[gobject-introspection] libgirepository: Refuse to run in setuid applications
- From: Colin Walters <walters src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gobject-introspection] libgirepository: Refuse to run in setuid applications
- Date: Thu, 24 Sep 2015 15:12:11 +0000 (UTC)
commit 98bb6c91b710a95efe4cfeb303daeec3381b9c98
Author: Colin Walters <walters verbum org>
Date: Wed Sep 23 14:07:21 2015 -0400
libgirepository: Refuse to run in setuid applications
We know of at least one privilege escalation path via
`GI_TYPELIB_PATH`. I don't want to audit for others. If someone
shows up with a use case we can talk.
https://bugzilla.gnome.org/show_bug.cgi?id=755472
configure.ac | 2 +-
girepository/girepository.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index b11596b..a41ece1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -247,7 +247,7 @@ AC_C_CONST
# Checks for library functions.
AC_FUNC_STRTOD
-AC_CHECK_FUNCS([memchr strchr strspn strstr strtol strtoull])
+AC_CHECK_FUNCS([memchr strchr strspn strstr strtol strtoull getauxval])
AC_CHECK_FUNCS([backtrace backtrace_symbols])
# Python
diff --git a/girepository/girepository.c b/girepository/girepository.c
index 4723c95..97074a8 100644
--- a/girepository/girepository.c
+++ b/girepository/girepository.c
@@ -27,6 +27,10 @@
#include <string.h>
#include <stdlib.h>
+#ifdef HAVE_GETAUXVAL
+#include <sys/auxv.h>
+#endif
+
#include <glib.h>
#include <glib/gprintf.h>
#include <gmodule.h>
@@ -147,6 +151,14 @@ init_globals (void)
if (!g_once_init_enter (&initialized))
return;
+#ifdef HAVE_GETAUXVAL
+ if (getauxval (AT_SECURE))
+ {
+ g_printerr ("error: libgirepository.so (gobject-introspection) is not audited for use in setuid
applications\nSee https://bugzilla.gnome.org/show_bug.cgi?id=755472\n");
+ _exit (1);
+ }
+#endif
+
if (default_repository == NULL)
default_repository = g_object_new (G_TYPE_IREPOSITORY, NULL);
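Review bot: The refusal at L47–L54 exists only when HAVE_GETAUXVAL is defined, so on any build where the configure check fails (older glibc, non-Linux libc) init_globals silently keeps loading typelibs from `GI_TYPELIB_PATH` in a setuid process, with no diagnostic that the guard is absent. A fallback branch under `#else` that tests `if (getuid () != geteuid () || getgid () != getegid ())` and runs the same g_printerr/_exit body would still catch the plain setuid/setgid case; it does not see file capabilities or other secure-exec conditions, so it should only complement AT_SECURE, not replace it (it needs `<unistd.h>`, which the existing `_exit` call presumably already has in scope — worth confirming). Note that AC_CHECK_FUNCS only proves getauxval links, so a libc with the symbol but without `<sys/auxv.h>`/AT_SECURE would break the build rather than degrade; `AC_CHECK_HEADERS([sys/auxv.h])` alongside it would make the `#ifdef` honest. The string at L50–L51 looks split by mail wrapping rather than in the source; the enclosing init_globals continues past the hunk.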