PVF worker: Prevent access to env vars (#7330)

f22bc242 · Marcin S. · GitHub · 9be0b8a3 · f22bc242 · f22bc242
Commit f22bc242 authored 1 year ago by Marcin S. Committed by GitHub 1 year ago
--- a/polkadot/node/core/pvf/common/src/worker/mod.rs
+++ b/polkadot/node/core/pvf/common/src/worker/mod.rs
@@ -128,6 +128,16 @@ pub fn worker_event_loop<F, Fut>(
 		}
 	}

+	// Delete all env vars to prevent malicious code from accessing them.
+	for (key, _) in std::env::vars() {
+		// TODO: *theoretically* the value (or mere presence) of `RUST_LOG` can be a source of
+		// randomness for malicious code. In the future we can remove it also and log in the host;
+		// see <https://github.com/paritytech/polkadot/issues/7117>.
+		if key != "RUST_LOG" {
+			std::env::remove_var(key);
+		}
+	}
+
 	// Run the main worker loop.
 	let rt = Runtime::new().expect("Creates tokio runtime. If this panics the worker will die and the host will detect that and deal with it.");
 	let err = rt

--- a/polkadot/roadmap/implementers-guide/src/node/utility/pvf-host-and-workers.md
+++ b/polkadot/roadmap/implementers-guide/src/node/utility/pvf-host-and-workers.md
@@ -125,3 +125,10 @@ A basic security mechanism is to make sure that any thread directly interfacing
 with untrusted code does not have access to the file-system. This provides some
 protection against attackers accessing sensitive data or modifying data on the
 host machine.
+
+### Clearing env vars
+
+We clear environment variables before handling untrusted code, because why give
+attackers potentially sensitive data unnecessarily? And even if everything else
+is locked down, env vars can potentially provide a source of randomness (see
+point 1, "Consensus faults" above).