commit: 1b0f7b0d035a10ba172b659abbe425c8523bdb96 Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Mon Feb 12 18:14:07 2018 +0000 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> CommitDate: Mon Feb 12 19:05:27 2018 +0000 URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=1b0f7b0d
Disable environment propagation if sandbox is disabled Do not enforce restoring sandbox variables in the environment if sandbox is explicitly disabled. This makes it possible to set SANDBOX_ON=0 and then unset LD_PRELOAD without having to resort to ugly hacks to prevent sandbox from restoring itself. The only limitation is that if user sets SANDBOX_ON=0 first, then wipes the environment, he will no longer be able to reenable sandbox via doing SANDBOX_ON=1. However, it is rather unlikely that such a thing would need to happen in real use. Bug: https://bugs.gentoo.org/592750 libsandbox/libsandbox.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index c126aa1..9ef13b1 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -1142,6 +1142,11 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert) char *found_vars[num_vars]; size_t found_var_cnt; + /* If sandbox is explicitly disabled, do not propagate the vars + * and just return user's envp */ + if (!sbcontext.on) + return envp; + /* First figure out how many vars are already in the env */ found_var_cnt = 0; memset(found_vars, 0, sizeof(found_vars));
