fix: forward TMPDIR to sandbox subprocess to honor non-default temp dirs#12776
Open
a7i wants to merge 1 commit into google:master from
Conversation
When creating the sandbox subprocess, the environment is cleared for security. This causes os.TempDir() in the child to always return /tmp, even when the host system uses a different temp directory (e.g. TMPDIR=/realtmp with /tmp as a symlink). The chroot setup then fails because SafeMount detects the symlink mismatch. Forward TMPDIR to the sandbox subprocess when it differs from the default /tmp, so os.TempDir() resolves consistently between parent and child processes. Fixes google#12476
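The description above boils down to one rule for the child's environment: clear everything, then forward `TMPDIR` only when it names something other than the default `/tmp`, so that `os.TempDir()` (which on Unix returns `$TMPDIR` when non-empty and `/tmp` otherwise) agrees between parent and child. The following Go program is an added illustration of that rule, not gVisor's code: `sandboxEnv`, `childTempDir` and `consistentTempDir` are hypothetical helpers, the parent environment is constructed, and the `sh` child at the end just echoes what `os.TempDir()` would compute there.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// defaultTempDir is what os.TempDir() falls back to on Unix when TMPDIR is unset.
const defaultTempDir = "/tmp"

// sandboxEnv is a hypothetical stand-in for the env construction in
// createSandboxProcess(): start from an empty environment and forward only
// TMPDIR, and only when it names something other than the default /tmp.
func sandboxEnv(parentEnv []string) []string {
	env := make([]string, 0, 1)
	for _, kv := range parentEnv {
		name, value, ok := strings.Cut(kv, "=")
		if !ok || name != "TMPDIR" {
			continue // everything else stays cleared
		}
		if value == "" || value == defaultTempDir {
			continue // the child's fallback already matches the parent
		}
		env = append(env, kv)
	}
	return env
}

// childTempDir models what os.TempDir() returns inside a child started with
// the given environment (Unix behaviour: $TMPDIR if non-empty, else /tmp).
func childTempDir(env []string) string {
	for _, kv := range env {
		if name, value, ok := strings.Cut(kv, "="); ok && name == "TMPDIR" && value != "" {
			return value
		}
	}
	return defaultTempDir
}

// consistentTempDir reports whether parent and sandbox child resolve the
// same temp directory, which is the property the fix restores.
func consistentTempDir(parentEnv []string) bool {
	return childTempDir(parentEnv) == childTempDir(sandboxEnv(parentEnv))
}

func main() {
	// Constructed parent environment: a secret that must not be forwarded,
	// plus a non-default TMPDIR of the kind described in the issue.
	parent := []string{"PATH=/usr/bin", "SECRET_TOKEN=do-not-forward", "TMPDIR=/realtmp"}
	child := sandboxEnv(parent)
	fmt.Printf("forwarded env: %q\n", child)
	fmt.Printf("parent temp dir %s, child temp dir %s, consistent=%v\n",
		childTempDir(parent), childTempDir(child), consistentTempDir(parent))

	// Spawn a real child with the cleared environment and let it report the
	// directory os.TempDir() would compute there.
	cmd := exec.Command("sh", "-c", `printf '%s' "${TMPDIR:-/tmp}"`)
	cmd.Env = sandboxEnv(os.Environ())
	out, err := cmd.Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "child failed:", err)
		return
	}
	fmt.Printf("real child resolves temp dir to %s (parent: %s)\n", out, os.TempDir())
}
```

Running it with `TMPDIR=/realtmp` set in the parent shows the child resolving `/realtmp` as well, while `SECRET_TOKEN` and `PATH` never reach it; with `TMPDIR` unset or equal to `/tmp` the child's environment stays completely empty.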
Summary
- Forward the `TMPDIR` environment variable to the sandbox subprocess when it differs from the default `/tmp`, so that `os.TempDir()` resolves consistently between parent and child processes.
- In `createSandboxProcess()`, the environment is cleared for security. This causes `os.TempDir()` in the child (used by `setUpChroot()`) to always return `/tmp`, even when the host uses a different temp directory (e.g. `TMPDIR=/realtmp` with `/tmp` as a symlink). The chroot setup then fails because `SafeMount` detects the path mismatch.
- Fixes #12476
Test plan
- (`TestSandboxEnvTMPDIRForwarding`)
- `os.TempDir()` (`TestSandboxSubprocessTMPDIR`)
- `createSandboxProcess` env construction and verifying subprocess behavior (`TestSandboxEnvEndToEnd`)
- (`TestSandboxEnvNoUnintendedLeaks`)
- (`TestSandboxEnvTMPDIROnlyEntry`)
- `/tmp` is a symlink to confirm the fix resolves the issue

Risk: Low
This change only adds a single environment variable (`TMPDIR`) to the sandbox subprocess when it differs from the default `/tmp`. It does not leak any sensitive information and preserves the security posture of the cleared environment.