authorMichał Górny <mgorny@gentoo.org>2018-02-12 19:14:07 +0100
committerMichał Górny <mgorny@gentoo.org>2018-02-12 20:05:27 +0100
commit1b0f7b0d035a10ba172b659abbe425c8523bdb96 (patch)
treecc0301b69e524365e5eca6ad112b27a214181d04
parentPost-release bump to 2.13 (diff)
Disable environment propagation if sandbox is disabled
Do not enforce restoring sandbox variables in the environment if sandbox is explicitly disabled. This makes it possible to set SANDBOX_ON=0 and then unset LD_PRELOAD without having to resort to ugly hacks to prevent sandbox from restoring itself. The only limitation is that if user sets SANDBOX_ON=0 first, then wipes the environment, he will no longer be able to reenable sandbox via doing SANDBOX_ON=1. However, it is rather unlikely that such a thing would need to happen in real use. Bug: https://bugs.gentoo.org/592750
-rw-r--r--libsandbox/libsandbox.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index c126aa1..9ef13b1 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1142,6 +1142,11 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
char *found_vars[num_vars];
size_t found_var_cnt;
+ /* If sandbox is explicitly disabled, do not propagate the vars
+ * and just return user's envp */
+ if (!sbcontext.on)
+ return envp;
+
/* First figure out how many vars are already in the env */
found_var_cnt = 0;
memset(found_vars, 0, sizeof(found_vars));
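Review bot: The new early return at `if (!sbcontext.on) return envp;` exits without writing `*mod_cnt` and without consulting `insert`, so a caller that reads the count after the call would see whatever was in its variable before. Whether any caller does is not visible here, because the body of sb_check_envp and its call sites lie outside the hunk. Adding `if (mod_cnt) *mod_cnt = 0;` before the return would make this path self-contained. The check also cannot tell "explicitly disabled" from "`sbcontext.on` not yet initialised", so it is worth confirming that the flag is always set before the first exec wrapper can reach this function. Finally, the comment could record the trade-off from the commit message, e.g. `/* Children exec'd from here do not get LD_PRELOAD/SANDBOX_* restored and run unsandboxed; if the env is wiped afterwards, SANDBOX_ON=1 cannot re-enable it. */`, so later readers see that dropping enforcement on this path is deliberate.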