Filter environment variables

Save all environment variables for later use in the application, clear
environment and re-apply only whitelisted variables for the main
firejail process. The whitelisted environment is only used by C
library. Sandboxed tools will get further variables used
internally (FIREJAIL_*).

All variables will be reapplied for the firejailed application.

This also lifts the length restriction for environment variables,
except for the variables used by Firejail itself or the sandboxed
tools.

1 files changed, 3 insertions, 4 deletions

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d811fe45a..1f94d86cd 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -268,8 +268,7 @@ static void sandbox_if_up(Bridge *br) {
 
 static void chk_chroot(void) {
         // if we are starting firejail inside some other container technology, we don't care about this
-        char *mycont = getenv("container");
-        if (mycont)
+        if (env_get("container"))
                 return;
 
         // check if this is a regular chroot
@@ -419,7 +418,7 @@ static int ok_to_run(const char *program) {
                         return 1;
         }
         else { // search $PATH
-                char *path1 = getenv("PATH");
+                const char *path1 = env_get("PATH");
                 if (path1) {
                         if (arg_debug)
                                 printf("Searching $PATH for %s\n", program);
@@ -465,7 +464,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
         // set environment
         if (no_sandbox == 0) {
                 env_defaults();
-                env_apply();
+                env_apply_all();
         }
         // restore original umask
         umask(orig_umask);