Note: The gnu test tests/tail/tail-n0f is now being skipped but was previously passing.
Note: The gnu test tests/env/env-signal-handler was skipped on 'main' but is now failing.

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/date/resolution (fails in this run but passes in the 'main' branch)
Skipping an intermittent issue tests/pr/bounded-memory (passes in this run but fails in the 'main' branch)
Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.
Note: The gnu test tests/env/env-signal-handler was skipped on 'main' but is now failing.

[github-actions]

GNU testsuite comparison:

Note: The gnu test tests/cp/copy-FMR is now being skipped but was previously passing.
Note: The gnu test tests/dd/no-allocate is now being skipped but was previously passing.
Note: The gnu test tests/shuf/shuf-reservoir is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-stale-thread-mem is now being skipped but was previously passing.
Note: The gnu test tests/sort/sort-u-FMR is now being skipped but was previously passing.

[oech3]

is this ok?

[oech3]

@Ecordonnier ok?

[sylvestre]

same comment about rustix ?
why not libc or nix?

[oech3]

In this case, nix or libc's getauxval can be hijacked by LD_PRELOAD. Directly scanning stack prevends it.

[oech3]

#10773 (comment)

[sylvestre]

seems overkill to add rustix for this for now

[oech3]

Why? Multi-call binary is called many times. We should bypass overhead of linker if possible. Also this is already part of dependency tree.

[sylvestre]

i would prefer we extract the code/method from rustix to do it here

[oech3]

Extracting AT_EXECFN is low-level operation. We would achieve unsafe and magic constant.