libsandbox: preserve more SANDBOX env vars

While we took pains to preserve the LD_PRELOAD setting, this doesn't
help us too much in practice.  If a process is going out of its way
to blow away LD_PRELOAD, chances are good it's blowing away all vars
it doesn't know about.  That means all of our SANDBOX_XXX settings.

Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX
env vars, make sure we preserve those as well.

These changes also imply some behavioral differences from older
versions.  Previously, you could `unset` a sandbox var in order
to disable it.  That no longer works.  If you wish to disable
things, you have to explicitly set it to "".

Signed-off-by: Mike Frysinger <vapier@gentoo.org>

1 files changed, 21 insertions, 0 deletions

diff --git a/tests/script-10.sh b/tests/script-10.sh
new file mode 100755
index 0000000..801730e
--- /dev/null
+++ b/tests/script-10.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+# make sure all the SANDBOX env vars make it back in.
+[ "${at_xfail}" = "yes" ] && exit 77 # see script-0
+
+ret=0
+
+out=$(env -i env)
+for var in LOG DEBUG_LOG MESSAGE_PATH DENY READ WRITE PREDICT ON ACTIVE ; do
+	var="SANDBOX_${var}"
+	oval=$(env | grep "^${var}=" | sed 's:^[^=]*=::')
+
+	nval=$(echo "${out}" | sed -n "/^${var}=/s:[^=]*=::p")
+
+	[ "${nval}" != "${oval}" ] && echo "!!! MISMATCH !!!" && ret=1
+	echo "env  [${var}]='${oval}'"
+	echo "env-i[${var}]='${nval}'"
+	[ "${nval}" != "${oval}" ] && echo "!!! MISMATCH !!!"
+	echo
+done
+
+exit ${ret}