Pass through most environment variables.

Change the approach to environment variables to delete ones that are likely to cause problems instead of only passing through a pre-approved list. This will be neccessary to correctly work as a binfmt handler Fixes: AsahiLinux#52 Signed-off-by: Sasha Finkelstein <[email protected]>
WhatAmISupposedToPutHere · Sep 1, 2024 · 10eac3c · 10eac3c
1 parent ca28bde
commit 10eac3c
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 6 deletions.
diff --git a/crates/krun/src/bin/krun.rs b/crates/krun/src/bin/krun.rs
@@ -1,7 +1,7 @@
 use anyhow::{anyhow, Context, Result};
 use krun::cli_options::{options, Options};
 use krun::cpu::{get_fallback_cores, get_performance_cores};
-use krun::env::{find_krun_exec, prepare_env_vars};
+use krun::env::{find_krun_exec, prepare_vm_env_vars};
 use krun::launch::{launch_or_lock, LaunchResult, DYNAMIC_PORT_RANGE};
 use krun::net::{connect_to_passt, start_passt};
 use krun::types::MiB;
@@ -326,7 +326,7 @@ fn launch_vm(options: Options, net_ready_file: File) -> Result<()> {
     };
 
     let mut env =
-        prepare_env_vars(Vec::new()).context("Failed to prepare environment variables")?;
+        prepare_vm_env_vars(Vec::new()).context("Failed to prepare environment variables")?;
     env.insert(
         "KRUN_SERVER_PORT".to_owned(),
         options.server_port.to_string(),

diff --git a/crates/krun/src/env.rs b/crates/krun/src/env.rs
@@ -22,7 +22,7 @@ const WELL_KNOWN_ENV_VARS: [&str; 5] = [
 /// See https://github.com/AsahiLinux/docs/wiki/Devices
 const ASAHI_SOC_COMPAT_IDS: [&str; 1] = ["apple,arm-platform"];
 
-pub fn prepare_env_vars(env: Vec<(String, Option<String>)>) -> Result<HashMap<String, String>> {
+pub fn prepare_vm_env_vars(env: Vec<(String, Option<String>)>) -> Result<HashMap<String, String>> {
     let mut env_map = HashMap::new();
 
     for key in WELL_KNOWN_ENV_VARS {
@@ -83,6 +83,41 @@ pub fn prepare_env_vars(env: Vec<(String, Option<String>)>) -> Result<HashMap<St
     Ok(env_map)
 }
 
+const DROP_ENV_VARS: [&str; 17] = [
+    "DBUS_SESSION_BUS_ADDRESS",
+    "DISPLAY",
+    "ICEAUTHORITY",
+    "KONSOLE_DBUS_SERVICE",
+    "KONSOLE_DBUS_SESSION",
+    "KONSOLE_DBUS_WINDOW",
+    "MANAGERPID",
+    "PAM_KWALLET5_LOGIN",
+    "SESSION_MANAGER",
+    "SYSTEMD_EXEC_PID",
+    "WAYLAND_DISPLAY",
+    "XAUTHORITY",
+    "XDG_RUNTIME_DIR",
+    "XDG_SEAT",
+    "XDG_SEAT_PATH",
+    "XDG_SESSION_PATH",
+    "XDG_VTNR",
+];
+pub fn prepare_proc_env_vars(env: Vec<(String, Option<String>)>) -> HashMap<String, String> {
+    let mut vars = HashMap::new();
+    for (k, v) in env::vars() {
+        vars.insert(k, v);
+    }
+    for (k, v) in env {
+        if let Some(v) = v {
+            vars.insert(k, v);
+        }
+    }
+    for k in DROP_ENV_VARS {
+        vars.remove(k);
+    }
+    vars
+}
+
 pub fn find_krun_exec<P>(program: P) -> Result<CString>
 where
     P: AsRef<Path>,

diff --git a/crates/krun/src/launch.rs b/crates/krun/src/launch.rs
@@ -20,7 +20,7 @@ use std::time::Duration;
 use utils::env::find_in_path;
 use utils::launch::Launch;
 
-use crate::env::prepare_env_vars;
+use crate::env::prepare_proc_env_vars;
 
 pub const DYNAMIC_PORT_RANGE: Range<u32> = 50000..50200;
 
@@ -142,7 +142,7 @@ pub fn launch_or_lock(
     let cwd = env::current_dir()?;
     if let Some(port) = running_server_port {
         let port: u32 = port.parse()?;
-        let env = prepare_env_vars(env)?;
+        let env = prepare_proc_env_vars(env);
         if let Err(err) = wrapped_launch(port, command, command_args, env, cwd) {
             return Err(anyhow!("could not request launch to server: {err}"));
         }
@@ -188,7 +188,7 @@ pub fn launch_or_lock(
                     }
                 };
                 flock(net_ready, FlockOperation::LockShared)?;
-                let env = prepare_env_vars(env)?;
+                let env = prepare_proc_env_vars(env);
                 let mut tries = 0;
                 loop {
                     match wrapped_launch(