Block KRB5CCNAME from inheriting into sandbox
If this environment variable is set on the host, it's going to mess up
authentication in the sandbox. For example, if the host has:

KRB5CCNAME=KCM:

then the sandboxed process will try to use the host KCM socket, which is
not available in the sandboxed environment, rather than the gssproxy
socket that we want it to use. We need to unset it to ensure that
whatever configuration we ship in the runtime gets used instead. We have
switched the GNOME runtime to use an empty krb5.conf and it works as
long as we don't break it with this environment variable meant for the
host.
mcatanzaro authored and alexlarsson committed Sep 19, 2022
1 parent 0184e54 commit 1c32317
Showing 2 changed files with 4 additions and 1 deletion.
4 changes: 3 additions & 1 deletion common/flatpak-run.c
Expand Up @@ -1887,7 +1887,8 @@ static const ExportData default_exports[] = {
{"XDG_RUNTIME_DIR", NULL},

/* Some env vars are common enough and will affect the sandbox badly
if set on the host. We clear these always. */
if set on the host. We clear these always. If updating this list,
also update the list in flatpak-run.xml. */
{"PYTHONPATH", NULL},
{"PERLLIB", NULL},
{"PERL5LIB", NULL},
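Review bot: The new reminder in the comment above the PYTHONPATH entry names the other list only as flatpak-run.xml and leaves the sync to whoever edits the table next. Give the path as it appears in this commit, doc/flatpak-run.xml, and note that the documentation summarises the GST_ entries in a sentence instead of listing them, so a reader comparing the two lists does not expect a one-to-one match.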
Expand All @@ -1904,6 +1905,7 @@ static const ExportData default_exports[] = {
{"GST_PTP_HELPER", NULL},
{"GST_PTP_HELPER_1_0", NULL},
{"GST_INSTALL_PLUGINS_HELPER", NULL},
{"KRB5CCNAME", NULL},
};

static const ExportData no_ld_so_cache_exports[] = {
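Review bot: The {"KRB5CCNAME", NULL} entry at the end of default_exports carries no comment, so the reason for clearing it lives only in the commit message. A one-line comment above it, saying that a host credential cache such as KCM: is not reachable from the sandbox and the runtime's Kerberos configuration should apply instead, would keep the entry from being removed later as unexplained. It is also worth confirming in review that this is the only host Kerberos variable that can override the runtime's configuration, since the entry covers the credential cache name alone.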
1 change: 1 addition & 0 deletions doc/flatpak-run.xml
Expand Up @@ -97,6 +97,7 @@
<member>PERLLIB</member>
<member>PERL5LIB</member>
<member>XCURSOR_PATH</member>
<member>KRB5CCNAME</member>
</simplelist>
<para>
Also several environment variables with the prefix "GST_" that are used by gstreamer
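Review bot: The new <member>KRB5CCNAME</member> line adds the name to the list of cleared variables, but the documentation gives no reason for it, unlike the table comment in flatpak-run.c, which says these variables affect the sandbox badly. A short sentence after the list stating that the host value is dropped so the runtime's own Kerberos configuration is used would help users who set KRB5CCNAME on the host and find it missing inside the sandbox.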