... |
... |
@@ -87,6 +87,11 @@ class SandboxBwrap(Sandbox): |
87
|
87
|
# Grab the full path of the bwrap binary
|
88
|
88
|
bwrap_command = [utils.get_host_tool('bwrap')]
|
89
|
89
|
|
|
90
|
+ for k, v in env.items():
|
|
91
|
+ bwrap_command += ['--setenv', k, v]
|
|
92
|
+ for k in os.environ.keys() - env.keys():
|
|
93
|
+ bwrap_command += ['--unsetenv', k]
|
|
94
|
+
|
90
|
95
|
# Create a new pid namespace, this also ensures that any subprocesses
|
91
|
96
|
# are cleaned up when the bwrap process exits.
|
92
|
97
|
bwrap_command += ['--unshare-pid']
|
... |
... |
@@ -192,7 +197,7 @@ class SandboxBwrap(Sandbox): |
192
|
197
|
stdin = stack.enter_context(open(os.devnull, "r"))
|
193
|
198
|
|
194
|
199
|
# Run bubblewrap !
|
195
|
|
- exit_code = self.run_bwrap(bwrap_command, stdin, stdout, stderr, env,
|
|
200
|
+ exit_code = self.run_bwrap(bwrap_command, stdin, stdout, stderr,
|
196
|
201
|
(flags & SandboxFlags.INTERACTIVE))
|
197
|
202
|
|
198
|
203
|
# Cleanup things which bwrap might have left behind, while
|
... |
... |
@@ -243,7 +248,7 @@ class SandboxBwrap(Sandbox): |
243
|
248
|
|
244
|
249
|
return exit_code
|
245
|
250
|
|
246
|
|
- def run_bwrap(self, argv, stdin, stdout, stderr, env, interactive):
|
|
251
|
+ def run_bwrap(self, argv, stdin, stdout, stderr, interactive):
|
247
|
252
|
# Wrapper around subprocess.Popen() with common settings.
|
248
|
253
|
#
|
249
|
254
|
# This function blocks until the subprocess has terminated.
|
... |
... |
@@ -319,7 +324,6 @@ class SandboxBwrap(Sandbox): |
319
|
324
|
# The default is to share file descriptors from the parent process
|
320
|
325
|
# to the subprocess, which is rarely good for sandboxing.
|
321
|
326
|
close_fds=True,
|
322
|
|
- env=env,
|
323
|
327
|
stdin=stdin,
|
324
|
328
|
stdout=stdout,
|
325
|
329
|
stderr=stderr,
|