envseal 0.3.14

Write-only secret vault with process-level access control — post-agent secret management
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287

//! Environment-variable hostility assessment and child-process sanitization.
//!
//! `LD_PRELOAD` / `DYLD_INSERT_LIBRARIES` etc. inject attacker-controlled
//! code into every child process, so we treat them as a hard block
//! (configurable). Less-fatal vars like `LD_LIBRARY_PATH`, `PYTHONPATH`,
//! `NODE_OPTIONS` are stripped from the child env and optionally block
//! the parent operation when the active security tier requires it.

use std::collections::HashMap;

use crate::error::Error;

/// Environment variables that provide direct code injection into child processes.
///
/// If any of these are set, a malicious library WILL be loaded into the child
/// process. This is a hard block — no override.
pub(crate) const INJECT_ENV_VARS: &[&str] = &[
    // Linux: ld.so loads these before main()
    "LD_PRELOAD",
    "LD_PRELOAD_32",
    "LD_PRELOAD_64",
    "LD_AUDIT",
    // macOS: dyld loads these before main()
    "DYLD_INSERT_LIBRARIES",
];

/// Environment variables that modify library resolution but don't inject code directly.
///
/// These are commonly set on developer workstations (CUDA, custom builds).
/// Since the inject pipeline calls `env_clear()` on the child, these only
/// affect envseal itself (which is statically linked). Warn but don't block.
pub(crate) const SUSPICIOUS_ENV_VARS: &[&str] = &[
    "LD_LIBRARY_PATH",
    "LD_DEBUG",
    "LD_DEBUG_OUTPUT",
    "LD_DYNAMIC_WEAK",
    "LD_ORIGIN_PATH",
    "LD_PROFILE",
    "LD_SHOW_AUXV",
    "DYLD_LIBRARY_PATH",
    "DYLD_FRAMEWORK_PATH",
    "DYLD_FALLBACK_LIBRARY_PATH",
    "PYTHONPATH",
    "BASH_ENV",
    "ENV",
    "NODE_OPTIONS",
    "RUBYOPT",
    "PERL5LIB",
    "JAVA_TOOL_OPTIONS",
    "GLIBC_TUNABLES",
    "GCONV_PATH",
    "LOCPATH",
    "PERL5OPT",
    "JDK_JAVA_OPTIONS",
    "_JAVA_OPTIONS",
    // PYTHONSTARTUP runs arbitrary Python on every interactive
    // python startup — drops a hostile parent env into the child
    // even when no PYTHONPATH manipulation is visible.
    "PYTHONSTARTUP",
    "PYTHONHOME",
    "PYTHONUSERBASE",
    // OPENSSL_CONF picks up a custom config including dynamic
    // engine loading; a hostile path turns every TLS handshake in
    // the child into an attacker-controlled ENGINE call.
    "OPENSSL_CONF",
    "OPENSSL_MODULES",
    // BASH_FUNC_*=...  is how Shellshock-style function exports
    // historically reached child shells. Generic prefixes can't
    // be expressed in a flat list, so the env_for_child path
    // strips anything matching by prefix; see `is_hostile_var`.
];

/// Variable-NAME *prefixes* that mark a hostile inheritance even
/// if the suffix is unique. Used by [`sanitized_env`] alongside
/// the flat blocklists for cases where the dangerous surface is a
/// family of variables (Shellshock-style function exports, etc).
pub(crate) const HOSTILE_VAR_PREFIXES: &[&str] = &[
    // Bash exported functions: `BASH_FUNC_<name>%%=() { … }` or
    // `BASH_FUNC_<name>()=…`. CVE-2014-6271 (Shellshock) inherited
    // functions — bash retired the unprefixed form, but the prefix
    // is still a defense-in-depth strip.
    "BASH_FUNC_",
];

/// Threat level assessed from process environment variables.
#[derive(Debug, PartialEq)]
pub enum EnvironmentThreatLevel {
    /// No hostile or suspicious variables detected.
    Safe,
    /// Suspicious variables like `LD_LIBRARY_PATH` detected.
    Degraded(String),
    /// Direct injection variables like `LD_PRELOAD` detected.
    Hostile(String),
}

/// Assess the process environment for injection and manipulation variables.
#[must_use]
pub fn assess_environment() -> EnvironmentThreatLevel {
    let mut hostile = Vec::new();
    for var in INJECT_ENV_VARS {
        if std::env::var_os(var).is_some() {
            hostile.push(*var);
        }
    }

    if !hostile.is_empty() {
        return EnvironmentThreatLevel::Hostile(format!(
            "direct injection variables detected: {}",
            hostile.join(", ")
        ));
    }

    let mut degraded = Vec::new();
    for var in SUSPICIOUS_ENV_VARS {
        if std::env::var_os(var).is_some() {
            degraded.push(*var);
        }
    }

    if !degraded.is_empty() {
        return EnvironmentThreatLevel::Degraded(format!(
            "suspicious environment variables set: {}",
            degraded.join(", ")
        ));
    }

    EnvironmentThreatLevel::Safe
}

/// Run the environment-injection assessment and emit signals.
///
/// Each detected hostile / suspicious env var becomes one
/// [`super::Signal`] under [`super::Category::EnvironmentInjection`].
/// `INJECT_ENV_VARS` matches produce `Hostile`-severity signals
/// (default policy: block under Hardened+); `SUSPICIOUS_ENV_VARS`
/// matches produce `Degraded` (default: warn-with-friction under
/// Standard, block under Hardened+).
#[must_use]
pub fn assess_env_signals(_ctx: &super::DetectorContext) -> Vec<super::Signal> {
    let mut signals = Vec::new();

    for var in INJECT_ENV_VARS {
        if std::env::var_os(var).is_some() {
            signals.push(super::Signal::new(
                super::SignalId::scoped("env.preload", var),
                super::Category::EnvironmentInjection,
                super::Severity::Hostile,
                "dynamic-loader injection variable set",
                format!("`{var}` is set in our parent environment — every child we exec will load attacker-controlled code"),
                "unset the variable before invoking envseal, or run from a clean shell",
            ));
        }
    }

    for var in SUSPICIOUS_ENV_VARS {
        if std::env::var_os(var).is_some() {
            signals.push(super::Signal::new(
                super::SignalId::scoped("env.suspicious_loader_var", var),
                super::Category::EnvironmentInjection,
                super::Severity::Degraded,
                "suspicious loader configuration variable set",
                format!("`{var}` modifies library resolution"),
                "review whether this var is intentional in this shell",
            ));
        }
    }

    signals
}

/// Enforce environment-injection policy at an execution boundary.
///
/// Single source of truth: every detected env-injection signal is
/// run through the user's [`crate::guard::Policy`] (default table
/// plus any `signal_overrides` / `tier_overrides` from
/// `security.toml`). The first signal whose decided
/// [`crate::guard::Action`] is `Block` aborts execution. Lower-severity
/// outcomes (`Warn` / `Log`) are surfaced on stderr — there is no
/// challenge gate at this stage because env-injection runs before
/// any GUI prompt.
///
/// # Behavior under default policy
///
/// | Tier      | `LD_PRELOAD` set      | `LD_LIBRARY_PATH` set |
/// |-----------|-----------------------|-----------------------|
/// | Standard  | Warn (proceed)        | Warn (proceed)        |
/// | Hardened  | **Block**             | **Block**             |
/// | Lockdown  | **Block**             | **Block**             |
///
/// Override per-signal in `security.toml`:
/// ```toml
/// [signal_overrides]
/// "env.suspicious_loader_var.ld_library_path" = "ignore"
/// ```
///
/// # Errors
/// [`Error::EnvironmentCompromised`] for the first signal whose
/// decided action is `Block`. The error message embeds the signal's
/// label, detail, and mitigation hint so the user knows exactly
/// which variable triggered and how to clear it.
pub fn enforce_env_policy(config: &crate::security_config::SecurityConfig) -> Result<(), Error> {
    // Ambient context — env-var scanning doesn't read any per-op fields.
    let ctx = super::DetectorContext::ambient();
    let signals = assess_env_signals(&ctx);
    // The parallel decide-and-eprintln ladder this function used to
    // implement is exactly what `emit_signals_inline` consolidates
    // for every other in-flight Signal source — single rendering
    // function, single audit-log path, single block conversion.
    super::emit_signals_inline(signals, config)
}

/// Build a sanitized environment for the child process.
///
/// Copies the current environment but strips all injection and suspicious
/// variables. Returns a map of variable name → value for the clean environment.
#[must_use]
pub fn sanitized_env() -> HashMap<String, String> {
    let blocked: std::collections::HashSet<&str> = INJECT_ENV_VARS
        .iter()
        .chain(SUSPICIOUS_ENV_VARS.iter())
        .copied()
        .collect();

    std::env::vars()
        .filter(|(key, _)| {
            if blocked.contains(key.as_str()) {
                return false;
            }
            // Strip Shellshock-style prefixed function exports and
            // anything else matching a hostile prefix.
            if HOSTILE_VAR_PREFIXES
                .iter()
                .any(|prefix| key.starts_with(prefix))
            {
                return false;
            }
            // Strip internal envseal control variables so they are
            // never leaked to child processes.
            !key.starts_with("ENVSEAL_")
        })
        .collect()
}

#[cfg(test)]
mod sanitized_env_tests {
    use super::sanitized_env;

    #[test]
    fn strips_bash_func_prefixed_exports() {
        // Set a fake Shellshock-style export and verify it's
        // dropped by sanitized_env. Done with a unique name to
        // avoid trampling on any real environment in the test
        // runner. Cleanup at the end.
        let key = "BASH_FUNC_envseal_test_marker%%";
        std::env::set_var(key, "() { echo gotcha; }");
        let env = sanitized_env();
        let leaked = env.contains_key(key);
        std::env::remove_var(key);
        assert!(!leaked, "BASH_FUNC_-prefixed export survived sanitized_env");
    }

    #[test]
    fn strips_pythonstartup_and_openssl_conf() {
        std::env::set_var("PYTHONSTARTUP", "/tmp/marker.py");
        std::env::set_var("OPENSSL_CONF", "/tmp/marker.cnf");
        let env = sanitized_env();
        let py = env.contains_key("PYTHONSTARTUP");
        let ssl = env.contains_key("OPENSSL_CONF");
        std::env::remove_var("PYTHONSTARTUP");
        std::env::remove_var("OPENSSL_CONF");
        assert!(!py, "PYTHONSTARTUP survived sanitized_env");
        assert!(!ssl, "OPENSSL_CONF survived sanitized_env");
    }

    #[test]
    fn strips_envseal_internal_vars() {
        std::env::set_var("ENVSEAL_TEST_MARKER", "leaked");
        std::env::set_var("ENVSEAL_MASTER_KEY_PATH", "/secret");
        let env = sanitized_env();
        let leaked1 = env.contains_key("ENVSEAL_TEST_MARKER");
        let leaked2 = env.contains_key("ENVSEAL_MASTER_KEY_PATH");
        std::env::remove_var("ENVSEAL_TEST_MARKER");
        std::env::remove_var("ENVSEAL_MASTER_KEY_PATH");
        assert!(!leaked1, "ENVSEAL_TEST_MARKER survived sanitized_env");
        assert!(!leaked2, "ENVSEAL_MASTER_KEY_PATH survived sanitized_env");
    }
}