diff options
author | 2020-04-06 21:24:16 +0300 | |
---|---|---|
committer | 2021-02-08 19:19:09 +0200 | |
commit | 1c7ea15b30d49d32a0e3cb79152514f1aeb19397 (patch) | |
tree | 73d5d0f553e08d6d9a64f85c29a5c6df5433cda7 /src/firejail/sandbox.c | |
parent | use ${DOWNLOADS} in lutris.profile (#3955) (diff) | |
download | firejail-1c7ea15b30d49d32a0e3cb79152514f1aeb19397.tar.gz firejail-1c7ea15b30d49d32a0e3cb79152514f1aeb19397.tar.zst firejail-1c7ea15b30d49d32a0e3cb79152514f1aeb19397.zip |
Filter environment variables
Save all environment variables for later use in the application, clear
environment and re-apply only whitelisted variables for the main
firejail process. The whitelisted environment is only used by C
library. Sandboxed tools will get further variables used
internally (FIREJAIL_*).
All variables will be reapplied for the firejailed application.
This also lifts the length restriction for environment variables,
except for the variables used by Firejail itself or the sandboxed
tools.
Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d811fe45a..1f94d86cd 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -268,8 +268,7 @@ static void sandbox_if_up(Bridge *br) { | |||
268 | 268 | ||
269 | static void chk_chroot(void) { | 269 | static void chk_chroot(void) { |
270 | // if we are starting firejail inside some other container technology, we don't care about this | 270 | // if we are starting firejail inside some other container technology, we don't care about this |
271 | char *mycont = getenv("container"); | 271 | if (env_get("container")) |
272 | if (mycont) | ||
273 | return; | 272 | return; |
274 | 273 | ||
275 | // check if this is a regular chroot | 274 | // check if this is a regular chroot |
@@ -419,7 +418,7 @@ static int ok_to_run(const char *program) { | |||
419 | return 1; | 418 | return 1; |
420 | } | 419 | } |
421 | else { // search $PATH | 420 | else { // search $PATH |
422 | char *path1 = getenv("PATH"); | 421 | const char *path1 = env_get("PATH"); |
423 | if (path1) { | 422 | if (path1) { |
424 | if (arg_debug) | 423 | if (arg_debug) |
425 | printf("Searching $PATH for %s\n", program); | 424 | printf("Searching $PATH for %s\n", program); |
@@ -465,7 +464,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
465 | // set environment | 464 | // set environment |
466 | if (no_sandbox == 0) { | 465 | if (no_sandbox == 0) { |
467 | env_defaults(); | 466 | env_defaults(); |
468 | env_apply(); | 467 | env_apply_all(); |
469 | } | 468 | } |
470 | // restore original umask | 469 | // restore original umask |
471 | umask(orig_umask); | 470 | umask(orig_umask); |