The wording of 'scrubbing environment' implied that all environment variables would be removed, when instead secure-execution mode only removes a small number of environment variables. This patch updates the wording to describe what actually occurs instead: setting AT_SECURE for ld.so's secure-execution mode.
Link: https://gitlab.com/apparmor/apparmor/-/merge_requests/1315 is a merge request that does similar updating for apparmor userspace. Signed-off-by: Ryan Lee <ryan....@canonical.com> --- security/apparmor/domain.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 9914a2b130de..c89f4222f2e9 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -720,8 +720,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, if (!(perms.xindex & AA_X_UNSAFE)) { if (DEBUG_ON) { - dbg_printk("apparmor: scrubbing environment variables" - " for %s profile=", name); + dbg_printk("apparmor: setting AT_SECURE " + "for %s profile=", name); aa_label_printk(new, GFP_KERNEL); dbg_printk("\n"); } @@ -799,8 +799,8 @@ static int profile_onexec(const struct cred *subj_cred, if (!(perms.xindex & AA_X_UNSAFE)) { if (DEBUG_ON) { - dbg_printk("apparmor: scrubbing environment " - "variables for %s label=", xname); + dbg_printk("apparmor: setting AT_SECURE for " + "%s label=", xname); aa_label_printk(onexec, GFP_KERNEL); dbg_printk("\n"); } @@ -970,7 +970,7 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm) if (unsafe) { if (DEBUG_ON) { - dbg_printk("scrubbing environment variables for %s " + dbg_printk("setting AT_SECURE for %s " "label=", bprm->filename); aa_label_printk(new, GFP_KERNEL); dbg_printk("\n"); -- 2.43.0
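Review bot: In the profile_transition() hunk (@@ -720,8), the new message is still split across two string literals, "apparmor: setting AT_SECURE " and "for %s profile=", so grepping the source for the full message text finds nothing. Kernel coding style asks that user-visible strings not be broken across lines for that reason. Since both lines are rewritten here anyway, consider a single literal: dbg_printk("apparmor: setting AT_SECURE for %s profile=", name);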
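Review bot: In the profile_onexec() hunk (@@ -799,8), the new text names AT_SECURE but neither the message nor the surrounding lines record why it is set on this path. The only visible condition is if (!(perms.xindex & AA_X_UNSAFE)), and the commit message's point about ld.so's secure-execution mode is not carried into the source. A one-line comment above the DEBUG_ON block saying that an exec without AA_X_UNSAFE gets AT_SECURE, which puts ld.so in secure-execution mode, would keep the next reader from reintroducing the "scrubbing" wording.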
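Review bot: In the apparmor_bprm_creds_for_exec() hunk (@@ -970,7), the rewritten message starts with "setting AT_SECURE for %s " and has no "apparmor: " prefix, while the two messages changed earlier in this patch both begin with "apparmor: setting AT_SECURE". As the line is being touched anyway, adding the prefix here would make all three debug lines match a single search in the log, for example dbg_printk("apparmor: setting AT_SECURE for %s label=", bprm->filename);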