nitpick:

- #define LEN(x) sizeof(x) / sizeof(*x)
+ #define LEN(x) (sizeof(x) / sizeof(*x))

missing check if malloc failed.

Thanks!

missing check if malloc failed. Consider to use calloc, zero initialized memory is usually easier to debug.

What is the gain of strncmp here? You compute strlen first based on env_blacklist[i].

Because I only need to partially match the string. Example of valid entry in env_blacklist would be PWD=, example of *envp that would be blacklisted is PWD=/home/user.

The second parameter should be the index of the first '=' in the string indeed.

@dezgeg I don't think I understand. Could you elaborate?

Sorry, that comment was a brain fart. But consider the case where env_blacklist contains FOO and *envp is FOOBAR.

Yeah, the point was that env_blacklist elements would always end with an equal sign. But unsetenv approach is much better. Also I've discovered environ only today.

a for loop incrementing envp would be slightly more readable here.

Agreed!

path is not freed.

It should not be freed, the point is to allocate enough memory to hold combined string to reduce boilerplate. free() happens at other places.

strcpy() can't fail, btw.

Thanks!

path is not freed

See above.

Neither can strcat().

Should check return value of stat -> buf could even contain the result of previous values stat calls.

You are right, I'll reimplement this on top of opendir.

Directory is not closed and memory is not freed in error case.

I don't understand why this has to be done. I'll read up on it.

I think this should be handled by exit, not manually. Directories, files and memory are handled by default, and if there's something that is not handled in a larger program, atexit callback should be used.

Write return code to a local variable instead of line wrapping here for readability.

Line wrapping will go away if I rename nftw_rm.

LEN() returns something completely wrong here Ok it's correct after all.

I don't think so:

$ cat example.c
#include <stdio.h>

#define LEN(x) sizeof(x) / sizeof(*x)

char *zzz[] = {"a", "b", "c"};

int main() {
  printf("%lu\n", LEN(zzz));
  return 0;
}
$ nix-shell -p gcc gnumake --run 'make example'
$ ./example
3

I think the code for the blacklist approach would be much simpler if you just used execvp() and just modified the current environment with unsetenv().

I agree, I'm going to do that. Thanks!

This whole function could just be asprintf(&ret, "%s%s", dir, name)

or in C++: dir + name. ;)

I know it could be asprintf, but it's cleaner this way. Check previous chrootenv version, I've used asprintf.

How is it cleaner to write 13 lines of code to replace 1 line?

It has better semantics.

There is no template, only concatenation, while asprintf has its own DSL.

But every C programmer who reads asprintf(&ret, "%s%s", x, y) immediately knows it's just concatenating two strings.

And in fact you're using this in precisely one place, with a constant string as the other arg. Just

char *host_target = strjoin("host/", prefix_dirent->d_name)

->

char *host_target;
asprintf(&host_target, "host/%s", prefix_dirent->d_name);

to make it even more simpler.

OK, point taken. errorf uses the same DSL anyway so it seems there is not much use in implementing simpler asprintf, at least not without dropping errorf.

const char * const bind_blacklist[] etc.

Isn't this variable totally unused?

Ah it's supposed to be a constant... const char * const then.

It's unused for now.

This variable is supposed to be filled in presumably when @abbradar gets better.

Then I would add a TODO comment.

Will do!

root is not removed in the error case.