cmdline: add ability to passthrough current envvars

robertswiecki · robertswiecki · commit c7dd18c6129c · 2018-10-28T17:15:55.000+01:00
diff --git a/cmdline.cc b/cmdline.cc
@@ -93,7 +93,7 @@ struct custom_option custom_opts[] = {
     { { "quiet", no_argument, NULL, 'q' }, "Log warning and more important messages only" },
     { { "really_quiet", no_argument, NULL, 'Q' }, "Log fatal messages only" },
     { { "keep_env", no_argument, NULL, 'e' }, "Pass all environment variables to the child process (default: all envvars are cleared)" },
-    { { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times)" },
+    { { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used" },
     { { "keep_caps", no_argument, NULL, 0x0501 }, "Don't drop any capabilities" },
     { { "cap", required_argument, NULL, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" },
     { { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
@@ -187,6 +187,19 @@ static void cmdlineUsage(const char* pname) {
 	LOG_HELP_BOLD("  nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\"");
 }
 
+void addEnv(nsjconf_t* nsjconf, const std::string& env) {
+	if (env.find('=') != std::string::npos) {
+		nsjconf->envs.push_back(env);
+		return;
+	}
+	char* e = getenv(env.c_str());
+	if (!e) {
+		nsjconf->envs.push_back(env);
+		return;
+	}
+	nsjconf->envs.push_back(std::string(env).append("=").append(e));
+}
+
 void logParams(nsjconf_t* nsjconf) {
 	switch (nsjconf->mode) {
 	case MODE_LISTEN_TCP:
@@ -606,7 +619,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 			nsjconf->use_execveat = true;
 			break;
 		case 'E':
-			nsjconf->envs.push_back(optarg);
+			addEnv(nsjconf.get(), optarg);
 			break;
 		case 'u': {
 			std::vector<std::string> subopts = util::strSplit(optarg, ':');
diff --git a/cmdline.h b/cmdline.h
@@ -25,13 +25,15 @@
 #include <stdint.h>
 
 #include <memory>
+#include <string>
 
 #include "nsjail.h"
 
 namespace cmdline {
 
 uint64_t parseRLimit(int res, const char* optarg, unsigned long mul);
 void logParams(nsjconf_t* nsjconf);
+void addEnv(nsjconf_t* nsjconf, const std::string& env);
 std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]);
 
 }  // namespace cmdline
diff --git a/config.cc b/config.cc
@@ -125,7 +125,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
 
 	nsjconf->keep_env = njc.keep_env();
 	for (ssize_t i = 0; i < njc.envar_size(); i++) {
-		nsjconf->envs.push_back(njc.envar(i));
+		cmdline::addEnv(nsjconf, njc.envar(i));
 	}
 
 	nsjconf->keep_caps = njc.keep_caps();
diff --git a/config.proto b/config.proto
@@ -115,7 +115,8 @@ message NsJailConfig {
     /* Should the current environment variables be kept
        when executing the binary */
     optional bool keep_env = 19 [default = false];
-    /* EnvVars to be set before executing binaries */
+    /* EnvVars to be set before executing binaries. If the envvar doesn't contain '='
+       (e.g. just the 'DISPLAY' string), the current envvar value will be used */
     repeated string envar = 20;
 
     /* Should capabilities be preserved or dropped */
diff --git a/configs/demo-dont-use-chrome-with-net.cfg b/configs/demo-dont-use-chrome-with-net.cfg
@@ -28,7 +28,7 @@ cwd: "/user"
 time_limit: 0
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 
 rlimit_as: 4096
diff --git a/configs/firefox-with-cloned-net.cfg b/configs/firefox-with-cloned-net.cfg
@@ -28,7 +28,7 @@ cwd: "/user"
 time_limit: 0
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 
 rlimit_as: 4096
diff --git a/configs/firefox-with-net.cfg b/configs/firefox-with-net.cfg
@@ -22,7 +22,7 @@ time_limit: 0
 clone_newnet: false
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 
 rlimit_as: 4096
diff --git a/configs/home-documents-with-xorg-no-net.cfg b/configs/home-documents-with-xorg-no-net.cfg
@@ -14,7 +14,7 @@ cwd: "/user"
 
 time_limit: 1000
 
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "HOME=/user"
 envar: "TMP=/tmp"
 
diff --git a/configs/xchat-with-net.cfg b/configs/xchat-with-net.cfg
@@ -16,11 +16,11 @@ cwd: "/user"
 time_limit: 0
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf"
 envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf"
-envar: "LANG=en_US.UTF-8"
+envar: "LANG"
 
 rlimit_as: 4096
 rlimit_cpu_type: INF
diff --git a/nsjail.1 b/nsjail.1
@@ -92,7 +92,7 @@ Log fatal messages only
 Pass all environment variables be passed process (default: all envvars are cleared)
 .TP
 \fB\-\-env\fR|\fB\-E\fR VALUE
-Additional environment variable (can be used multiple times)
+Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used
 .TP
 \fB\-\-keep_caps\fR
 Don't drop any capabilities

Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&`
`125`	`125`
`126`	`126`	`nsjconf->keep_env = njc.keep_env();`
`127`	`127`	`for (ssize_t i = 0; i < njc.envar_size(); i++) {`
`128`		`- nsjconf->envs.push_back(njc.envar(i));`
	`128`	`+ cmdline::addEnv(nsjconf, njc.envar(i));`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`nsjconf->keep_caps = njc.keep_caps();`