cmdline: add ability to passthrough current envvars

diff --git a/cmdline.cc b/cmdline.cc
index 3dbd99d80c775a9a4b75f763763144529ad691fb..0da4c2e53d0264c402b926bd7e85236e07ab6db5 100644 (file)
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -93,7 +93,7 @@ struct custom_option custom_opts[] = {
     { { "quiet", no_argument, NULL, 'q' }, "Log warning and more important messages only" },
     { { "really_quiet", no_argument, NULL, 'Q' }, "Log fatal messages only" },
     { { "keep_env", no_argument, NULL, 'e' }, "Pass all environment variables to the child process (default: all envvars are cleared)" },
-    { { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times)" },
+    { { "env", required_argument, NULL, 'E' }, "Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used" },
     { { "keep_caps", no_argument, NULL, 0x0501 }, "Don't drop any capabilities" },
     { { "cap", required_argument, NULL, 0x0509 }, "Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)" },
     { { "silent", no_argument, NULL, 0x0502 }, "Redirect child process' fd:0/1/2 to /dev/null" },
@@ -187,6 +187,19 @@ static void cmdlineUsage(const char* pname) {
        LOG_HELP_BOLD("  nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\"");
 }
 
+void addEnv(nsjconf_t* nsjconf, const std::string& env) {
+       if (env.find('=') != std::string::npos) {
+               nsjconf->envs.push_back(env);
+               return;
+       }
+       char* e = getenv(env.c_str());
+       if (!e) {
+               nsjconf->envs.push_back(env);
+               return;
+       }
+       nsjconf->envs.push_back(std::string(env).append("=").append(e));
+}
+
 void logParams(nsjconf_t* nsjconf) {
        switch (nsjconf->mode) {
        case MODE_LISTEN_TCP:
@@ -606,7 +619,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
                        nsjconf->use_execveat = true;
                        break;
                case 'E':
-                       nsjconf->envs.push_back(optarg);
+                       addEnv(nsjconf.get(), optarg);
                        break;
                case 'u': {
                        std::vector<std::string> subopts = util::strSplit(optarg, ':');

diff --git a/cmdline.h b/cmdline.h
index 9ab5822b505024737a75ffb2c6cc34b39bea0a0f..f452fe02284f0111c736af33d0d74e0a37582861 100644 (file)
--- a/cmdline.h
+++ b/cmdline.h
@@ -25,6 +25,7 @@
 #include <stdint.h>
 
 #include <memory>
+#include <string>
 
 #include "nsjail.h"
 
@@ -32,6 +33,7 @@ namespace cmdline {
 
 uint64_t parseRLimit(int res, const char* optarg, unsigned long mul);
 void logParams(nsjconf_t* nsjconf);
+void addEnv(nsjconf_t* nsjconf, const std::string& env);
 std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]);
 
 }  // namespace cmdline

diff --git a/config.cc b/config.cc
index 0e28b4bbe28adee44845fc9086263436ac5ff7f3..adabf0e83ac54ad969d0e4b533732cc743593dc1 100644 (file)
--- a/config.cc
+++ b/config.cc
@@ -125,7 +125,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
 
        nsjconf->keep_env = njc.keep_env();
        for (ssize_t i = 0; i < njc.envar_size(); i++) {
-               nsjconf->envs.push_back(njc.envar(i));
+               cmdline::addEnv(nsjconf, njc.envar(i));
        }
 
        nsjconf->keep_caps = njc.keep_caps();

diff --git a/config.proto b/config.proto
index 2f3695bef0e9744657dc4dbba84ba6fd4e8af0c6..144ac00f33daf307d64024dba3cf4b1460fa4929 100644 (file)
--- a/config.proto
+++ b/config.proto
@@ -115,7 +115,8 @@ message NsJailConfig {
     /* Should the current environment variables be kept
        when executing the binary */
     optional bool keep_env = 19 [default = false];
-    /* EnvVars to be set before executing binaries */
+    /* EnvVars to be set before executing binaries. If the envvar doesn't contain '='
+       (e.g. just the 'DISPLAY' string), the current envvar value will be used */
     repeated string envar = 20;
 
     /* Should capabilities be preserved or dropped */

diff --git a/configs/demo-dont-use-chrome-with-net.cfg b/configs/demo-dont-use-chrome-with-net.cfg
index f7aeb1afb3c8289448b142ca64e6e61af2cb0a8d..690657e20f5ed966863a39f4f8c83bbb41a2a48c 100644 (file)
--- a/configs/demo-dont-use-chrome-with-net.cfg
+++ b/configs/demo-dont-use-chrome-with-net.cfg
@@ -28,7 +28,7 @@ cwd: "/user"
 time_limit: 0
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 
 rlimit_as: 4096

diff --git a/configs/firefox-with-cloned-net.cfg b/configs/firefox-with-cloned-net.cfg
index e7cb5bfeebf83233d97175501540e78c3284ada8..eb541e3e76e29724edc743243acfe1bcafaea1b5 100644 (file)
--- a/configs/firefox-with-cloned-net.cfg
+++ b/configs/firefox-with-cloned-net.cfg
@@ -28,7 +28,7 @@ cwd: "/user"
 time_limit: 0
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 
 rlimit_as: 4096

diff --git a/configs/firefox-with-net.cfg b/configs/firefox-with-net.cfg
index 75149b4520e2a317c26e7dc117146a02fc74338c..190f7c2a864249d60bae65a6ad52a4b6cdf091e2 100644 (file)
--- a/configs/firefox-with-net.cfg
+++ b/configs/firefox-with-net.cfg
@@ -22,7 +22,7 @@ time_limit: 0
 clone_newnet: false
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 
 rlimit_as: 4096

diff --git a/configs/home-documents-with-xorg-no-net.cfg b/configs/home-documents-with-xorg-no-net.cfg
index afd716839a02a0e01b3926473f11f5e31b72e481..cc2514fb502e6b5e9955c1a68a5688e12e795817 100644 (file)
--- a/configs/home-documents-with-xorg-no-net.cfg
+++ b/configs/home-documents-with-xorg-no-net.cfg
@@ -14,7 +14,7 @@ cwd: "/user"
 
 time_limit: 1000
 
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "HOME=/user"
 envar: "TMP=/tmp"
 

diff --git a/configs/xchat-with-net.cfg b/configs/xchat-with-net.cfg
index 4bf5c1a3beb87e8b04b17f68b53c1cc613bff05c..e8d2759332e1e441dc2b58c3678849649264de7c 100644 (file)
--- a/configs/xchat-with-net.cfg
+++ b/configs/xchat-with-net.cfg
@@ -16,11 +16,11 @@ cwd: "/user"
 time_limit: 0
 
 envar: "HOME=/user"
-envar: "DISPLAY=:0"
+envar: "DISPLAY"
 envar: "TMP=/tmp"
 envar: "FONTCONFIG_FILE=/etc/fonts/fonts.conf"
 envar: "FC_CONFIG_FILE=/etc/fonts/fonts.conf"
-envar: "LANG=en_US.UTF-8"
+envar: "LANG"
 
 rlimit_as: 4096
 rlimit_cpu_type: INF

diff --git a/nsjail.1 b/nsjail.1
index 292be2a86ddd6f45f0adf2656e448004af93894e..c1c32aa8490365ea3db2a7f274dbe66efb009f05 100644 (file)
--- a/nsjail.1
+++ b/nsjail.1
@@ -92,7 +92,7 @@ Log fatal messages only
 Pass all environment variables be passed process (default: all envvars are cleared)
 .TP
 \fB\-\-env\fR|\fB\-E\fR VALUE
-Additional environment variable (can be used multiple times)
+Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used
 .TP
 \fB\-\-keep_caps\fR
 Don't drop any capabilities