16 files changed, 220 insertions, 46 deletions
diff --git a/RELNOTES b/RELNOTES
index acbac2275..e78192284 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,13 +3,14 @@ firejail (0.9.29) baseline; urgency=low
    disable-history.inc included in all default profiles
  * Firefox PDF.js exploit (CVE-2015-4495) fixes
  * added --private-etc option
+  * added --env option
  * support ${HOME} token in include directive in profile files
  * --private.keep is transitioned to --private-home
  * support ~ and blanks in blacklist option
  * support "net none" command in profile files
  * added "net none" to Evince PDF viewer
  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sat, 22 Aug 2015 20:25:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Mon, 24 Aug 2015 20:25:00 -0500
 firejail (0.9.28) baseline; urgency=low
  * network scanning, --scan option
diff --git a/src/firejail/env.c b/src/firejail/env.c
new file mode 100644
index 000000000..b4557e56f
--- /dev/null
+++ b/src/firejail/env.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+typedef struct env_t {
+        struct env_t *next;
+        char *name;
+        char *value;
+} Env;
+static Env *envlist = NULL;
+static void env_add(Env *env) {
+        env->next = envlist;
+        envlist = env;
+}
+// parse and store the environment setting 
+void env_store(const char *str) {
+        assert(str);
+        
+        // some basic checking
+        if (*str == '\0')
+                goto errexit;
+        char *ptr = strchr(str, '=');
+        if (!ptr)
+                goto errexit;
+        ptr++;
+        if (*ptr == '\0')
+                goto errexit;
+        // build list entry
+        Env *env = malloc(sizeof(Env));
+        if (!env)
+                errExit("malloc");
+        memset(env, 0, sizeof(Env));
+        env->name = strdup(str);
+        if (env->name == NULL)
+                errExit("strdup");
+        char *ptr2 = strchr(env->name, '=');
+        assert(ptr2);
+        *ptr2 = '\0';
+        env->value = ptr2 + 1;
+        
+        // add entry to the list
+        env_add(env);
+        return;
+        
+errexit:
+        fprintf(stderr, "Error: invalid --env setting\n");
+        exit(1);
+}
+// set env variables in the new sandbox process
+void env_apply(void) {
+        Env *env = envlist;
+        
+        while (env) {
+                setenv(env->name, env->value, 1);
+                env = env->next;
+        }
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 93265ef4f..868e1fca0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -363,5 +363,9 @@ void fs_private_etc_list(void);
 int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
+// env.c
+void env_store(const char *str);
+void env_apply(void);
 #endif
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9acfb254f..5d895c4a0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -764,6 +764,8 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--noroot") == 0) {
                        check_user_namespace();
                }
+                else if (strncmp(argv[i], "--env=", 6) == 0)
+                        env_store(argv[i] + 6);
                
                //*************************************
                // network
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 9dc01435f..5603974aa 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -1,7 +1,27 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <grp.h>
 // check process space for kernel processes
 // return 1 if found, 0 if not found
@@ -112,7 +132,8 @@ void run_no_sandbox(int argc, char **argv) {
        // start the program in /bin/sh
        fprintf(stderr, "Warning: an existing sandbox was detected. "
                "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
-        system(command);
+        rv = system(command);
+        (void) rv;
        if (allocated)
                free(command);
        exit(1);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4341434ac..4a050db20 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -137,6 +137,11 @@ int profile_check_line(char *ptr, int lineno) {
                return 0;
        }
        
+        if (strncmp(ptr, "env ", 4) == 0) {
+                env_store(ptr + 4);
+                return 0;
+        }
+        
        // seccomp drop list on top of default list
        if (strncmp(ptr, "seccomp ", 8) == 0) {
                arg_seccomp = 1;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6135c8eac..46cb03da7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -359,7 +359,8 @@ int sandbox(void* sandbox_arg) {
        //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
        if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
                errExit("setenv");
-                
+        // set user-supplied environment variables
+        env_apply();
        // set capabilities
        if (!arg_noroot)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 3afe5580f..d9ca7e615 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -78,6 +78,9 @@ void usage(void) {
        printf("\t\tby name.\n\n");
        printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
        printf("\t\tby PID.\n\n");
+        
+        printf("\t--env=name=value - set environment variable in the new sandbox\n");
+        
        printf("\t--help, -? - this help screen.\n\n");
        printf("\t--ip=address - set interface IP address.\n\n");
        printf("\t--ip=none - no IP address and no default gateway address are configured\n");
@@ -275,7 +278,7 @@ void usage(void) {
        printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
        printf("\t       process.\n");
        printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
-        printf("\t      It is a sum of the RES values for all processes running in the\n");
+        printf("\t      It is a sum of the RES valprivate-etcues for all processes running in the\n");
        printf("\t      sandbox.\n");
        printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
        printf("\t      processes. It is a sum of the SHR values for all processes running\n");
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 40fb099f7..fddbc209d 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -159,7 +159,7 @@ int rtnl_send_check(struct rtnl_handle *rth, const void *buf, int len)
                return -1;
        }
-        for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, status);
+        for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, (unsigned) status);
             h = NLMSG_NEXT(h, status)) {
                if (h->nlmsg_type == NLMSG_ERROR) {
                        struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h);
@@ -239,7 +239,7 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth,
                        struct nlmsghdr *h = (struct nlmsghdr*)buf;
                        msglen = status;
-                        while (NLMSG_OK(h, msglen)) {
+                        while (NLMSG_OK(h, (unsigned) msglen)) {
                                int err;
                                if (nladdr.nl_pid != 0 ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 58ba39b00..59fde72a6 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -162,6 +162,18 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
+env LD_LIBRARY_PATH=/opt/test/lib
+Set environment variable.
+.br
+Examples:
+.br
+.br
+env LD_LIBRARY_PATH=/opt/test/lib
+.br
+env CFLAGS="-W -Wall -Werror"
+.TP
 nogroups
 Disable supplementary user groups
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ffc698edd..2e87fbb8e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -299,6 +299,16 @@ $ firejail \-\-list
 $ firejail \-\-dns.print=3272
 .TP
+\fB\-\-env=name=value
+Set environment variable in the new sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
+.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
diff --git a/test/env.exp b/test/env.exp
new file mode 100755
index 000000000..d2edb0477
--- /dev/null
+++ b/test/env.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+#***********************************************
+send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "env | grep ENV\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ENV1"
+}
+send -- "env | grep ENV\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "ENV2"
+}
+send -- "env | grep ENV\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "ENV3"
+}
+send -- "exit\r"
+sleep 1
+#***********************************************
+send -- "firejail --profile=env.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "env | grep LD_LIBRARY_PATH\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "/opt/test/lib"
+}
+send -- "env | grep CFLAGS\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Wall"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Werror"
+}
+puts "\n"
diff --git a/test/env.profile b/test/env.profile
new file mode 100644
index 000000000..ba66e6210
--- /dev/null
+++ b/test/env.profile
@@ -0,0 +1,2 @@
+env LD_LIBRARY_PATH=/opt/test/lib
+env CFLAGS="-W -Wall -Werror"
diff --git a/test/firejail-in-firejail.exp b/test/firejail-in-firejail.exp
index 404eb03bb..59a94a7fb 100755
--- a/test/firejail-in-firejail.exp
+++ b/test/firejail-in-firejail.exp
@@ -14,24 +14,8 @@ sleep 1
 send --  "firejail\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        "Warning: an existing sandbox was detected"
-}
-sleep 1
-send --  "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
 }
 sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "exit\r"
-sleep 1
 puts "\n"
diff --git a/test/fscheck-private.exp b/test/fscheck-private.exp
index 4c791423d..8e485cc03 100755
--- a/test/fscheck-private.exp
+++ b/test/fscheck-private.exp
@@ -4,37 +4,30 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-# dir
-#send -- "firejail --net=br0 --private=fscheck-dir\r"
+# ..
+#send -- "firejail --net=br0 --private=../test/fscheck-dir\r"
 #expect {
-#       timeout {puts "TESTING ERROR 0\n";exit}
+#       timeout {puts "TESTING ERROR 0.1\n";exit}
 #       "Error"
 #}
 #after 100
-# ..
-send -- "firejail --net=br0 --private=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Error"
-}
-after 100
 # dir link
-send -- "firejail --net=br0 --private=fscheck-dir-link\r"
+#send -- "firejail --net=br0 --private=fscheck-dir-link\r"
-expect {
+#expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+#       timeout {puts "TESTING ERROR 1\n";exit}
-        "Error"
+#       "Error"
-}
+#}
-after 100
+#after 100
 # ..
-send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r"
+#send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r"
-expect {
+#expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
+#       timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Error"
+#       "Error"
-}
+#}
-after 100
+#after 100
 # file link
 send -- "firejail --net=br0 --private=fscheck-file-link\r"
diff --git a/test/test.sh b/test/test.sh
index 83d249b4f..8ddbc476f 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -4,6 +4,9 @@
 ./fscheck.sh
+echo "TESTING: environment variables"
+./env.exp
 echo "TESTING: private-etc"
 ./private-etc.exp

diff --git a/RELNOTES b/RELNOTES index acbac2275..e78192284 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -3,13 +3,14 @@ firejail (0.9.29) baseline; urgency=low
3	disable-history.inc included in all default profiles	3	disable-history.inc included in all default profiles
4	* Firefox PDF.js exploit (CVE-2015-4495) fixes	4	* Firefox PDF.js exploit (CVE-2015-4495) fixes
5	* added --private-etc option	5	* added --private-etc option
		6	* added --env option
6	* support ${HOME} token in include directive in profile files	7	* support ${HOME} token in include directive in profile files
7	* --private.keep is transitioned to --private-home	8	* --private.keep is transitioned to --private-home
8	* support ~ and blanks in blacklist option	9	* support ~ and blanks in blacklist option
9	* support "net none" command in profile files	10	* support "net none" command in profile files
10	* added "net none" to Evince PDF viewer	11	* added "net none" to Evince PDF viewer
11	* bugfixes	12	* bugfixes
12	-- netblue30 <netblue30@yahoo.com> Sat, 22 Aug 2015 20:25:00 -0500	13	-- netblue30 <netblue30@yahoo.com> Mon, 24 Aug 2015 20:25:00 -0500
13		14
14	firejail (0.9.28) baseline; urgency=low	15	firejail (0.9.28) baseline; urgency=low
15	* network scanning, --scan option	16	* network scanning, --scan option


diff --git a/src/firejail/env.c b/src/firejail/env.c new file mode 100644 index 000000000..b4557e56f --- /dev/null +++ b/src/firejail/env.c
@@ -0,0 +1,78 @@
		1	/*
		2	* Copyright (C) 2014, 2015 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "firejail.h"
		21
		22	typedef struct env_t {
		23	struct env_t *next;
		24	char *name;
		25	char *value;
		26	} Env;
		27	static Env *envlist = NULL;
		28
		29	static void env_add(Env *env) {
		30	env->next = envlist;
		31	envlist = env;
		32	}
		33
		34	// parse and store the environment setting
		35	void env_store(const char *str) {
		36	assert(str);
		37
		38	// some basic checking
		39	if (*str == '\0')
		40	goto errexit;
		41	char *ptr = strchr(str, '=');
		42	if (!ptr)
		43	goto errexit;
		44	ptr++;
		45	if (*ptr == '\0')
		46	goto errexit;
		47
		48	// build list entry
		49	Env *env = malloc(sizeof(Env));
		50	if (!env)
		51	errExit("malloc");
		52	memset(env, 0, sizeof(Env));
		53	env->name = strdup(str);
		54	if (env->name == NULL)
		55	errExit("strdup");
		56	char *ptr2 = strchr(env->name, '=');
		57	assert(ptr2);
		58	*ptr2 = '\0';
		59	env->value = ptr2 + 1;
		60
		61	// add entry to the list
		62	env_add(env);
		63	return;
		64
		65	errexit:
		66	fprintf(stderr, "Error: invalid --env setting\n");
		67	exit(1);
		68	}
		69
		70	// set env variables in the new sandbox process
		71	void env_apply(void) {
		72	Env *env = envlist;
		73
		74	while (env) {
		75	setenv(env->name, env->value, 1);
		76	env = env->next;
		77	}
		78	}


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 93265ef4f..868e1fca0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -363,5 +363,9 @@ void fs_private_etc_list(void);
363	int check_kernel_procs(void);	363	int check_kernel_procs(void);
364	void run_no_sandbox(int argc, char **argv);	364	void run_no_sandbox(int argc, char **argv);
365		365
		366	// env.c
		367	void env_store(const char *str);
		368	void env_apply(void);
		369
366	#endif	370	#endif
367		371


diff --git a/src/firejail/main.c b/src/firejail/main.c index 9acfb254f..5d895c4a0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -764,6 +764,8 @@ int main(int argc, char **argv) {
764	else if (strcmp(argv[i], "--noroot") == 0) {	764	else if (strcmp(argv[i], "--noroot") == 0) {
765	check_user_namespace();	765	check_user_namespace();
766	}	766	}
		767	else if (strncmp(argv[i], "--env=", 6) == 0)
		768	env_store(argv[i] + 6);
767		769
768	//*************************************	770	//*************************************
769	// network	771	// network


diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9dc01435f..5603974aa 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c
@@ -1,7 +1,27 @@
		1	/*
		2	* Copyright (C) 2014, 2015 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#include "firejail.h"	20	#include "firejail.h"
2	#include <sys/types.h>	21	#include <sys/types.h>
3	#include <sys/stat.h>	22	#include <sys/stat.h>
4	#include <unistd.h>	23	#include <unistd.h>
		24	#include <grp.h>
5		25
6	// check process space for kernel processes	26	// check process space for kernel processes
7	// return 1 if found, 0 if not found	27	// return 1 if found, 0 if not found
@@ -112,7 +132,8 @@ void run_no_sandbox(int argc, char **argv) {
112	// start the program in /bin/sh	132	// start the program in /bin/sh
113	fprintf(stderr, "Warning: an existing sandbox was detected. "	133	fprintf(stderr, "Warning: an existing sandbox was detected. "
114	"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);	134	"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
115	system(command);	135	rv = system(command);
		136	(void) rv;
116	if (allocated)	137	if (allocated)
117	free(command);	138	free(command);
118	exit(1);	139	exit(1);


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4341434ac..4a050db20 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -137,6 +137,11 @@ int profile_check_line(char *ptr, int lineno) {
137	return 0;	137	return 0;
138	}	138	}
139		139
		140	if (strncmp(ptr, "env ", 4) == 0) {
		141	env_store(ptr + 4);
		142	return 0;
		143	}
		144
140	// seccomp drop list on top of default list	145	// seccomp drop list on top of default list
141	if (strncmp(ptr, "seccomp ", 8) == 0) {	146	if (strncmp(ptr, "seccomp ", 8) == 0) {
142	arg_seccomp = 1;	147	arg_seccomp = 1;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6135c8eac..46cb03da7 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -359,7 +359,8 @@ int sandbox(void* sandbox_arg) {
359	//export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '	359	//export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
360	if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)	360	if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
361	errExit("setenv");	361	errExit("setenv");
362		362	// set user-supplied environment variables
		363	env_apply();
363		364
364	// set capabilities	365	// set capabilities
365	if (!arg_noroot)	366	if (!arg_noroot)


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 3afe5580f..d9ca7e615 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -78,6 +78,9 @@ void usage(void) {
78	printf("\t\tby name.\n\n");	78	printf("\t\tby name.\n\n");
79	printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");	79	printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
80	printf("\t\tby PID.\n\n");	80	printf("\t\tby PID.\n\n");
		81
		82	printf("\t--env=name=value - set environment variable in the new sandbox\n");
		83
81	printf("\t--help, -? - this help screen.\n\n");	84	printf("\t--help, -? - this help screen.\n\n");
82	printf("\t--ip=address - set interface IP address.\n\n");	85	printf("\t--ip=address - set interface IP address.\n\n");
83	printf("\t--ip=none - no IP address and no default gateway address are configured\n");	86	printf("\t--ip=none - no IP address and no default gateway address are configured\n");
@@ -275,7 +278,7 @@ void usage(void) {
275	printf("\tPrcs - number of processes running in sandbox, including the controlling\n");	278	printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
276	printf("\t process.\n");	279	printf("\t process.\n");
277	printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");	280	printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
278	printf("\t It is a sum of the RES values for all processes running in the\n");	281	printf("\t It is a sum of the RES valprivate-etcues for all processes running in the\n");
279	printf("\t sandbox.\n");	282	printf("\t sandbox.\n");
280	printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");	283	printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
281	printf("\t processes. It is a sum of the SHR values for all processes running\n");	284	printf("\t processes. It is a sum of the SHR values for all processes running\n");


diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 40fb099f7..fddbc209d 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c
@@ -159,7 +159,7 @@ int rtnl_send_check(struct rtnl_handle rth, const void buf, int len)
159	return -1;	159	return -1;
160	}	160	}
161		161
162	for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, status);	162	for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, (unsigned) status);
163	h = NLMSG_NEXT(h, status)) {	163	h = NLMSG_NEXT(h, status)) {
164	if (h->nlmsg_type == NLMSG_ERROR) {	164	if (h->nlmsg_type == NLMSG_ERROR) {
165	struct nlmsgerr err = (struct nlmsgerr)NLMSG_DATA(h);	165	struct nlmsgerr err = (struct nlmsgerr)NLMSG_DATA(h);
@@ -239,7 +239,7 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth,
239	struct nlmsghdr h = (struct nlmsghdr)buf;	239	struct nlmsghdr h = (struct nlmsghdr)buf;
240	msglen = status;	240	msglen = status;
241		241
242	while (NLMSG_OK(h, msglen)) {	242	while (NLMSG_OK(h, (unsigned) msglen)) {
243	int err;	243	int err;
244		244
245	if (nladdr.nl_pid != 0 \|\|	245	if (nladdr.nl_pid != 0 \|\|


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 58ba39b00..59fde72a6 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -162,6 +162,18 @@ The sandbox is placed in g1 control group.
162	.SH User Environment	162	.SH User Environment
163		163
164	.TP	164	.TP
		165	env LD_LIBRARY_PATH=/opt/test/lib
		166	Set environment variable.
		167	.br
		168	Examples:
		169	.br
		170
		171	.br
		172	env LD_LIBRARY_PATH=/opt/test/lib
		173	.br
		174	env CFLAGS="-W -Wall -Werror"
		175
		176	.TP
165	nogroups	177	nogroups
166	Disable supplementary user groups	178	Disable supplementary user groups
167	.TP	179	.TP


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index ffc698edd..2e87fbb8e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -299,6 +299,16 @@ $ firejail \-\-list
299	$ firejail \-\-dns.print=3272	299	$ firejail \-\-dns.print=3272
300		300
301	.TP	301	.TP
		302	\fB\-\-env=name=value
		303	Set environment variable in the new sandbox.
		304	.br
		305
		306	.br
		307	Example:
		308	.br
		309	$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
		310
		311	.TP
302	\fB\-?\fR, \fB\-\-help\fR	312	\fB\-?\fR, \fB\-\-help\fR
303	Print options end exit.	313	Print options end exit.
304	.TP	314	.TP


diff --git a/test/env.exp b/test/env.exp new file mode 100755 index 000000000..d2edb0477 --- /dev/null +++ b/test/env.exp
@@ -0,0 +1,55 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 10
		4	spawn $env(SHELL)
		5	match_max 100000
		6
		7	#***********************************************
		8	send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r"
		9	expect {
		10	timeout {puts "TESTING ERROR 0\n";exit}
		11	"Child process initialized"
		12	}
		13	sleep 1
		14
		15	send -- "env \| grep ENV\r"
		16	expect {
		17	timeout {puts "TESTING ERROR 1\n";exit}
		18	"ENV1"
		19	}
		20	send -- "env \| grep ENV\r"
		21	expect {
		22	timeout {puts "TESTING ERROR 2\n";exit}
		23	"ENV2"
		24	}
		25	send -- "env \| grep ENV\r"
		26	expect {
		27	timeout {puts "TESTING ERROR 3\n";exit}
		28	"ENV3"
		29	}
		30	send -- "exit\r"
		31	sleep 1
		32
		33	#***********************************************
		34	send -- "firejail --profile=env.profile\r"
		35	expect {
		36	timeout {puts "TESTING ERROR 4\n";exit}
		37	"Child process initialized"
		38	}
		39	sleep 1
		40	send -- "env \| grep LD_LIBRARY_PATH\r"
		41	expect {
		42	timeout {puts "TESTING ERROR 5\n";exit}
		43	"/opt/test/lib"
		44	}
		45	send -- "env \| grep CFLAGS\r"
		46	expect {
		47	timeout {puts "TESTING ERROR 6\n";exit}
		48	"Wall"
		49	}
		50	expect {
		51	timeout {puts "TESTING ERROR 7\n";exit}
		52	"Werror"
		53	}
		54
		55	puts "\n"


diff --git a/test/env.profile b/test/env.profile new file mode 100644 index 000000000..ba66e6210 --- /dev/null +++ b/test/env.profile
@@ -0,0 +1,2 @@
		1	env LD_LIBRARY_PATH=/opt/test/lib
		2	env CFLAGS="-W -Wall -Werror"


diff --git a/test/firejail-in-firejail.exp b/test/firejail-in-firejail.exp index 404eb03bb..59a94a7fb 100755 --- a/test/firejail-in-firejail.exp +++ b/test/firejail-in-firejail.exp
@@ -14,24 +14,8 @@ sleep 1
14	send -- "firejail\r"	14	send -- "firejail\r"
15	expect {	15	expect {
16	timeout {puts "TESTING ERROR 1\n";exit}	16	timeout {puts "TESTING ERROR 1\n";exit}
17	"Child process initialized"	17	"Warning: an existing sandbox was detected"
18	}
19	sleep 1
20
21	send -- "firejail\r"
22	expect {
23	timeout {puts "TESTING ERROR 1\n";exit}
24	"Child process initialized"
25	}	18	}
26	sleep 1	19	sleep 1
27	puts "\n"
28
29	send -- "exit\r"
30	sleep 1
31	send -- "exit\r"
32	sleep 1
33	send -- "exit\r"
34	sleep 1
35
36		20
37	puts "\n"	21	puts "\n"


diff --git a/test/fscheck-private.exp b/test/fscheck-private.exp index 4c791423d..8e485cc03 100755 --- a/test/fscheck-private.exp +++ b/test/fscheck-private.exp
@@ -4,37 +4,30 @@ set timeout 10
4	spawn $env(SHELL)	4	spawn $env(SHELL)
5	match_max 100000	5	match_max 100000
6		6
7	# dir	7
8	#send -- "firejail --net=br0 --private=fscheck-dir\r"	8	# ..
		9	#send -- "firejail --net=br0 --private=../test/fscheck-dir\r"
9	#expect {	10	#expect {
10	# timeout {puts "TESTING ERROR 0\n";exit}	11	# timeout {puts "TESTING ERROR 0.1\n";exit}
11	# "Error"	12	# "Error"
12	#}	13	#}
13	#after 100	14	#after 100
14		15
15	# ..
16	send -- "firejail --net=br0 --private=../test/fscheck-dir\r"
17	expect {
18	timeout {puts "TESTING ERROR 0.1\n";exit}
19	"Error"
20	}
21	after 100
22
23	# dir link	16	# dir link
24	send -- "firejail --net=br0 --private=fscheck-dir-link\r"	17	#send -- "firejail --net=br0 --private=fscheck-dir-link\r"
25	expect {	18	#expect {
26	timeout {puts "TESTING ERROR 1\n";exit}	19	# timeout {puts "TESTING ERROR 1\n";exit}
27	"Error"	20	# "Error"
28	}	21	#}
29	after 100	22	#after 100
30		23
31	# ..	24	# ..
32	send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r"	25	#send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r"
33	expect {	26	#expect {
34	timeout {puts "TESTING ERROR 1.1\n";exit}	27	# timeout {puts "TESTING ERROR 1.1\n";exit}
35	"Error"	28	# "Error"
36	}	29	#}
37	after 100	30	#after 100
38		31
39	# file link	32	# file link
40	send -- "firejail --net=br0 --private=fscheck-file-link\r"	33	send -- "firejail --net=br0 --private=fscheck-file-link\r"


diff --git a/test/test.sh b/test/test.sh index 83d249b4f..8ddbc476f 100755 --- a/test/test.sh +++ b/test/test.sh
@@ -4,6 +4,9 @@
4		4
5	./fscheck.sh	5	./fscheck.sh
6		6
		7	echo "TESTING: environment variables"
		8	./env.exp
		9
7	echo "TESTING: private-etc"	10	echo "TESTING: private-etc"
8	./private-etc.exp	11	./private-etc.exp
9		12