cmdline: add ability to passthrough current envvars
This commit is contained in:
parent
25004a5545
commit
c7dd18c612
17
cmdline.cc
17
cmdline.cc
@ -93,7 +93,7 @@ struct custom_option custom_opts[] = {
|
||||
{ { "quiet", no_argument, NULL, 'q' }, "Log warning and more important messages only" },
|
||||
{ { "really_quiet", no_argument, NULL, 'Q' }, "Log fatal messages only" },
|
||||
{ { "keep_env", no_argument, NULL, 'e' }, "Pass all environment variables to the child process (default: all envvars are cleared)" },
|
||||
{ { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times)" },
|
||||
{ { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used" },
|
||||
{ { "keep_caps", no_argument, NULL, 0x0501 }, "Don't drop any capabilities" },
|
||||
{ { "cap", required_argument, NULL, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" },
|
||||
{ { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
|
||||
@ -187,6 +187,19 @@ static void cmdlineUsage(const char* pname) {
|
||||
LOG_HELP_BOLD(" nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\"");
|
||||
}
|
||||
|
||||
void addEnv(nsjconf_t* nsjconf, const std::string& env) {
|
||||
if (env.find('=') != std::string::npos) {
|
||||
nsjconf->envs.push_back(env);
|
||||
return;
|
||||
}
|
||||
char* e = getenv(env.c_str());
|
||||
if (!e) {
|
||||
nsjconf->envs.push_back(env);
|
||||
return;
|
||||
}
|
||||
nsjconf->envs.push_back(std::string(env).append("=").append(e));
|
||||
}
|
||||
|
||||
void logParams(nsjconf_t* nsjconf) {
|
||||
switch (nsjconf->mode) {
|
||||
case MODE_LISTEN_TCP:
|
||||
@ -606,7 +619,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||
nsjconf->use_execveat = true;
|
||||
break;
|
||||
case 'E':
|
||||
nsjconf->envs.push_back(optarg);
|
||||
addEnv(nsjconf.get(), optarg);
|
||||
break;
|
||||
case 'u': {
|
||||
std::vector<std::string> subopts = util::strSplit(optarg, ':');
|
||||
|
@ -25,6 +25,7 @@
|
||||
#include <stdint.h>
|
||||
|
||||
#include <memory>
|
||||
#include <string>
|
||||
|
||||
#include "nsjail.h"
|
||||
|
||||
@ -32,6 +33,7 @@ namespace cmdline {
|
||||
|
||||
uint64_t parseRLimit(int res, const char* optarg, unsigned long mul);
|
||||
void logParams(nsjconf_t* nsjconf);
|
||||
void addEnv(nsjconf_t* nsjconf, const std::string& env);
|
||||
std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]);
|
||||
|
||||
} // namespace cmdline
|
||||
|
@ -125,7 +125,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
|
||||
|
||||
nsjconf->keep_env = njc.keep_env();
|
||||
for (ssize_t i = 0; i < njc.envar_size(); i++) {
|
||||
nsjconf->envs.push_back(njc.envar(i));
|
||||
cmdline::addEnv(nsjconf, njc.envar(i));
|
||||
}
|
||||
|
||||
nsjconf->keep_caps = njc.keep_caps();
|
||||
|
@ -115,7 +115,8 @@ message NsJailConfig {
|
||||
/* Should the current environment variables be kept
|
||||
when executing the binary */
|
||||
optional bool keep_env = 19 [default = false];
|
||||
/* EnvVars to be set before executing binaries */
|
||||
/* EnvVars to be set before executing binaries. If the envvar doesn't contain '='
|
||||
(e.g. just the 'DISPLAY' string), the current envvar value will be used */
|
||||
repeated string envar = 20;
|
||||
|
||||
/* Should capabilities be preserved or dropped */
|
||||
|
@ -28,7 +28,7 @@ cwd: "/user"
|
||||
time_limit: 0
|
||||
|
||||
envar: "HOME=/user"
|
||||
envar: "DISPLAY=:0"
|
||||
envar: "DISPLAY"
|
||||
envar: "TMP=/tmp"
|
||||
|
||||
rlimit_as: 4096
|
||||
|
@ -28,7 +28,7 @@ cwd: "/user"
|
||||
time_limit: 0
|
||||
|
||||
envar: "HOME=/user"
|
||||
envar: "DISPLAY=:0"
|
||||
envar: "DISPLAY"
|
||||
envar: "TMP=/tmp"
|
||||
|
||||
rlimit_as: 4096
|
||||
|
@ -22,7 +22,7 @@ time_limit: 0
|
||||
clone_newnet: false
|
||||
|
||||
envar: "HOME=/user"
|
||||
envar: "DISPLAY=:0"
|
||||
envar: "DISPLAY"
|
||||
envar: "TMP=/tmp"
|
||||
|
||||
rlimit_as: 4096
|
||||
|
@ -14,7 +14,7 @@ cwd: "/user"
|
||||
|
||||
time_limit: 1000
|
||||
|
||||
envar: "DISPLAY=:0"
|
||||
envar: "DISPLAY"
|
||||
envar: "HOME=/user"
|
||||
envar: "TMP=/tmp"
|
||||
|
||||
|
@ -16,11 +16,11 @@ cwd: "/user"
|
||||
time_limit: 0
|
||||
|
||||
envar: "HOME=/user"
|
||||
envar: "DISPLAY=:0"
|
||||
envar: "DISPLAY"
|
||||
envar: "TMP=/tmp"
|
||||
envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf"
|
||||
envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf"
|
||||
envar: "LANG=en_US.UTF-8"
|
||||
envar: "LANG"
|
||||
|
||||
rlimit_as: 4096
|
||||
rlimit_cpu_type: INF
|
||||
|
2
nsjail.1
2
nsjail.1
@ -92,7 +92,7 @@ Log fatal messages only
|
||||
Pass all environment variables be passed process (default: all envvars are cleared)
|
||||
.TP
|
||||
\fB\-\-env\fR|\fB\-E\fR VALUE
|
||||
Additional environment variable (can be used multiple times)
|
||||
Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used
|
||||
.TP
|
||||
\fB\-\-keep_caps\fR
|
||||
Don't drop any capabilities
|
||||
|
Loading…
Reference in New Issue
Block a user