[apparmor] [PATCH] add --set-env option to aa-sandbox and move os.chdir()
Steve Beattie
steve at nxnw.org
Thu Feb 6 19:50:59 UTC 2014
On Thu, Feb 06, 2014 at 02:34:12PM -0500, Jamie Strandboge wrote:
> = aa-sandbox_move_chdir.patch =
>
> Move os.chdir(old_cwd) to before the aa-exec call it remove the side-effect of
> the chdir to $HOME when using Xpra. This was such a minor change I didn't split
> it out.
>
> Acked-By: Jamie Strandboge <jamie at canonical.com>
This part, Acked-by: Steve Beattie <steve at nxnw.org>
> = aa-sandbox_add_set-env_option.patch =
>
> Adjust aa-sandbox to add the --set-env to set an environment variable in the
> environment used by the sandboxed application. Eg:
>
> $ aa-sandbox --set-env="TMPDIR=/some/where" --set-env="FOO=bar" ...
A couple of issues below:
> === modified file 'utils/aa-sandbox.pod'
> --- utils/aa-sandbox.pod 2012-08-29 13:49:15 +0000
> +++ utils/aa-sandbox.pod 2014-02-06 19:18:00 +0000
> @@ -109,6 +109,11 @@
>
> The starting geometry for the Xephyr(1) server to use.
>
> +=item --set-env=ENVVAR=VALUE
> +
> +Set the environment variable ENVVAR to VALUE before launching the application.
> +This option may be specified multiple times.
> +
> =back
>
> =head1 EXAMPLES
>
> === modified file 'utils/apparmor/sandbox.py'
> --- utils/apparmor/sandbox.py 2013-04-09 13:31:39 +0000
> +++ utils/apparmor/sandbox.py 2014-02-06 19:10:08 +0000
> @@ -74,6 +74,11 @@
> dest='profile',
> default=None,
> help='Specify an existing profile (see aa-status)')
> + parser.add_option('--set-env',
> + dest='setenv_vars',
> + help="Set environment variables before exex",
> + metavar="VAR=VALUE",
> + action='append')
>
> (my_opt, my_args) = parser.parse_args()
> if my_opt.debug:
> @@ -714,6 +720,13 @@
> # Only used with dynamic profiles
> required_rules = ['audit deny @{HOME}/.Xauthority mrwlk,']
>
> + for e in opt.setenv_vars:
> + if '=' not in e:
> + continue
> + (key, val) = e.split("=", 1)
> + x.new_environ[key] = val
> + print(x.new_environ)
Did the print leak in?
Also, this is in run_xsandbox(). Do you not need to do something
similar in run_sandbox(), or is there a reason to expect not to
support setting/modifying environment variables for non-graphical apps?
> +
> # aa-exec
> try:
> rc, report = aa_exec(command, opt, x.new_environ, required_rules)
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140206/f1807741/attachment.pgp>
More information about the AppArmor
mailing list