From c7dd18c6129cd0b3940a62d5a0ec77ecabbf46fd Mon Sep 17 00:00:00 2001 From: Robert Swiecki Date: Sun, 28 Oct 2018 17:15:55 +0100 Subject: [PATCH] cmdline: add ability to passthrough current envvars --- cmdline.cc | 17 +++++++++++++++-- cmdline.h | 2 ++ config.cc | 2 +- config.proto | 3 ++- configs/demo-dont-use-chrome-with-net.cfg | 2 +- configs/firefox-with-cloned-net.cfg | 2 +- configs/firefox-with-net.cfg | 2 +- configs/home-documents-with-xorg-no-net.cfg | 2 +- configs/xchat-with-net.cfg | 4 ++-- nsjail.1 | 2 +- 10 files changed, 27 insertions(+), 11 deletions(-) diff --git a/cmdline.cc b/cmdline.cc index 3dbd99d..0da4c2e 100644 --- a/cmdline.cc +++ b/cmdline.cc @@ -93,7 +93,7 @@ struct custom_option custom_opts[] = { { { "quiet", no_argument, NULL, 'q' }, "Log warning and more important messages only" }, { { "really_quiet", no_argument, NULL, 'Q' }, "Log fatal messages only" }, { { "keep_env", no_argument, NULL, 'e' }, "Pass all environment variables to the child process (default: all envvars are cleared)" }, - { { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times)" }, + { { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used" }, { { "keep_caps", no_argument, NULL, 0x0501 }, "Don't drop any capabilities" }, { { "cap", required_argument, NULL, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" }, { { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" }, @@ -187,6 +187,19 @@ static void cmdlineUsage(const char* pname) { LOG_HELP_BOLD(" nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\""); } +void addEnv(nsjconf_t* nsjconf, const std::string& env) { + if (env.find('=') != std::string::npos) { + nsjconf->envs.push_back(env); + return; + } + char* e = getenv(env.c_str()); + if (!e) { + nsjconf->envs.push_back(env); + return; + } + nsjconf->envs.push_back(std::string(env).append("=").append(e)); +} + void logParams(nsjconf_t* nsjconf) { switch (nsjconf->mode) { case MODE_LISTEN_TCP: @@ -606,7 +619,7 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { nsjconf->use_execveat = true; break; case 'E': - nsjconf->envs.push_back(optarg); + addEnv(nsjconf.get(), optarg); break; case 'u': { std::vector subopts = util::strSplit(optarg, ':'); diff --git a/cmdline.h b/cmdline.h index 9ab5822..f452fe0 100644 --- a/cmdline.h +++ b/cmdline.h @@ -25,6 +25,7 @@ #include #include +#include #include "nsjail.h" @@ -32,6 +33,7 @@ namespace cmdline { uint64_t parseRLimit(int res, const char* optarg, unsigned long mul); void logParams(nsjconf_t* nsjconf); +void addEnv(nsjconf_t* nsjconf, const std::string& env); std::unique_ptr parseArgs(int argc, char* argv[]); } // namespace cmdline diff --git a/config.cc b/config.cc index 0e28b4b..adabf0e 100644 --- a/config.cc +++ b/config.cc @@ -125,7 +125,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig& nsjconf->keep_env = njc.keep_env(); for (ssize_t i = 0; i < njc.envar_size(); i++) { - nsjconf->envs.push_back(njc.envar(i)); + cmdline::addEnv(nsjconf, njc.envar(i)); } nsjconf->keep_caps = njc.keep_caps(); diff --git a/config.proto b/config.proto index 2f3695b..144ac00 100644 --- a/config.proto +++ b/config.proto @@ -115,7 +115,8 @@ message NsJailConfig { /* Should the current environment variables be kept when executing the binary */ optional bool keep_env = 19 [default = false]; - /* EnvVars to be set before executing binaries */ + /* EnvVars to be set before executing binaries. If the envvar doesn't contain '=' + (e.g. just the 'DISPLAY' string), the current envvar value will be used */ repeated string envar = 20; /* Should capabilities be preserved or dropped */ diff --git a/configs/demo-dont-use-chrome-with-net.cfg b/configs/demo-dont-use-chrome-with-net.cfg index f7aeb1a..690657e 100644 --- a/configs/demo-dont-use-chrome-with-net.cfg +++ b/configs/demo-dont-use-chrome-with-net.cfg @@ -28,7 +28,7 @@ cwd: "/user" time_limit: 0 envar: "HOME=/user" -envar: "DISPLAY=:0" +envar: "DISPLAY" envar: "TMP=/tmp" rlimit_as: 4096 diff --git a/configs/firefox-with-cloned-net.cfg b/configs/firefox-with-cloned-net.cfg index e7cb5bf..eb541e3 100644 --- a/configs/firefox-with-cloned-net.cfg +++ b/configs/firefox-with-cloned-net.cfg @@ -28,7 +28,7 @@ cwd: "/user" time_limit: 0 envar: "HOME=/user" -envar: "DISPLAY=:0" +envar: "DISPLAY" envar: "TMP=/tmp" rlimit_as: 4096 diff --git a/configs/firefox-with-net.cfg b/configs/firefox-with-net.cfg index 75149b4..190f7c2 100644 --- a/configs/firefox-with-net.cfg +++ b/configs/firefox-with-net.cfg @@ -22,7 +22,7 @@ time_limit: 0 clone_newnet: false envar: "HOME=/user" -envar: "DISPLAY=:0" +envar: "DISPLAY" envar: "TMP=/tmp" rlimit_as: 4096 diff --git a/configs/home-documents-with-xorg-no-net.cfg b/configs/home-documents-with-xorg-no-net.cfg index afd7168..cc2514f 100644 --- a/configs/home-documents-with-xorg-no-net.cfg +++ b/configs/home-documents-with-xorg-no-net.cfg @@ -14,7 +14,7 @@ cwd: "/user" time_limit: 1000 -envar: "DISPLAY=:0" +envar: "DISPLAY" envar: "HOME=/user" envar: "TMP=/tmp" diff --git a/configs/xchat-with-net.cfg b/configs/xchat-with-net.cfg index 4bf5c1a..e8d2759 100644 --- a/configs/xchat-with-net.cfg +++ b/configs/xchat-with-net.cfg @@ -16,11 +16,11 @@ cwd: "/user" time_limit: 0 envar: "HOME=/user" -envar: "DISPLAY=:0" +envar: "DISPLAY" envar: "TMP=/tmp" envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf" envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf" -envar: "LANG=en_US.UTF-8" +envar: "LANG" rlimit_as: 4096 rlimit_cpu_type: INF diff --git a/nsjail.1 b/nsjail.1 index 292be2a..c1c32aa 100644 --- a/nsjail.1 +++ b/nsjail.1 @@ -92,7 +92,7 @@ Log fatal messages only Pass all environment variables be passed process (default: all envvars are cleared) .TP \fB\-\-env\fR|\fB\-E\fR VALUE -Additional environment variable (can be used multiple times) +Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used .TP \fB\-\-keep_caps\fR Don't drop any capabilities