... |
... |
@@ -89,6 +89,11 @@ class SandboxBwrap(Sandbox): |
89
|
89
|
# Grab the full path of the bwrap binary
|
90
|
90
|
bwrap_command = [utils.get_host_tool('bwrap')]
|
91
|
91
|
|
|
92
|
+ for k, v in env.items():
|
|
93
|
+ bwrap_command += ['--setenv', k, v]
|
|
94
|
+ for k in os.environ.keys() - env.keys():
|
|
95
|
+ bwrap_command += ['--unsetenv', k]
|
|
96
|
+
|
92
|
97
|
# Create a new pid namespace, this also ensures that any subprocesses
|
93
|
98
|
# are cleaned up when the bwrap process exits.
|
94
|
99
|
bwrap_command += ['--unshare-pid']
|
... |
... |
@@ -194,7 +199,7 @@ class SandboxBwrap(Sandbox): |
194
|
199
|
stdin = stack.enter_context(open(os.devnull, "r"))
|
195
|
200
|
|
196
|
201
|
# Run bubblewrap !
|
197
|
|
- exit_code = self.run_bwrap(bwrap_command, stdin, stdout, stderr, env,
|
|
202
|
+ exit_code = self.run_bwrap(bwrap_command, stdin, stdout, stderr,
|
198
|
203
|
(flags & SandboxFlags.INTERACTIVE))
|
199
|
204
|
|
200
|
205
|
# Cleanup things which bwrap might have left behind, while
|
... |
... |
@@ -245,7 +250,7 @@ class SandboxBwrap(Sandbox): |
245
|
250
|
|
246
|
251
|
return exit_code
|
247
|
252
|
|
248
|
|
- def run_bwrap(self, argv, stdin, stdout, stderr, env, interactive):
|
|
253
|
+ def run_bwrap(self, argv, stdin, stdout, stderr, interactive):
|
249
|
254
|
# Wrapper around subprocess.Popen() with common settings.
|
250
|
255
|
#
|
251
|
256
|
# This function blocks until the subprocess has terminated.
|
... |
... |
@@ -321,7 +326,6 @@ class SandboxBwrap(Sandbox): |
321
|
326
|
# The default is to share file descriptors from the parent process
|
322
|
327
|
# to the subprocess, which is rarely good for sandboxing.
|
323
|
328
|
close_fds=True,
|
324
|
|
- env=env,
|
325
|
329
|
stdin=stdin,
|
326
|
330
|
stdout=stdout,
|
327
|
331
|
stderr=stderr,
|
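Review bot: In the first hunk (`@@ -89,6 +89,11`), `bwrap_command += ['--setenv', k, v]` puts every sandbox environment value on bwrap's command line, where other local users can read it from the host process list. The `env=env` removed from the Popen call in the last hunk kept those values in the process environment, which is normally readable only by the owning user. Whether `env` can carry tokens or passwords is not visible here; if it can, pass the generated options through bwrap's `--args FD` instead of argv, or at least add `# NOTE: --setenv values are visible in the host process list; keep secrets out of env` above the loop. With `env=` gone, bwrap itself also starts with the full inherited host environment, so the `--unsetenv` loop is the only thing scrubbing it; this relies on `os.environ` not changing between building the command and spawning it. The enclosing method starts and ends outside these hunks, so any later handling of `env` was not reviewed.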