Sandbox environment variables So that the build can't access extra information unintentionally. Particuarly ANDROID_BUILD_TOP is dangerous. In the future PATH should be locked down as well. Bug: 307824623 Test: Added a all_genrules target and built that Change-Id: I88bb0efb0a82529a1c85875a53cf20c8384d07fe

commit: 63ea1f966e4969ead5fe6b90f2fd18ad48ddc9d5 [log] [tgz]
author: Cole Faust <colefaust@google.com> Tue Aug 27 11:42:26 2024 -0700
committer: Cole Faust <colefaust@google.com> Tue Sep 03 16:38:28 2024 -0700
tree: 0e94d030e63dae289e6765bc0d65a9a90d5fff81
parent: c965be6ca209c5623a978a29de31c037da4b29cf [diff] [blame]
diff --git a/cmd/sbox/sbox.go b/cmd/sbox/sbox.go
index 6459ea1..f3931a4 100644
--- a/cmd/sbox/sbox.go
+++ b/cmd/sbox/sbox.go

@@ -275,7 +275,10 @@
 			if !state.Inherit {
 				return nil, fmt.Errorf("Can't have inherit set to false")
 			}
-			env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name))
+			val, ok := os.LookupEnv(*envVar.Name)
+			if ok {
+				env = append(env, *envVar.Name+"="+val)
+			}
 		default:
 			return nil, fmt.Errorf("Unhandled state type")
 		}
commit	63ea1f966e4969ead5fe6b90f2fd18ad48ddc9d5	[log] [tgz]
author	Cole Faust <colefaust@google.com>	Tue Aug 27 11:42:26 2024 -0700
committer	Cole Faust <colefaust@google.com>	Tue Sep 03 16:38:28 2024 -0700
tree	0e94d030e63dae289e6765bc0d65a9a90d5fff81
parent	c965be6ca209c5623a978a29de31c037da4b29cf [diff] [blame]