giomodule: Make it easier to avoid dlopening GIO modules
Various projects that want to avoid loading non-builtin GIO modules for security or robustness reasons have equivalents of this gnome-session code, which must be run before starting a second thread:
```c
#include <gio/gio.h>

static void
initialize_gio (void)
{
        char *disable_fuse = NULL;
        char *use_vfs = NULL;

        /* Save the caller's settings so they can be restored for subprocesses. */
        disable_fuse = g_strdup (g_getenv ("GVFS_DISABLE_FUSE"));
        use_vfs = g_strdup (g_getenv ("GIO_USE_VFS"));

        /* Force the local VFS backend while the default GVfs is instantiated. */
        g_setenv ("GVFS_DISABLE_FUSE", "1", TRUE);
        g_setenv ("GIO_USE_VFS", "local", TRUE);
        g_vfs_get_default ();

        /* Put the environment back the way it was. */
        if (use_vfs) {
                g_setenv ("GIO_USE_VFS", use_vfs, TRUE);
                g_free (use_vfs);
        } else {
                g_unsetenv ("GIO_USE_VFS");
        }

        if (disable_fuse) {
                g_setenv ("GVFS_DISABLE_FUSE", disable_fuse, TRUE);
                g_free (disable_fuse);
        } else {
                g_unsetenv ("GVFS_DISABLE_FUSE");
        }
}
```

This has a few issues:
- You have to know which VFS backend, etc., is the "safe" one, and all the right environment variables to set.
- It's a lot of code for something conceptually simple. Projects that won't run a subprocess can get away with a simpler version that just sets the environment variables and never unsets them, but that isn't useful for something like gnome-session where the whole point is to launch subprocesses.
- If you're doing this for security or robustness reasons, it isn't ideal: GIO will still `dlopen()` all the GIO modules, even if it isn't going to instantiate any objects out of them. In the Steam container runtime, which has a bundled copy of GLib, this manifests as a runtime linker error: the older bundled GIO loads modules from the OS that require a much newer GLib, causing `dlopen()` to fail. I realised while writing this issue that this could even be a security issue, reported separately as #2168 (closed) - I'm leaving this as confidential until #2168 (closed) is either fixed, or confirmed to be a non-issue.

I would like there to be an official way - either an API call or an environment variable - to completely disable GIO loadable modules for the current process, so that only the backends that are hard-coded into GIO will be considered.
(Full disclosure: right now, the reason I really want this is so that I can backport it into the ancient version of GLib that is in the Steam Runtime, and use it in GLib-based tools that ship with a bundled copy of that GLib. However, I think it would also be useful in current GNOME, for example for gnome-session.)
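
A check that complements the third point in the list above, as an added example that is not part of the original issue or of GLib: it scans `/proc/<pid>/maps` text for mapped files under a `gio/modules/` directory, so a test can confirm whether any loadable GIO module was actually `dlopen()`ed. The directory pattern, the `find_gio_modules` helper and the sample mappings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MODS 32
#define PATH_LEN 256

/* Constructed sample in /proc/<pid>/maps format (not captured from a real system). */
static const char SAMPLE_MAPS[] =
  "7f1a2c000000-7f1a2c021000 r--p 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0\n"
  "7f1a2c400000-7f1a2c40a000 r--p 00000000 08:01 1422 /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so\n"
  "7f1a2c40a000-7f1a2c420000 r-xp 0000a000 08:01 1422 /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so\n"
  "7f1a2c800000-7f1a2c803000 r--p 00000000 08:01 1425 /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so\n"
  "7ffd3b5e0000-7ffd3b601000 rw-p 00000000 00:00 0 [stack]\n";

/* Collect the distinct mapped files under a ".../gio/modules/" directory
 * (assumed install location of loadable GIO modules). Returns how many. */
static int
find_gio_modules (const char *maps, char found[][PATH_LEN], int max)
{
  int n = 0;
  while (maps && *maps) {
    const char *eol = strchr (maps, '\n');
    size_t len = eol ? (size_t) (eol - maps) : strlen (maps);
    char buf[512];
    if (len < sizeof buf) {             /* over-long lines are skipped */
      memcpy (buf, maps, len);
      buf[len] = '\0';
      /* No earlier field contains '/', so the first one starts the path. */
      const char *path = strchr (buf, '/');
      if (path && strstr (path, "/gio/modules/") && strlen (path) < PATH_LEN) {
        int i, seen = 0;
        for (i = 0; i < n; i++)         /* one file has several mappings */
          seen |= (strcmp (found[i], path) == 0);
        if (!seen && n < max)
          strcpy (found[n++], path);
      }
    }
    maps = eol ? eol + 1 : NULL;
  }
  return n;
}

int
main (void)
{
  char found[MAX_MODS][PATH_LEN];
  int n = find_gio_modules (SAMPLE_MAPS, found, MAX_MODS);
  for (int i = 0; i < n; i++)
    printf ("GIO module mapped: %s\n", found[i]);
  return n ? 1 : 0;                     /* non-zero: a module was loaded */
}
```

For a live check, pass the contents of `/proc/self/maps` read after `g_vfs_get_default ()` has run in the process under test instead of the sample text.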