authorMatthias Beyer <mail@beyermatthias.de>2020-12-08 14:16:51 +0100
committerMatthias Beyer <mail@beyermatthias.de>2020-12-08 14:47:58 +0100
commite2bce1e321313408957938302815640b095ddec9 (patch)
tree2e1a36beae85a36b8d8b377a218c1e26c7cd1f59 /config.toml
parent25ffcbbd37a983d2031a6aa172730d6957b0a6a6 (diff)
Implement checking of allowed environment variables
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
Diffstat (limited to 'config.toml')
-rw-r--r--config.toml20
1 files changed, 17 insertions, 3 deletions
diff --git a/config.toml b/config.toml
index 1cd9626..e68b206 100644
--- a/config.toml
+++ b/config.toml
@@ -125,7 +125,21 @@ maxjobs = 1
[containers]
-# environment variables which are allowed during container start
-# This way, errors (typos) when passing environment to a build can be prevented
-allowed_env = [ "PATH" ]
+
+# Restrict the environment that can be passed to the containers
+#
+# This is a security mechansim to prevent typos when passing environment
+# variables (either from package definition or from CLI) to the build jobs in
+# the containers.
+#
+# If this is set to `true`, only the variables named in `allowed_env` will be
+# allowed to be passed to the container. If a variable is not in this list,
+# butido will fail with an error message.
+#
+check_env_names = true
+
+# Environment variables which are allowed to be passed to a container.
+# This way, errors (typos) when passing environment to a build can be prevented.
+# Double-check this list
+allowed_env = [ "FOO", "BAR" ]
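Review bot: The last added line replaces the previous allowlist `[ "PATH" ]` with the placeholder names `[ "FOO", "BAR" ]` while `check_env_names = true` is switched on in the same hunk, so anyone who deploys this file unchanged gets an allowlist that matches no real variable and, going by the comment above it, a hard error for every name a package or the CLI actually passes. Replace "Double-check this list" with a comment that marks the entries as examples, e.g. `# Placeholder names: replace with the exact variables your builds need and keep the list minimal`. The comment block for `check_env_names` describes only the `true` case; it should also state what `false` does (presumably no name check at all, to be confirmed against the implementation) so an operator knows what is given up by turning it off. "mechansim" in the first comment paragraph should read "mechanism", and because the text describes a check on variable names only, it would help to say that values are not validated by this setting, if that is the case.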