Replace setenv with env list supporting host passthrough

2026-04-22 20:47:01 +02:00
parent 76c5be0e72
commit 494da52fc6
7 changed files with 266 additions and 62 deletions
@@ -5,7 +5,7 @@ use crate::agents;
 use crate::blacklist;
 use crate::env;
 use crate::seccomp;
-use crate::{SandboxConfig, SandboxError, SandboxMode};
+use crate::{EnvEntry, SandboxConfig, SandboxError, SandboxMode};

 pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
    let mut cmd = Command::new("bwrap");
@@ -71,9 +71,21 @@ fn add_env_policy(cmd: &mut Command, config: &SandboxConfig) {
 }

 fn add_user_env_overrides(cmd: &mut Command, config: &SandboxConfig) {
-    for (key, value) in &config.setenv {
-        cmd.arg("--setenv").arg(key).arg(value);
+    let mut keep_keys: Vec<String> = Vec::new();
+    for entry in &config.env {
+        match entry {
+            EnvEntry::Set(key, value) => {
+                cmd.arg("--setenv").arg(key).arg(value);
+            }
+            EnvEntry::Keep(key) => keep_keys.push(key.clone()),
+        }
    }
+
+    if !keep_keys.is_empty() {
+        let parent_env: Vec<(String, String)> = std::env::vars().collect();
+        cmd.args(env::keepenv_args(&keep_keys, &parent_env));
+    }
+
    for key in &config.unsetenv {
        cmd.arg("--unsetenv").arg(key);
    }