author: Michał Górny <mgorny@gentoo.org> 2018-02-12 19:14:07 +0100
committer: Michał Górny <mgorny@gentoo.org> 2018-02-12 20:05:27 +0100
commit: 1b0f7b0d035a10ba172b659abbe425c8523bdb96
parent: Post-release bump to 2.13
Disable environment propagation if sandbox is disabled

Do not enforce restoring sandbox variables in the environment if sandbox is explicitly disabled. This makes it possible to set SANDBOX_ON=0 and then unset LD_PRELOAD without having to resort to ugly hacks to prevent sandbox from restoring itself.

The only limitation is that if user sets SANDBOX_ON=0 first, then wipes the environment, he will no longer be able to reenable sandbox via doing SANDBOX_ON=1. However, it is rather unlikely that such a thing would need to happen in real use.

Bug: https://bugs.gentoo.org/592750

1 files changed, 5 insertions, 0 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index c126aa1..9ef13b1 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1142,6 +1142,11 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
char *found_vars[num_vars];
size_t found_var_cnt;
+ /* If sandbox is explicitly disabled, do not propagate the vars
+ * and just return user's envp */
+ if (!sbcontext.on)
+ return envp;
/* First figure out how many vars are already in the env */
found_var_cnt = 0;
memset(found_vars, 0, sizeof(found_vars));
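
Review bot: The new early return in sb_check_envp() (`if (!sbcontext.on)` / `return envp;`) leaves the `mod_cnt` out-parameter unwritten on this path, at least as far as the lines shown in this hunk go. If nothing earlier in the function stores to `*mod_cnt`, a caller that passes an uninitialized counter and later uses it to decide how much of the returned array to clean up would act on an indeterminate value, even though the pointer it got back is its own envp. Suggest adding `*mod_cnt = 0;` before the return so the "nothing was modified" case is explicit. The comment could also record the limitation stated in the commit message: once SANDBOX_ON=0 is set and the environment is wiped, the sandbox variables are no longer restored, so the sandbox cannot be re-enabled with SANDBOX_ON=1.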