From 0e7e1f3ee2faf1e80a6d57a04aeadbf2566531da Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 10 Nov 2023 07:10:36 -0500
Subject: [PATCH] isolation: Also reset environment

Otherwise in some cases the containers/image stack can try to look at things like `$HOME` which might be set to `/root` if we're running outside of systemd, and that can cause permission denials.
---
 lib/src/isolation.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/src/isolation.rs b/lib/src/isolation.rs
index 48c6bca7..02c41b57 100644
--- a/lib/src/isolation.rs
+++ b/lib/src/isolation.rs
@@ -31,6 +31,7 @@ pub(crate) fn unprivileged_subprocess(binary: &str, user: &str) -> Command {
     cmd.args([
         "--no-new-privs",
         "--init-groups",
+        "--reset-env",
         "--reuid",
         user,
         "--bounding-set",
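Review bot: The added `--reset-env` discards the whole inherited environment, not only `$HOME`, so any variable a caller exported for the child (proxy settings, container-storage overrides, `XDG_RUNTIME_DIR`) no longer reaches `binary` unless it is re-applied with `Command::env` on the returned `Command`; the added line deserves a comment stating that, e.g. `// --reset-env: drop the inherited environment; setpriv re-derives HOME/SHELL/USER/LOGNAME/PATH for `user`, so anything the child needs must be passed explicitly.` Beyond fixing the `/root` case from the commit message, this also narrows what the unprivileged helper inherits from the caller's environment, which is worth naming as the intent so it is not removed later as "unneeded". `--reset-env` is, as far as I recall, a comparatively recent `setpriv` option, so the minimum util-linux version the project supports should be checked against it. `unprivileged_subprocess` begins before this hunk and continues after it.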