Sandbox environment variables

So that the build can't access extra information unintentionally. Particuarly ANDROID_BUILD_TOP is dangerous. In the future PATH should be locked down as well. Bug: 307824623 Test: Added a all_genrules target and built that Change-Id: I88bb0efb0a82529a1c85875a53cf20c8384d07fe
2024-08-27 11:42:26 -07:00
parent c965be6ca2
commit 63ea1f966e
2 changed files with 44 additions and 11 deletions
--- a/cmd/sbox/sbox.go
+++ b/cmd/sbox/sbox.go
@@ -275,7 +275,10 @@ func createEnv(command *sbox_proto.Command) ([]string, error) {
 			if !state.Inherit {
 				return nil, fmt.Errorf("Can't have inherit set to false")
 			}
-			env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name))
+			val, ok := os.LookupEnv(*envVar.Name)
+			if ok {
+				env = append(env, *envVar.Name+"="+val)
+			}
 		default:
 			return nil, fmt.Errorf("Unhandled state type")
 		}