6 files changed, 72 insertions, 25 deletions
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 54a6b0036..1a6236407 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
        struct env_t *next;
        char *name;
        char *value;
+        ENV_OP op;
 } Env;
 static Env *envlist = NULL;
 static void env_add(Env *env) {
-        env->next = envlist;
+        env->next = NULL;
-        envlist = env;
+        
+        // add the new entry at the end of the list
+        if (envlist == NULL) {
+                envlist = env;
+                return;
+        }
+        
+        Env *ptr = envlist;
+        while (1) {
+                if (ptr->next == NULL) {
+                        ptr->next = env;
+                        break;
+                }
+                ptr = ptr->next;
+        }
 }
 // load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
                        if (arg_debug)
                                printf("%s\n", buf);
                        EUID_USER();
-                        env_store(buf);
+                        env_store(buf, SETENV);
                        EUID_ROOT();
                }
@@ -126,7 +141,7 @@ void env_defaults(void) {
 }
 // parse and store the environment setting 
-void env_store(const char *str) {
+void env_store(const char *str, ENV_OP op) {
        EUID_ASSERT();
        assert(str);
        
@@ -134,11 +149,13 @@ void env_store(const char *str) {
        if (*str == '\0')
                goto errexit;
        char *ptr = strchr(str, '=');
-        if (!ptr)
+        if (op == SETENV) {
-                goto errexit;
+                if (!ptr)
-        ptr++;
+                        goto errexit;
-        if (*ptr == '\0')
+                ptr++;
-                goto errexit;
+                if (*ptr == '\0')
+                        goto errexit;
+        }
        // build list entry
        Env *env = malloc(sizeof(Env));
@@ -148,10 +165,13 @@ void env_store(const char *str) {
        env->name = strdup(str);
        if (env->name == NULL)
                errExit("strdup");
-        char *ptr2 = strchr(env->name, '=');
+        if (op == SETENV) {
-        assert(ptr2);
+                char *ptr2 = strchr(env->name, '=');
-        *ptr2 = '\0';
+                assert(ptr2);
-        env->value = ptr2 + 1;
+                *ptr2 = '\0';
+                env->value = ptr2 + 1;
+        }
+        env->op = op;
        
        // add entry to the list
        env_add(env);
@@ -167,8 +187,13 @@ void env_apply(void) {
        Env *env = envlist;
        
        while (env) {
-                if (setenv(env->name, env->value, 1) < 0)
+                if (env->op == SETENV) {
-                        errExit("setenv");
+                        if (setenv(env->name, env->value, 1) < 0)
+                                errExit("setenv");
+                }
+                else if (env->op == RMENV) {
+                        unsetenv(env->name);
+                }
                env = env->next;
        }
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 3d0e9a51b..590646f23 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -493,7 +493,12 @@ int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 // env.c
-void env_store(const char *str);
+typedef enum {
+        SETENV = 0,
+        RMENV
+} ENV_OP;
+void env_store(const char *str, ENV_OP op);
 void env_apply(void);
 void env_defaults(void);
 void env_ibus_load(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b1dd7d32c..a0225be15 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1465,7 +1465,9 @@ int main(int argc, char **argv) {
                        arg_nonewprivs = 1;
                }
                else if (strncmp(argv[i], "--env=", 6) == 0)
-                        env_store(argv[i] + 6);
+                        env_store(argv[i] + 6, SETENV);
+                else if (strncmp(argv[i], "--rmenv=", 8) == 0)
+                        env_store(argv[i] + 8, RMENV);
                else if (strcmp(argv[i], "--nosound") == 0) {
                        arg_nosound = 1;
                }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bb834bf19..1106ed84e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -457,7 +457,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        
        if (strncmp(ptr, "env ", 4) == 0) {
-                env_store(ptr + 4);
+                env_store(ptr + 4, SETENV);
+                return 0;
+        }
+        if (strncmp(ptr, "rmenv ", 6) == 0) {
+                env_store(ptr + 6, RMENV);
                return 0;
        }
        
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 1efc247b5..b67300618 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -208,6 +208,7 @@ void usage(void) {
        
        printf("    --quiet - turn off Firejail's output.\n\n");
        printf("    --read-only=dirname_or_filename - set directory or file read-only..\n\n");
+        printf("    --read-write=dirname_or_filename - set directory or file read-write..\n\n");
        printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
        printf("\tby a process.\n\n");
        printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
@@ -216,7 +217,7 @@ void usage(void) {
        printf("\tcreated for the real user ID of the calling process.\n\n");
        printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
        printf("\tfor a process.\n\n");
-        printf("    --read-write=dirname_or_filename - set directory or file read-write..\n\n");
+        printf("    --rmenv=name - remove environment variable in the new sandbox.\n\n");
 #ifdef HAVE_NETWORK     
        printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
        printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cb555980d..8d20cf36b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1172,6 +1172,15 @@ make the whitelist read-only. Example:
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 .TP
+\fB\-\-read-write=dirname_or_filename
+By default, the sandbox mounts system directories read-only.
+These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+Use this option to mount read-write files or directories inside the system directories.
+This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+cases the system directories are mounted read-write.
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP
@@ -1185,13 +1194,14 @@ Set the maximum number of processes that can be created for the real user ID of
 Set the maximum number of pending signals for a process.
 .TP
-\fB\-\-read-write=dirname_or_filename
+\fB\-\-rmenv=name
-By default, the sandbox mounts system directories read-only.
+Remove environment variable in the new sandbox.
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+.br
-Use this option to mount read-write files or directories inside the system directories.
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+.br
-cases the system directories are mounted read-write.
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
 .TP
 \fB\-\-scan

diff --git a/src/firejail/env.c b/src/firejail/env.c index 54a6b0036..1a6236407 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
27	struct env_t *next;	27	struct env_t *next;
28	char *name;	28	char *name;
29	char *value;	29	char *value;
		30	ENV_OP op;
30	} Env;	31	} Env;
31	static Env *envlist = NULL;	32	static Env *envlist = NULL;
32		33
33	static void env_add(Env *env) {	34	static void env_add(Env *env) {
34	env->next = envlist;	35	env->next = NULL;
35	envlist = env;	36
		37	// add the new entry at the end of the list
		38	if (envlist == NULL) {
		39	envlist = env;
		40	return;
		41	}
		42
		43	Env *ptr = envlist;
		44	while (1) {
		45	if (ptr->next == NULL) {
		46	ptr->next = env;
		47	break;
		48	}
		49	ptr = ptr->next;
		50	}
36	}	51	}
37		52
38	// load IBUS env variables	53	// load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
87	if (arg_debug)	102	if (arg_debug)
88	printf("%s\n", buf);	103	printf("%s\n", buf);
89	EUID_USER();	104	EUID_USER();
90	env_store(buf);	105	env_store(buf, SETENV);
91	EUID_ROOT();	106	EUID_ROOT();
92	}	107	}
93		108
@@ -126,7 +141,7 @@ void env_defaults(void) {
126	}	141	}
127		142
128	// parse and store the environment setting	143	// parse and store the environment setting
129	void env_store(const char *str) {	144	void env_store(const char *str, ENV_OP op) {
130	EUID_ASSERT();	145	EUID_ASSERT();
131	assert(str);	146	assert(str);
132		147
@@ -134,11 +149,13 @@ void env_store(const char *str) {
134	if (*str == '\0')	149	if (*str == '\0')
135	goto errexit;	150	goto errexit;
136	char *ptr = strchr(str, '=');	151	char *ptr = strchr(str, '=');
137	if (!ptr)	152	if (op == SETENV) {
138	goto errexit;	153	if (!ptr)
139	ptr++;	154	goto errexit;
140	if (*ptr == '\0')	155	ptr++;
141	goto errexit;	156	if (*ptr == '\0')
		157	goto errexit;
		158	}
142		159
143	// build list entry	160	// build list entry
144	Env *env = malloc(sizeof(Env));	161	Env *env = malloc(sizeof(Env));
@@ -148,10 +165,13 @@ void env_store(const char *str) {
148	env->name = strdup(str);	165	env->name = strdup(str);
149	if (env->name == NULL)	166	if (env->name == NULL)
150	errExit("strdup");	167	errExit("strdup");
151	char *ptr2 = strchr(env->name, '=');	168	if (op == SETENV) {
152	assert(ptr2);	169	char *ptr2 = strchr(env->name, '=');
153	*ptr2 = '\0';	170	assert(ptr2);
154	env->value = ptr2 + 1;	171	*ptr2 = '\0';
		172	env->value = ptr2 + 1;
		173	}
		174	env->op = op;
155		175
156	// add entry to the list	176	// add entry to the list
157	env_add(env);	177	env_add(env);
@@ -167,8 +187,13 @@ void env_apply(void) {
167	Env *env = envlist;	187	Env *env = envlist;
168		188
169	while (env) {	189	while (env) {
170	if (setenv(env->name, env->value, 1) < 0)	190	if (env->op == SETENV) {
171	errExit("setenv");	191	if (setenv(env->name, env->value, 1) < 0)
		192	errExit("setenv");
		193	}
		194	else if (env->op == RMENV) {
		195	unsetenv(env->name);
		196	}
172	env = env->next;	197	env = env->next;
173	}	198	}
174	}	199	}


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 3d0e9a51b..590646f23 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -493,7 +493,12 @@ int check_kernel_procs(void);
493	void run_no_sandbox(int argc, char **argv);	493	void run_no_sandbox(int argc, char **argv);
494		494
495	// env.c	495	// env.c
496	void env_store(const char *str);	496	typedef enum {
		497	SETENV = 0,
		498	RMENV
		499	} ENV_OP;
		500
		501	void env_store(const char *str, ENV_OP op);
497	void env_apply(void);	502	void env_apply(void);
498	void env_defaults(void);	503	void env_defaults(void);
499	void env_ibus_load(void);	504	void env_ibus_load(void);


diff --git a/src/firejail/main.c b/src/firejail/main.c index b1dd7d32c..a0225be15 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1465,7 +1465,9 @@ int main(int argc, char **argv) {
1465	arg_nonewprivs = 1;	1465	arg_nonewprivs = 1;
1466	}	1466	}
1467	else if (strncmp(argv[i], "--env=", 6) == 0)	1467	else if (strncmp(argv[i], "--env=", 6) == 0)
1468	env_store(argv[i] + 6);	1468	env_store(argv[i] + 6, SETENV);
		1469	else if (strncmp(argv[i], "--rmenv=", 8) == 0)
		1470	env_store(argv[i] + 8, RMENV);
1469	else if (strcmp(argv[i], "--nosound") == 0) {	1471	else if (strcmp(argv[i], "--nosound") == 0) {
1470	arg_nosound = 1;	1472	arg_nosound = 1;
1471	}	1473	}


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index bb834bf19..1106ed84e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -457,7 +457,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
457	}	457	}
458		458
459	if (strncmp(ptr, "env ", 4) == 0) {	459	if (strncmp(ptr, "env ", 4) == 0) {
460	env_store(ptr + 4);	460	env_store(ptr + 4, SETENV);
		461	return 0;
		462	}
		463	if (strncmp(ptr, "rmenv ", 6) == 0) {
		464	env_store(ptr + 6, RMENV);
461	return 0;	465	return 0;
462	}	466	}
463		467


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1efc247b5..b67300618 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -208,6 +208,7 @@ void usage(void) {
208		208
209	printf(" --quiet - turn off Firejail's output.\n\n");	209	printf(" --quiet - turn off Firejail's output.\n\n");
210	printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");	210	printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
		211	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
211	printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");	212	printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
212	printf("\tby a process.\n\n");	213	printf("\tby a process.\n\n");
213	printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");	214	printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
@@ -216,7 +217,7 @@ void usage(void) {
216	printf("\tcreated for the real user ID of the calling process.\n\n");	217	printf("\tcreated for the real user ID of the calling process.\n\n");
217	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");	218	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
218	printf("\tfor a process.\n\n");	219	printf("\tfor a process.\n\n");
219	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");	220	printf(" --rmenv=name - remove environment variable in the new sandbox.\n\n");
220	#ifdef HAVE_NETWORK	221	#ifdef HAVE_NETWORK
221	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");	222	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
222	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");	223	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cb555980d..8d20cf36b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1172,6 +1172,15 @@ make the whitelist read-only. Example:
1172	$ firejail --whitelist=~/work --read-only=~ --read-only=~/work	1172	$ firejail --whitelist=~/work --read-only=~ --read-only=~/work
1173		1173
1174	.TP	1174	.TP
		1175	\fB\-\-read-write=dirname_or_filename
		1176	By default, the sandbox mounts system directories read-only.
		1177	These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
		1178	Use this option to mount read-write files or directories inside the system directories.
		1179
		1180	This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
		1181	cases the system directories are mounted read-write.
		1182
		1183	.TP
1175	\fB\-\-rlimit-fsize=number	1184	\fB\-\-rlimit-fsize=number
1176	Set the maximum file size that can be created by a process.	1185	Set the maximum file size that can be created by a process.
1177	.TP	1186	.TP
@@ -1185,13 +1194,14 @@ Set the maximum number of processes that can be created for the real user ID of
1185	Set the maximum number of pending signals for a process.	1194	Set the maximum number of pending signals for a process.
1186		1195
1187	.TP	1196	.TP
1188	\fB\-\-read-write=dirname_or_filename	1197	\fB\-\-rmenv=name
1189	By default, the sandbox mounts system directories read-only.	1198	Remove environment variable in the new sandbox.
1190	These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.	1199	.br
1191	Use this option to mount read-write files or directories inside the system directories.
1192		1200
1193	This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these	1201	.br
1194	cases the system directories are mounted read-write.	1202	Example:
		1203	.br
		1204	$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
1195		1205
1196	.TP	1206	.TP
1197	\fB\-\-scan	1207	\fB\-\-scan