Filter environment variables #3322
Conversation
The commit eliminates the difference between start_application(0, fp) and start_application(1, fp) as now variables are applied unconditionally (because some of them don't exist anymore after clearenv()). To be honest, I'm not sure if there is now a change in behavior in some cases.

Actually I'm pretty sure that all variables changed with setenv() in main Firejail process may be overwritten with the original values. So those setenv()s have to be changed to env_store()s.
src/firejail/env.c (outdated)
"LC_MESSAGES", | ||
"PATH", | ||
"SHELL", | ||
"TMP", |
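Review bot: SHELL and TMP in this whitelist are not variables the C library reads, so they do not fit the stated purpose of the list (variables needed by libc and the other external libraries the main process links against); each entry that survives clearenv() here is inherited by every child the main process spawns, so either name the consumer that needs SHELL and TMP or drop them, as was later done for the list that keeps only the LANG/LANGUAGE/LC_MESSAGES family plus PATH.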
Why is TMP whitelisted?
We used TMP to fix #2685
A while back I had what I think is the same problem with sanitizing the umask. So if you like you can look out for

(force-pushed 8820019 to d30d3d5)
In this version, the variables which Firejail uses internally are also moved to env storage for consistency. Thus the whitelist only applies to variables used by external libraries (libc/pthreads, libapparmor) and then it can be much shorter: only LANG, LANGUAGE, LC_MESSAGES. Perhaps the sandboxed helper apps (fseccomp & friends) should also be run with a short list of variables: LANG etc. and internal variables starting with FIREJAIL_, otherwise they might need similar sanitizing (or perhaps they also need some sanitizing in any case to be sure). Only the final user app should get all variables restored.

(force-pushed 86b4331 to 4bb57a1)
Latest build failure happens because tests expect that using

(force-pushed 4bb57a1 to 21711c8)
@topimiettinen ping? Any progress here? ;) We're all struggling (from env length checks) without your work ;)

(force-pushed 21711c8 to d791942)
Sorry, I actually made a version which lets FIREJAIL_TEST_ARGUMENTS pass, but forgot to follow up. Thanks for the reminder. Let's see what the CIs think of the rebased version. |
Save all environment variables for later use in the application, clear environment and re-apply only whitelisted variables for the main firejail process. The whitelisted environment is only used by C library. Sandboxed tools will get further variables used internally (FIREJAIL_*). All variables will be reapplied for the firejailed application. This also lifts the length restriction for environment variables, except for the variables used by Firejail itself or the sandboxed tools.
(force-pushed d791942 to 1c7ea15)
Adding also PATH let the CI pass!

@netblue30 ping? :D

all merged!
Save all environment variables for later use in sandboxes, clear
environment and re-apply only whitelisted variables for the main
firejail process. All variables will be reapplied for the sandboxes by
env_apply().
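The three-stage scheme described in the PR description and the final commit message (snapshot the environment, clearenv(), re-apply only a libc-facing whitelist for the main process, whitelist plus FIREJAIL_* for the sandboxed helper tools, and everything for the final application) can be shown as a small stand-alone program. This is an added example, not Firejail's env.c: the functions env_store, env_apply_whitelist, env_apply_tools and env_apply, the MAX_VARS bound and the sample variable names are assumptions chosen for the demonstration, and the sample environment is constructed inline.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* clearenv() is a GNU/musl extension */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Hypothetical storage for the saved environment (not Firejail's env.c). */
#define MAX_VARS 4096
static char *saved[MAX_VARS];
static size_t nsaved;

static void env_free_saved(void) {
    for (size_t i = 0; i < nsaved; i++)
        free(saved[i]);
    nsaved = 0;
}

/* Snapshot every "NAME=value" entry of the live environment before it is
 * wiped.  Returns the number of entries stored. */
size_t env_store(void) {
    env_free_saved();
    for (size_t i = 0; environ && environ[i] && i < MAX_VARS; i++) {
        char *copy = strdup(environ[i]);
        if (!copy)
            break;
        saved[i] = copy;
        nsaved = i + 1;
    }
    return nsaved;
}

/* Does the entry's NAME match a whitelisted name exactly, or the prefix? */
static int env_allowed(const char *entry, const char **whitelist, size_t n,
                       const char *prefix) {
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    if (prefix) {
        size_t plen = strlen(prefix);
        if (namelen >= plen && strncmp(entry, prefix, plen) == 0)
            return 1;
    }
    for (size_t i = 0; i < n; i++)
        if (strlen(whitelist[i]) == namelen &&
            strncmp(entry, whitelist[i], namelen) == 0)
            return 1;
    return 0;
}

/* Wipe the live environment, then re-apply the saved entries that pass the
 * filter (all == 1 re-applies everything).  Returns entries applied. */
static size_t env_reapply(const char **whitelist, size_t n,
                          const char *prefix, int all) {
    clearenv();
    size_t applied = 0;
    for (size_t i = 0; i < nsaved; i++) {
        if (!all && !env_allowed(saved[i], whitelist, n, prefix))
            continue;
        char *copy = strdup(saved[i]);
        if (!copy)
            continue;
        char *eq = strchr(copy, '=');
        if (eq) {                       /* an entry without '=' is malformed: drop it */
            *eq = '\0';
            if (setenv(copy, eq + 1, 1) == 0)
                applied++;
        }
        free(copy);
    }
    return applied;
}

/* Stage 1: the main firejail process keeps only libc-facing variables. */
size_t env_apply_whitelist(const char **whitelist, size_t n) {
    return env_reapply(whitelist, n, NULL, 0);
}

/* Stage 2: sandboxed helper tools additionally get the FIREJAIL_* internals. */
size_t env_apply_tools(const char **whitelist, size_t n) {
    return env_reapply(whitelist, n, "FIREJAIL_", 0);
}

/* Stage 3: the firejailed application gets the full original environment. */
size_t env_apply(void) {
    return env_reapply(NULL, 0, NULL, 1);
}

int main(void) {
    /* Constructed sample environment, not captured from a real system. */
    setenv("LANG", "C.UTF-8", 1);
    setenv("FIREJAIL_TEST_ARGUMENTS", "1", 1);
    setenv("TMP", "/tmp", 1);
    setenv("MY_SECRET_TOKEN", "constructed-value", 1);
    const char *wl[] = { "LANG", "LANGUAGE", "LC_MESSAGES", "PATH" };

    env_store();
    env_apply_whitelist(wl, 4);
    printf("main:  LANG=%s TMP=%s\n", getenv("LANG"),
           getenv("TMP") ? getenv("TMP") : "(unset)");
    env_apply_tools(wl, 4);
    printf("tools: FIREJAIL_TEST_ARGUMENTS=%s\n", getenv("FIREJAIL_TEST_ARGUMENTS"));
    env_apply();
    printf("app:   MY_SECRET_TOKEN=%s\n", getenv("MY_SECRET_TOKEN"));
    return 0;
}
```

The filter matches whole variable names, so a name that merely starts with a whitelisted one (say LANGFOO) is not let through, and the prefix rule is only consulted for the helper-tool stage; the length restriction on untrusted variables disappears because they are stored verbatim and never handed to the main process or the tools, only re-applied for the final application.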