From 90c8cd49f7540cff4b29deb3b78903b855faa07d Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Thu, 17 Jun 2021 11:04:29 +0100
Subject: [PATCH 1/2] test-run: Test --setenv, --unsetenv

Signed-off-by: Simon McVittie
---
 tests/test-run.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 1cc048b..5ba65f7 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -80,7 +80,7 @@ if [ -z "${BWRAP_MUST_WORK-}" ] && ! $RUN true; then
 skip Seems like bwrap is not working at all. Maybe setuid is not working
 fi
-echo "1..55"
+echo "1..56"
 # Test help
 ${BWRAP} --help > help.txt
@@ -531,4 +531,13 @@ $RUN \
 assert_file_has_content file-permissions '^640$'
 echo "ok - files have expected permissions"
+FOO= BAR=baz $RUN --setenv FOO bar sh -c 'echo "$FOO$BAR"' > stdout
+assert_file_has_content stdout barbaz
+FOO=wrong BAR=baz $RUN --setenv FOO bar sh -c 'echo "$FOO$BAR"' > stdout
+assert_file_has_content stdout barbaz
+FOO=wrong BAR=baz $RUN --unsetenv FOO sh -c 'printf "%s%s" "$FOO" "$BAR"' > stdout
+printf baz > reference
+assert_files_equal stdout reference
+echo "ok - environment manipulation"
+
 echo "ok - End of test"
From 8f72ceb2c42a2d93c858b8775a88f13b891c8120 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Tue, 12 Jan 2021 10:45:14 +0000
Subject: [PATCH 2/2] Add --clearenv option

This allows environment variables to be set when running bwrap itself (perhaps a custom LD_LIBRARY_PATH), but cleared for the command that runs in the container, without having to enumerate all the variables. Because PWD is set later, as a side-effect of changing directory, this actually clears everything except PWD. A portable program would check for clearenv() (and if not found, fall back to using environ = NULL), but bubblewrap is Linux-specific, and Linux C libraries (at least glibc and musl) do have clearenv().
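Review bot: The `--unsetenv` case added in the second hunk cannot tell an unset FOO from one set to the empty string, because `"$FOO"` expands to nothing in both cases and the reference file holds only `baz`. Expanding with a default makes the difference visible: `FOO=wrong BAR=baz $RUN --unsetenv FOO sh -c 'printf "%s%s" "${FOO-unset}" "$BAR"' > stdout` together with `printf unsetbaz > reference`. The script already uses the same `${VAR-}` form for BWRAP_MUST_WORK in the first hunk's header line.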
Signed-off-by: Simon McVittie
---
 bubblewrap.c | 5 +++++
 tests/test-run.sh | 3 +++
 utils.c | 7 +++++++
 utils.h | 1 +
 4 files changed, 16 insertions(+)
diff --git a/bubblewrap.c b/bubblewrap.c
index 6b91f22..b5b86ee 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -244,6 +244,7 @@ usage (int ecode, FILE *out)
 " --gid GID Custom gid in the sandbox (requires --unshare-user or --userns)\n"
 " --hostname NAME Custom hostname in the sandbox (requires --unshare-uts)\n"
 " --chdir DIR Change directory to DIR\n"
+ " --clearenv Unset all environment variables\n"
 " --setenv VAR VALUE Set an environment variable\n"
 " --unsetenv VAR Unset an environment variable\n"
 " --lock-file DEST Take a lock on DEST while sandbox is running\n"
@@ -2084,6 +2085,10 @@ parse_args_recurse (int *argcp,
 argv += 1;
 argc -= 1;
 }
+ else if (strcmp (arg, "--clearenv") == 0)
+ {
+ xclearenv ();
+ }
 else if (strcmp (arg, "--setenv") == 0)
 {
 if (argc < 3)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 5ba65f7..426eeca 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -538,6 +538,9 @@ assert_file_has_content stdout barbaz
 FOO=wrong BAR=baz $RUN --unsetenv FOO sh -c 'printf "%s%s" "$FOO" "$BAR"' > stdout
 printf baz > reference
 assert_files_equal stdout reference
+FOO=wrong BAR=wrong $RUN --clearenv /usr/bin/env > stdout
+echo "PWD=$(pwd -P)" > reference
+assert_files_equal stdout reference
 echo "ok - environment manipulation"
 echo "ok - End of test"
diff --git a/utils.c b/utils.c
index ea15158..2c06afe 100644
--- a/utils.c
+++ b/utils.c
@@ -230,6 +230,13 @@ has_prefix (const char *str,
 return strncmp (str, prefix, strlen (prefix)) == 0;
 }
+void
+xclearenv (void)
+{
+ if (clearenv () != 0)
+ die_with_error ("clearenv failed");
+}
+
 void
 xsetenv (const char *name, const char *value, int overwrite)
 {
diff --git a/utils.h b/utils.h
index 8c4db61..b107171 100644
--- a/utils.h
+++ b/utils.h
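Review bot: Neither the usage line `--clearenv Unset all environment variables` nor the new branch in parse_args_recurse says that the option takes effect where it is parsed, so `--setenv FOO bar --clearenv` would drop FOO again; a caller who relies on it to keep host variables such as the LD_LIBRARY_PATH named in the description away from the sandboxed command has to place it before any --setenv. I would state this in the help text, for example `Unset all environment variables (except PWD); clears earlier --setenv`, and above the branch with `/* Order-sensitive: also discards variables set by earlier --setenv */`. The tests/test-run.sh hunk of this patch runs --clearenv only on its own, so a case combining it with --setenv in both orders would pin the behaviour. parse_args_recurse starts and ends outside the hunk, so the in-order processing is inferred from the visible branches.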
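Review bot: xclearenv() in the utils.c hunk reports failure through die_with_error(), which by its name presumably appends the errno text, but clearenv(3) is documented only to return nonzero on failure, not to set errno, so the message could end with an unrelated error string. If a plain `die ()` helper is available in this file, `die ("clearenv failed");` would avoid that. A one-line comment above the function, such as `/* Remove every variable from the process environment; exits on failure */`, would also document the new helper.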
@@ -62,6 +62,7 @@ void *xrealloc (void *ptr, size_t size);
 char *xstrdup (const char *str);
 void strfreev (char **str_array);
+void xclearenv (void);
 void xsetenv (const char *name, const char *value, int overwrite);