fixup! Add loader.env.[ENVIRON] = {passthrough=true} manifest option
Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
Dmitrii Kuvaiskii committed Sep 17, 2021
1 parent c9769c6 commit 32ecfd4
Showing 2 changed files with 5 additions and 4 deletions.
6 changes: 3 additions & 3 deletions Documentation/manifest-syntax.rst
Expand Up @@ -193,9 +193,9 @@ are "consumed" by ``insecure__use_host_env``).
.. note ::
It is tempting to try to passthrough all environment variables using
``insecure__use_host_env`` and then disallow some of them using ``passthrough
= false``. However, this deny list approach is intentionally prohibited for
security reasons. Graphene loudly fails if any ``passthrough = false``
manifest options are set.
= false``. However, this deny list approach is intentionally prohibited
because it's inherently insecure (doesn't provide any real security).
Graphene loudly fails if ``passthrough = false`` manifest options are set.
Disabling ASLR
^^^^^^^^^^^^^^
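Review bot: The reworded reason in the note, "because it's inherently insecure (doesn't provide any real security)", is circular and still does not tell a manifest author why the deny list fails. Suggest stating the reason directly, for example that with ``insecure__use_host_env`` every host variable not explicitly listed is still passed through, so the list can never be complete. Dropping "any" from the last sentence also makes it read as if several options are needed to trigger the failure; "if any ``passthrough = false`` manifest option is set" would be unambiguous.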
3 changes: 2 additions & 1 deletion Pal/src/db_main.c
Expand Up @@ -547,7 +547,8 @@ noreturn void pal_main(uint64_t instance_id, /* current instance id */

// TODO: Envs from file should be able to override ones from the manifest, but current
// code makes this hard to implement.
ret = build_envs(orig_environments, use_host_env || env_src_file, &final_environments);
ret = build_envs(orig_environments, /*propagate=*/use_host_env || env_src_file,
&final_environments);
if (ret < 0)
INIT_FAIL(-ret, "Building the final environment based on the original environment and the"
" manifest failed");
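Review bot: The `/*propagate=*/` annotation on the second argument of build_envs() names the parameter but does not explain why `env_src_file` on its own turns propagation on, which is the surprising half of `use_host_env || env_src_file`. Consider hoisting the expression into a named local (for example `bool propagate = use_host_env || env_src_file;`) with a one-line comment on the env-file case, and passing that local instead. The TODO above the call, about file envs overriding manifest envs, is untouched by this hunk and would be a natural place to tie that explanation in.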