[apparmor] [PATCH] add --set-env option to aa-sandbox and move os.chdir()

Steve Beattie steve at nxnw.org
Thu Feb 6 19:50:59 UTC 2014 

On Thu, Feb 06, 2014 at 02:34:12PM -0500, Jamie Strandboge wrote:
> = aa-sandbox_move_chdir.patch =
> 
> Move os.chdir(old_cwd) to before the aa-exec call it remove the side-effect of
> the chdir to $HOME when using Xpra. This was such a minor change I didn't split
> it out.
> 
> Acked-By: Jamie Strandboge <jamie at canonical.com>
This part, Acked-by: Steve Beattie <steve at nxnw.org>

> = aa-sandbox_add_set-env_option.patch =
> 
> Adjust aa-sandbox to add the --set-env to set an environment variable in the
> environment used by the sandboxed application. Eg:
> 
> $ aa-sandbox --set-env="TMPDIR=/some/where" --set-env="FOO=bar" ...

A couple of issues below:

> === modified file 'utils/aa-sandbox.pod'
> --- utils/aa-sandbox.pod	2012-08-29 13:49:15 +0000
> +++ utils/aa-sandbox.pod	2014-02-06 19:18:00 +0000
> @@ -109,6 +109,11 @@
>  
>  The starting geometry for the Xephyr(1) server to use.
>  
> +=item --set-env=ENVVAR=VALUE
> +
> +Set the environment variable ENVVAR to VALUE before launching the application.
> +This option may be specified multiple times.
> +
>  =back
>  
>  =head1 EXAMPLES
> 
> === modified file 'utils/apparmor/sandbox.py'
> --- utils/apparmor/sandbox.py	2013-04-09 13:31:39 +0000
> +++ utils/apparmor/sandbox.py	2014-02-06 19:10:08 +0000
> @@ -74,6 +74,11 @@
>                        dest='profile',
>                        default=None,
>                        help='Specify an existing profile (see aa-status)')
> +    parser.add_option('--set-env',
> +                      dest='setenv_vars',
> +                      help="Set environment variables before exex",
> +                      metavar="VAR=VALUE",
> +                      action='append')
>  
>      (my_opt, my_args) = parser.parse_args()
>      if my_opt.debug:
> @@ -714,6 +720,13 @@
>      # Only used with dynamic profiles
>      required_rules = ['audit deny @{HOME}/.Xauthority mrwlk,']
>  
> +    for e in opt.setenv_vars:
> +        if '=' not in e:
> +            continue
> +        (key, val) = e.split("=", 1)
> +        x.new_environ[key] = val
> +    print(x.new_environ)

Did the print leak in?

Also, this is in run_xsandbox(). Do you not need to do something
similar in run_sandbox(), or is there a reason to expect not to
support setting/modifying environment variables for non-graphical apps?

> +
>      # aa-exec
>      try:
>          rc, report = aa_exec(command, opt, x.new_environ, required_rules)

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140206/f1807741/attachment.pgp>

More information about the AppArmor mailing list