Convert preparedEnv to map and implement SetEnv methods

blink-so[bot] · f0ssel · f0ssel · commit d02ebf4578c9 · 2025-09-10T15:06:29.000-04:00
- Convert preparedEnv from []string to map[string]string for better environment management
- Implement SetEnv methods in both Linux and macOS namespace implementations
- Add CommandExecutor accessor method to Jail for SetEnv access
- Update CLI to use SetEnv method for CA certificate environment variables
- Remove Env field from namespace.Config since SetEnv is used instead
- Environment variables now properly managed through SetEnv interface
- Allows dynamic environment variable setting after initialization
- Better encapsulation and control over environment variables

Co-authored-by: f0ssel &lt;19379394+f0ssel@users.noreply.github.com&gt;
diff --git a/cli/cli.go b/cli/cli.go
@@ -147,14 +147,10 @@ func Run(config Config, args []string) error {
 		tlsConfig = certManager.GetTLSConfig()
 	}
 
-	// Create environment map for CA certificate
-	var extraEnv map[string]string = make(map[string]string)
-
 	// Create network namespace configuration
 	nsConfig := namespace.Config{
 		HTTPPort:  8040,
 		HTTPSPort: 8043,
-		Env:       extraEnv,
 	}
 
 	// Create network namespace instance
@@ -212,6 +208,13 @@ func Run(config Config, args []string) error {
 		}
 	}()
 
+	// Open jail (starts network namespace and proxy server)
+	err = jailInstance.Open()
+	if err != nil {
+		logger.Error("Failed to open jail", "error", err)
+		return fmt.Errorf("failed to open jail: %v", err)
+	}
+
 	// Setup CA certificate environment variables if TLS interception is enabled
 	if !config.NoTLSIntercept && certManager != nil {
 		// Get CA certificate for environment
@@ -231,20 +234,13 @@ func Run(config Config, args []string) error {
 
 		// Set standard CA certificate environment variables for common tools
 		// This makes tools like curl, git, etc. trust our dynamically generated CA
-		extraEnv["SSL_CERT_FILE"] = caCertPath       // OpenSSL/LibreSSL-based tools
-		extraEnv["SSL_CERT_DIR"] = configDir         // OpenSSL certificate directory
-		extraEnv["CURL_CA_BUNDLE"] = caCertPath      // curl
-		extraEnv["GIT_SSL_CAINFO"] = caCertPath      // Git
-		extraEnv["REQUESTS_CA_BUNDLE"] = caCertPath  // Python requests
-		extraEnv["NODE_EXTRA_CA_CERTS"] = caCertPath // Node.js
-		extraEnv["JAIL_CA_CERT"] = string(caCertPEM) // Keep for backward compatibility
-	}
-
-	// Open jail (starts network namespace and proxy server)
-	err = jailInstance.Open()
-	if err != nil {
-		logger.Error("Failed to open jail", "error", err)
-		return fmt.Errorf("failed to open jail: %v", err)
+		jailInstance.CommandExecutor().SetEnv("SSL_CERT_FILE", caCertPath)       // OpenSSL/LibreSSL-based tools
+		jailInstance.CommandExecutor().SetEnv("SSL_CERT_DIR", configDir)         // OpenSSL certificate directory
+		jailInstance.CommandExecutor().SetEnv("CURL_CA_BUNDLE", caCertPath)      // curl
+		jailInstance.CommandExecutor().SetEnv("GIT_SSL_CAINFO", caCertPath)      // Git
+		jailInstance.CommandExecutor().SetEnv("REQUESTS_CA_BUNDLE", caCertPath)  // Python requests
+		jailInstance.CommandExecutor().SetEnv("NODE_EXTRA_CA_CERTS", caCertPath) // Node.js
+		jailInstance.CommandExecutor().SetEnv("JAIL_CA_CERT", string(caCertPEM)) // Keep for backward compatibility
 	}
 
 	// Create context for graceful shutdown
@@ -271,4 +267,4 @@ func Run(config Config, args []string) error {
 	}
 
 	return nil
-}
+}
diff --git a/jail.go b/jail.go
@@ -68,6 +68,10 @@ func (j *Jail) Command(command []string) *exec.Cmd {
 	return j.commandExecutor.Command(command)
 }
 
+func (j *Jail) CommandExecutor() Commander {
+	return j.commandExecutor
+}
+
 func (j *Jail) Close() error {
 	// Cancel context to stop proxy server
 	if j.cancel != nil {
diff --git a/namespace/linux.go b/namespace/linux.go
@@ -9,6 +9,7 @@ import (
 	"os/exec"
 	"os/user"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"
 )
@@ -18,7 +19,7 @@ type Linux struct {
 	config      Config
 	namespace   string
 	logger      *slog.Logger
-	preparedEnv []string
+	preparedEnv map[string]string
 	procAttr    *syscall.SysProcAttr
 }
 
@@ -62,11 +63,13 @@ func (l *Linux) Open() error {
 
 	// Prepare environment once during setup
 	l.logger.Debug("Preparing environment")
-	env := os.Environ()
+	l.preparedEnv = make(map[string]string)
 
-	// Add extra environment variables from config
-	for key, value := range l.config.Env {
-		env = append(env, fmt.Sprintf("%s=%s", key, value))
+	// Start with current environment
+	for _, envVar := range os.Environ() {
+		if parts := strings.SplitN(envVar, "=", 2); len(parts) == 2 {
+			l.preparedEnv[parts[0]] = parts[1]
+		}
 	}
 
 	// When running under sudo, restore essential user environment variables
@@ -75,18 +78,15 @@ func (l *Linux) Open() error {
 		user, err := user.Lookup(sudoUser)
 		if err == nil {
 			// Set HOME to original user's home directory
-			env = append(env, fmt.Sprintf("HOME=%s", user.HomeDir))
+			l.preparedEnv["HOME"] = user.HomeDir
 			// Set USER to original username
-			env = append(env, fmt.Sprintf("USER=%s", sudoUser))
+			l.preparedEnv["USER"] = sudoUser
 			// Set LOGNAME to original username (some tools check this instead of USER)
-			env = append(env, fmt.Sprintf("LOGNAME=%s", sudoUser))
+			l.preparedEnv["LOGNAME"] = sudoUser
 			l.logger.Debug("Restored user environment", "home", user.HomeDir, "user", sudoUser)
 		}
 	}
 
-	// Store prepared environment for use in Command method
-	l.preparedEnv = env
-
 	// Prepare process credentials once during setup
 	l.logger.Debug("Preparing process credentials")
 	var gid, uid int
@@ -117,7 +117,7 @@ func (l *Linux) Open() error {
 
 // SetEnv sets an environment variable for commands run in the namespace
 func (l *Linux) SetEnv(key string, value string) {
-
+	l.preparedEnv[key] = value
 }
 
 // Command returns an exec.Cmd configured to run within the network namespace
@@ -133,7 +133,11 @@ func (l *Linux) Command(command []string) *exec.Cmd {
 	cmd := exec.Command("ip", cmdArgs[1:]...)
 
 	// Use prepared environment from Open method
-	cmd.Env = l.preparedEnv
+	env := make([]string, 0, len(l.preparedEnv))
+	for key, value := range l.preparedEnv {
+		env = append(env, fmt.Sprintf("%s=%s", key, value))
+	}
+	cmd.Env = env
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
diff --git a/namespace/macos.go b/namespace/macos.go
@@ -25,7 +25,7 @@ type MacOSNetJail struct {
 	pfRulesPath   string
 	mainRulesPath string
 	logger        *slog.Logger
-	preparedEnv   []string
+	preparedEnv   map[string]string
 	procAttr      *syscall.SysProcAttr
 }
 
@@ -63,11 +63,13 @@ func (m *MacOSNetJail) Open() error {
 
 	// Prepare environment once during setup
 	m.logger.Debug("Preparing environment")
-	env := os.Environ()
+	m.preparedEnv = make(map[string]string)
 
-	// Add extra environment variables from config
-	for key, value := range m.config.Env {
-		env = append(env, fmt.Sprintf("%s=%s", key, value))
+	// Start with current environment
+	for _, envVar := range os.Environ() {
+		if parts := strings.SplitN(envVar, "=", 2); len(parts) == 2 {
+			m.preparedEnv[parts[0]] = parts[1]
+		}
 	}
 
 	// When running under sudo, restore essential user environment variables
@@ -76,18 +78,15 @@ func (m *MacOSNetJail) Open() error {
 		user, err := user.Lookup(sudoUser)
 		if err == nil {
 			// Set HOME to original user's home directory
-			env = append(env, fmt.Sprintf("HOME=%s", user.HomeDir))
+			m.preparedEnv["HOME"] = user.HomeDir
 			// Set USER to original username
-			env = append(env, fmt.Sprintf("USER=%s", sudoUser))
+			m.preparedEnv["USER"] = sudoUser
 			// Set LOGNAME to original username (some tools check this instead of USER)
-			env = append(env, fmt.Sprintf("LOGNAME=%s", sudoUser))
+			m.preparedEnv["LOGNAME"] = sudoUser
 			m.logger.Debug("Restored user environment", "home", user.HomeDir, "user", sudoUser)
 		}
 	}
 
-	// Store prepared environment for use in Command method
-	m.preparedEnv = env
-
 	// Prepare process credentials once during setup
 	m.logger.Debug("Preparing process credentials")
 	procAttr := &syscall.SysProcAttr{
@@ -123,7 +122,7 @@ func (m *MacOSNetJail) Open() error {
 
 // SetEnv sets an environment variable for commands run in the namespace
 func (m *MacOSNetJail) SetEnv(key string, value string) {
-
+	m.preparedEnv[key] = value
 }
 
 // Execute runs the command with the network jail group membership
@@ -136,7 +135,11 @@ func (m *MacOSNetJail) Command(command []string) *exec.Cmd {
 	m.logger.Debug("Full command args", "args", command)
 
 	// Use prepared environment from Open method
-	cmd.Env = m.preparedEnv
+	env := make([]string, 0, len(m.preparedEnv))
+	for key, value := range m.preparedEnv {
+		env = append(env, fmt.Sprintf("%s=%s", key, value))
+	}
+	cmd.Env = env
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin
@@ -362,4 +365,4 @@ func (m *MacOSNetJail) cleanupTempFiles() {
 	if m.mainRulesPath != "" {
 		os.Remove(m.mainRulesPath)
 	}
-}
+}
diff --git a/namespace/namespace.go b/namespace/namespace.go
@@ -17,7 +17,6 @@ const (
 type Config struct {
 	HTTPPort  int
 	HTTPSPort int
-	Env       map[string]string
 }
 
 // NewJail creates a new NetJail instance for the current platform
@@ -34,4 +33,4 @@ func New(config Config, logger *slog.Logger) (jail.Commander, error) {
 
 func newNamespaceName() string {
 	return fmt.Sprintf("%s_%d", namespacePrefix, time.Now().UnixNano()%10000000)
-}
+}
