chrootenv: replace env whitelist with blacklist, closes #32878
parent
c03663a145
commit
0234cd41b4
@ -21,27 +21,38 @@
|
|||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <sys/wait.h>
|
#include <sys/wait.h>
|
||||||
|
|
||||||
char *env_whitelist[] = {"TERM",
|
#define LEN(x) sizeof(x) / sizeof(*x)
|
||||||
"DISPLAY",
|
|
||||||
"XAUTHORITY",
|
|
||||||
"HOME",
|
|
||||||
"XDG_RUNTIME_DIR",
|
|
||||||
"LANG",
|
|
||||||
"SSL_CERT_FILE",
|
|
||||||
"DBUS_SESSION_BUS_ADDRESS"};
|
|
||||||
|
|
||||||
char **env_build(char *names[], size_t len) {
|
char *env_blacklist[] = {};
|
||||||
char *env, **ret = malloc((len + 1) * sizeof(char *)), **ptr = ret;
|
|
||||||
|
|
||||||
for (size_t i = 0; i < len; i++) {
|
char **env_filter(char *envp[]) {
|
||||||
if ((env = getenv(names[i]))) {
|
char **filtered_envp = malloc(sizeof(*envp));
|
||||||
if (asprintf(ptr++, "%s=%s", names[i], env) < 0)
|
size_t n = 0;
|
||||||
errorf(EX_OSERR, "asprintf");
|
|
||||||
|
while (*envp != NULL) {
|
||||||
|
bool blacklisted = false;
|
||||||
|
|
||||||
|
for (size_t i = 0; i < LEN(env_blacklist); i++) {
|
||||||
|
if (!strncmp(*envp, env_blacklist[i], strlen(env_blacklist[i]))) {
|
||||||
|
blacklisted = true;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
*ptr = NULL;
|
if (!blacklisted) {
|
||||||
return ret;
|
filtered_envp = realloc(filtered_envp, (n + 2) * sizeof(*envp));
|
||||||
|
|
||||||
|
if (filtered_envp == NULL)
|
||||||
|
errorf(EX_OSERR, "realloc");
|
||||||
|
|
||||||
|
filtered_envp[n++] = *envp;
|
||||||
|
}
|
||||||
|
|
||||||
|
envp++;
|
||||||
|
}
|
||||||
|
|
||||||
|
filtered_envp[n] = NULL;
|
||||||
|
return filtered_envp;
|
||||||
}
|
}
|
||||||
|
|
||||||
void bind(char *from, char *to) {
|
void bind(char *from, char *to) {
|
||||||
@ -67,8 +78,6 @@ char *strjoin(char *dir, char *name) {
|
|||||||
return path;
|
return path;
|
||||||
}
|
}
|
||||||
|
|
||||||
#define LEN(x) sizeof(x) / sizeof(*x)
|
|
||||||
|
|
||||||
char *bind_blacklist[] = {".", "..", "bin", "etc", "host", "usr"};
|
char *bind_blacklist[] = {".", "..", "bin", "etc", "host", "usr"};
|
||||||
|
|
||||||
bool bind_blacklisted(char *name) {
|
bool bind_blacklisted(char *name) {
|
||||||
@ -146,7 +155,7 @@ int nftw_rm(const char *path, const struct stat *sb, int type,
|
|||||||
|
|
||||||
#define REQUIREMENTS "Linux version >= 3.19 built with CONFIG_USER_NS option"
|
#define REQUIREMENTS "Linux version >= 3.19 built with CONFIG_USER_NS option"
|
||||||
|
|
||||||
int main(int argc, char *argv[]) {
|
int main(int argc, char *argv[], char *envp[]) {
|
||||||
if (argc < 2) {
|
if (argc < 2) {
|
||||||
fprintf(stderr, "Usage: %s command [arguments...]\n"
|
fprintf(stderr, "Usage: %s command [arguments...]\n"
|
||||||
"Requires " REQUIREMENTS ".\n",
|
"Requires " REQUIREMENTS ".\n",
|
||||||
@ -213,7 +222,7 @@ int main(int argc, char *argv[]) {
|
|||||||
|
|
||||||
argv++;
|
argv++;
|
||||||
|
|
||||||
if (execvpe(*argv, argv, env_build(env_whitelist, LEN(env_whitelist))) < 0)
|
if (execvpe(*argv, argv, env_filter(envp)) < 0)
|
||||||
errorf(EX_OSERR, "execvpe");
|
errorf(EX_OSERR, "execvpe");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
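Review bot: In `env_filter` (first hunk) the blacklist test is a bare prefix match, `strncmp(*envp, env_blacklist[i], strlen(env_blacklist[i]))`, so a listed name would also drop every variable whose name merely begins with it, because the `=` that ends the name is never checked. I would compare the delimiter as well: `size_t len = strlen(env_blacklist[i]);` followed by `if (!strncmp(*envp, env_blacklist[i], len) && (*envp)[len] == '=')`. With `env_blacklist` empty as committed, the inner loop never runs and the caller's whole environment reaches `execvpe`, so the mismatch only appears once names are added to the list. Separately, the initial `malloc(sizeof(*envp))` is not checked the way the `realloc` is, so a failed allocation combined with an empty `envp` would write `filtered_envp[n] = NULL` through a null pointer.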