From 820de6829fedccffb8b3c32f079436fa7e89273e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 24 Aug 2015 09:05:18 -0400
Subject: added --env option
---
src/firejail/env.c | 78 ++++++++++++++++++++++++++++++++++++++++++++
src/firejail/firejail.h | 4 +++
src/firejail/main.c | 2 ++
src/firejail/no_sandbox.c | 23 ++++++++++++-
src/firejail/profile.c | 5 +++
src/firejail/sandbox.c | 3 +-
src/firejail/usage.c | 5 ++-
src/lib/libnetlink.c | 4 +--
src/man/firejail-profile.txt | 12 +++++++
src/man/firejail.txt | 10 ++++++
10 files changed, 141 insertions(+), 5 deletions(-)
create mode 100644 src/firejail/env.c
(limited to 'src')
diff --git a/src/firejail/env.c b/src/firejail/env.c
new file mode 100644
index 000000000..b4557e56f
--- /dev/null
+++ b/src/firejail/env.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+
+typedef struct env_t {
+ struct env_t *next;
+ char *name;
+ char *value;
+} Env;
+static Env *envlist = NULL;
+
+static void env_add(Env *env) {
+ env->next = envlist;
+ envlist = env;
+}
+
+// parse and store the environment setting
+void env_store(const char *str) {
+ assert(str);
+
+ // some basic checking
+ if (*str == '\0')
+ goto errexit;
+ char *ptr = strchr(str, '=');
+ if (!ptr)
+ goto errexit;
+ ptr++;
+ if (*ptr == '\0')
+ goto errexit;
+
+ // build list entry
+ Env *env = malloc(sizeof(Env));
+ if (!env)
+ errExit("malloc");
+ memset(env, 0, sizeof(Env));
+ env->name = strdup(str);
+ if (env->name == NULL)
+ errExit("strdup");
+ char *ptr2 = strchr(env->name, '=');
+ assert(ptr2);
+ *ptr2 = '\0';
+ env->value = ptr2 + 1;
+
+ // add entry to the list
+ env_add(env);
+ return;
+
+errexit:
+ fprintf(stderr, "Error: invalid --env setting\n");
+ exit(1);
+}
+
+// set env variables in the new sandbox process
+void env_apply(void) {
+ Env *env = envlist;
+
+ while (env) {
+ setenv(env->name, env->value, 1);
+ env = env->next;
+ }
+}
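Review bot: env_store() accepts an entry with an empty name: when the string begins with `=`, the `strchr` hit is at `str` itself, none of the three checks fires, and `env->name` becomes `""`. env_apply() then calls `setenv()` without checking the result, so that entry, like any other setenv failure, is dropped silently, whereas the PROMPT_COMMAND call in sandbox.c treats a failed setenv as fatal. I would reject the empty name with `if (ptr == str) goto errexit;` directly after the `!ptr` test (before `ptr++`), and in env_apply() write `if (setenv(env->name, env->value, 1) < 0) errExit("setenv");`. The `*ptr == '\0'` test also refuses `NAME=`, so a variable cannot be set to the empty string; if that is intended, a comment such as `// an empty value is rejected on purpose` would record it.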
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 93265ef4f..868e1fca0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -363,5 +363,9 @@ void fs_private_etc_list(void); int check_kernel_procs(void); void run_no_sandbox(int argc, char **argv); +// env.c +void env_store(const char *str); +void env_apply(void); + #endif diff --git a/src/firejail/main.c b/src/firejail/main.c index 9acfb254f..5d895c4a0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -764,6 +764,8 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--noroot") == 0) { check_user_namespace(); } + else if (strncmp(argv[i], "--env=", 6) == 0) + env_store(argv[i] + 6); //************************************* // network diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9dc01435f..5603974aa 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -1,7 +1,27 @@ +/* + * Copyright (C) 2014, 2015 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ #include "firejail.h" #include #include #include +#include // check process space for kernel processes // return 1 if found, 0 if not found 
@@ -112,7 +132,8 @@ void run_no_sandbox(int argc, char **argv) { // start the program in /bin/sh fprintf(stderr, "Warning: an existing sandbox was detected. " "%s will run without any additional sandboxing features in a /bin/sh shell\n", command); - system(command); + rv = system(command); + (void) rv; if (allocated) free(command); exit(1); diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4341434ac..4a050db20 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -137,6 +137,11 @@ int profile_check_line(char *ptr, int lineno) { return 0; } + if (strncmp(ptr, "env ", 4) == 0) { + env_store(ptr + 4); + return 0; + } + // seccomp drop list on top of default list if (strncmp(ptr, "seccomp ", 8) == 0) { arg_seccomp = 1; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6135c8eac..46cb03da7 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -359,7 +359,8 @@ int sandbox(void* sandbox_arg) { //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); - + // set user-supplied environment variables + env_apply(); // set capabilities if (!arg_noroot) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 3afe5580f..d9ca7e615 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -78,6 +78,9 @@ void usage(void) { printf("\t\tby name.\n\n"); printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n"); printf("\t\tby PID.\n\n"); + + printf("\t--env=name=value - set environment variable in the new sandbox\n"); + printf("\t--help, -? - this help screen.\n\n"); printf("\t--ip=address - set interface IP address.\n\n"); printf("\t--ip=none - no IP address and no default gateway address are configured\n"); 
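Review bot: In run_no_sandbox() (no_sandbox.c, hunk at -112) the pair `rv = system(command); (void) rv;` only silences the unused-result warning; a failure to start the shell (`-1`) or a non-zero exit status of the command stays invisible, and the function continues to an unconditional `exit(1)`. The failure case at least deserves handling, e.g. `if (rv == -1) errExit("system");`. Because `system()` hands the string to /bin/sh, shell metacharacters in it are interpreted; how `command` is assembled from argv and whether privileges have been dropped by this point lie outside the hunk and should be confirmed. The declaration of `rv` is not in the hunk either.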
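Review bot: The new `env ` branch in profile_check_line() (profile.c) passes the rest of the line to env_store() verbatim, so the quotes in the man-page example `env CFLAGS="-W -Wall -Werror"` would become part of the value unless the profile reader strips them before this point, which the hunk does not show. Either unquote the value here or change the example, and document the behaviour next to the call, e.g. `// the value is taken verbatim; quotes are not removed`. A bad profile line is also reported by env_store() as `Error: invalid --env setting` with no line number, although `lineno` is available in this function.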
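Review bot: env_apply() in sandbox() (sandbox.c, hunk at -359) runs before the capability setup that follows it and uses overwrite mode, so from this line on the process carries caller-chosen values for any variable, including loader variables such as the LD_LIBRARY_PATH of the man-page example and the PROMPT_COMMAND set just above. Whether sandbox() still starts helper programs with elevated privileges after this line is not visible in the hunk; if it does, the call belongs after the last such step, immediately before the user's program is started. If the current position is intended, record that at the call: `// user-supplied variables; nothing privileged is executed after this point`. The body of sandbox() begins and ends outside the hunk.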
@@ -275,7 +278,7 @@ void usage(void) { printf("\tPrcs - number of processes running in sandbox, including the controlling\n"); printf("\t process.\n"); printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); - printf("\t It is a sum of the RES values for all processes running in the\n"); + printf("\t It is a sum of the RES valprivate-etcues for all processes running in the\n"); printf("\t sandbox.\n"); printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); printf("\t processes. It is a sum of the SHR values for all processes running\n"); diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 40fb099f7..fddbc209d 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c @@ -159,7 +159,7 @@ int rtnl_send_check(struct rtnl_handle *rth, const void *buf, int len) return -1; } - for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, status); + for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, (unsigned) status); h = NLMSG_NEXT(h, status)) { if (h->nlmsg_type == NLMSG_ERROR) { struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h); @@ -239,7 +239,7 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth, struct nlmsghdr *h = (struct nlmsghdr*)buf; msglen = status; - while (NLMSG_OK(h, msglen)) { + while (NLMSG_OK(h, (unsigned) msglen)) { int err; if (nladdr.nl_pid != 0 || diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 58ba39b00..59fde72a6 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -161,6 +161,18 @@ The sandbox is placed in g1 control group. .SH User Environment +.TP +env LD_LIBRARY_PATH=/opt/test/lib +Set environment variable. +.br +Examples: +.br + +.br +env LD_LIBRARY_PATH=/opt/test/lib +.br +env CFLAGS="-W -Wall -Werror" + .TP nogroups Disable supplementary user groups diff --git a/src/man/firejail.txt b/src/man/firejail.txt index ffc698edd..2e87fbb8e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
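Review bot: The changed line in usage() (usage.c, hunk at -275) turns `RES values` into `RES valprivate-etcues`, which looks like a stray paste of `private-etc` into the help text and has nothing to do with --env. The string should keep its old wording, `It is a sum of the RES values for all processes running in the\n`, so this hunk should be dropped from the commit.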
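Review bot: The cast in `NLMSG_OK(h, (unsigned) status)` in rtnl_send_check() (libnetlink.c) silences the sign-compare warning but also changes the length test: with the usual linux/netlink.h definition the first comparison inside NLMSG_OK is signed, and that is what ends the loop once `NLMSG_NEXT`, which subtracts the aligned message length, has driven `status` below zero. After the cast a negative remainder is treated as a very large length, so a header beyond the received data would be examined. An explicit signed guard keeps the old behaviour, e.g. `status >= (int) sizeof(*h) && NLMSG_OK(h, (unsigned) status)`; the same applies to `while (NLMSG_OK(h, (unsigned) msglen))` in rtnl_dump_filter_l() in the next hunk. Both loops continue outside their hunks, so any earlier check on the sign of `status` and `msglen` should be confirmed.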
@@ -298,6 +298,16 @@ $ firejail \-\-list .br $ firejail \-\-dns.print=3272 +.TP +\fB\-\-env=name=value +Set environment variable in the new sandbox. +.br + +.br +Example: +.br +$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib + .TP \fB\-?\fR, \fB\-\-help\fR Print options end exit. -- cgit v1.2.3-70-g09d2