
Commit aeb6a7a

smcv authored and alexlarsson committed
portal: Convert --env in extra-args into --env-fd
This hides overridden variables from the command-line, which means processes running under other uids can't see them in /proc/*/cmdline, which might be important if they contain secrets. Signed-off-by: Simon McVittie <smcv@collabora.com> Part-of: GHSA-4ppf-fxf6-vxg2
1 parent 6e5ae7a commit aeb6a7a


1 file changed

+49
-1
lines changed


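--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -257,6 +257,7 @@ typedef struct
 int instance_id_fd;
 gboolean set_tty;
 int tty;
+int env_fd;
 } ChildSetupData;
 
 typedef struct
@@ -485,6 +486,9 @@ child_setup_func (gpointer user_data)
 if (data->instance_id_fd != -1)
 drop_cloexec (data->instance_id_fd);
 
+if (data->env_fd != -1)
+drop_cloexec (data->env_fd);
+
 /* Unblock all signals */
 sigemptyset (&set);
 if (pthread_sigmask (SIG_SETMASK, &set, NULL) == -1)
@@ -782,8 +786,10 @@ handle_spawn (PortalFlatpak *object,
 gboolean share_pids;
 gboolean notify_start;
 gboolean devel;
+g_autoptr(GString) env_string = g_string_new ("");
 
 child_setup_data.instance_id_fd = -1;
+child_setup_data.env_fd = -1;
 
 if (fd_list != NULL)
 fds = g_unix_fd_list_peek_fds (fd_list, &fds_len);
@@ -1044,7 +1050,49 @@ handle_spawn (PortalFlatpak *object,
 else
 {
 for (i = 0; extra_args != NULL && extra_args[i] != NULL; i++)
-g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i]));
+{
+if (g_str_has_prefix (extra_args[i], "--env="))
+{
+const char *var_val = extra_args[i] + strlen ("--env=");
+
+if (var_val[0] == '\0' || var_val[0] == '=')
+{
+g_warning ("Environment variable in extra-args has empty name");
+continue;
+}
+
+if (strchr (var_val, '=') == NULL)
+{
+g_warning ("Environment variable in extra-args has no value");
+continue;
+}
+
+g_string_append (env_string, var_val);
+g_string_append_c (env_string, '\0');
+}
+else
+{
+g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i]));
+}
+}
+}
+
+if (env_string->len > 0)
+{
+g_auto(GLnxTmpfile) env_tmpf = { 0, };
+
+if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&env_tmpf, "environ",
+env_string->str,
+env_string->len, &error))
+{
+g_dbus_method_invocation_return_gerror (invocation, error);
+return G_DBUS_METHOD_INVOCATION_HANDLED;
+}
+
+child_setup_data.env_fd = glnx_steal_fd (&env_tmpf.fd);
+g_ptr_array_add (flatpak_argv,
+g_strdup_printf ("--env-fd=%d",
+child_setup_data.env_fd));
 }
 
 expose_pids = (arg_flags & FLATPAK_SPAWN_FLAGS_EXPOSE_PIDS) != 0;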