From f760f1b5392b71ee2d7636efe2194ae69b522aee Mon Sep 17 00:00:00 2001 From: Sebastian Wick Date: Fri, 29 Aug 2025 12:48:17 +0200 Subject: [PATCH] run: Add --clear-env option for clearing the outside environment --- app/flatpak-builtins-run.c | 4 ++++ common/flatpak-common-types-private.h | 3 ++- common/flatpak-run.c | 10 ++++++++++ doc/flatpak-run.xml | 18 ++++++++++++++---- 4 files changed, 30 insertions(+), 5 deletions(-) diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c index d0a1fb00..b5531e6c 100644 --- a/app/flatpak-builtins-run.c +++ b/app/flatpak-builtins-run.c @@ -61,6 +61,7 @@ static gboolean opt_parent_share_pids; static int opt_instance_id_fd = -1; static char *opt_app_path; static char *opt_usr_path; +static gboolean opt_clear_env; static GOptionEntry options[] = { { "arch", 0, 0, G_OPTION_ARG_STRING, &opt_arch, N_("Arch to use"), N_("ARCH") }, @@ -89,6 +90,7 @@ static GOptionEntry options[] = { { "instance-id-fd", 0, 0, G_OPTION_ARG_INT, &opt_instance_id_fd, N_("Write the instance ID to the given file descriptor"), NULL }, { "app-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_app_path, N_("Use PATH instead of the app's /app"), N_("PATH") }, { "usr-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_usr_path, N_("Use PATH instead of the runtime's /usr"), N_("PATH") }, + { "clear-env", 0, 0, G_OPTION_ARG_NONE, &opt_clear_env, N_("Clear all outside environment variables"), NULL }, { NULL } }; @@ -308,6 +310,8 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError ** flags |= FLATPAK_RUN_FLAG_NO_A11Y_BUS_PROXY; if (!opt_session_bus) flags |= FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY; + if (!opt_clear_env) + flags |= FLATPAK_RUN_FLAG_CLEAR_ENV; if (!flatpak_run_app (app_deploy ? app_ref : runtime_ref, app_deploy, diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h index d7f3913b..0c61e375 100644 --- a/common/flatpak-common-types-private.h +++ b/common/flatpak-common-types-private.h 
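Review bot: The check added in the `@@ -308` hunk of app/flatpak-builtins-run.c is inverted: `if (!opt_clear_env)` sets FLATPAK_RUN_FLAG_CLEAR_ENV when `--clear-env` was not given and leaves it unset when it was. It looks copied from the `NO_*` flags just above, where negating the option is correct because those flags switch something off; this flag switches something on, so the condition should be `if (opt_clear_env)`. As written, a caller who passes `--clear-env` to keep host variables such as tokens or proxy settings out of the sandbox still has them passed through, while every ordinary run gets `--clearenv`. The diffstat shows no test change; a test that runs with and without the option and looks for a marker variable inside the sandbox would catch this. flatpak_builtin_run starts and ends outside the hunk.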
@@ -44,11 +44,12 @@ typedef enum { FLATPAK_RUN_FLAG_SANDBOX = (1 << 14), FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15), FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16), - FLATPAK_RUN_FLAG_CANBUS = (1 << 17), + FLATPAK_RUN_FLAG_CANBUS = (1 << 17), FLATPAK_RUN_FLAG_DO_NOT_REAP = (1 << 18), FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS = (1 << 20), FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS = (1 << 21), + FLATPAK_RUN_FLAG_CLEAR_ENV = (1 << 22), } FlatpakRunFlags; typedef struct FlatpakDir FlatpakDir; diff --git a/common/flatpak-run.c b/common/flatpak-run.c index a64e6894..e6039ee8 100644 --- a/common/flatpak-run.c +++ b/common/flatpak-run.c @@ -728,6 +728,15 @@ apply_exports (char **envp, return envp; } +static void +flatpak_run_apply_env_clear (FlatpakBwrap *bwrap, gboolean clear_env) +{ + if (!clear_env) + return; + + flatpak_bwrap_add_args (bwrap, "--clearenv", NULL); +} + void flatpak_run_apply_env_default (FlatpakBwrap *bwrap, gboolean use_ld_so_cache) { @@ -3268,6 +3277,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref, app_files = g_object_ref (original_app_files); } + flatpak_run_apply_env_clear (bwrap, !!(flags & FLATPAK_RUN_FLAG_CLEAR_ENV)); flatpak_run_apply_env_default (bwrap, use_ld_so_cache); flatpak_run_apply_env_vars (bwrap, app_context); flatpak_run_apply_env_prompt (bwrap, app_id); diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml index 37a12b51..dc2a5f69 100644 --- a/doc/flatpak-run.xml +++ b/doc/flatpak-run.xml 
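Review bot: The call added in the `@@ -3268` hunk of common/flatpak-run.c appears to depend on running before flatpak_run_apply_env_default, flatpak_run_apply_env_vars and flatpak_run_apply_env_prompt, and nothing records that ordering requirement. I would add a comment above it, e.g. `/* Must stay first: --clearenv has to precede every argument that sets or unsets a variable */`, and a one-line doc comment on flatpak_run_apply_env_clear (the `@@ -728` hunk) saying it appends `--clearenv` to the bwrap arguments only when clear_env is TRUE. Not visible in this patch is how variables already held in the FlatpakBwrap's own environment reach bwrap; if they are passed along after this point, they may need to be dropped as well, which is worth confirming. flatpak_run_app starts and ends outside the hunk.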
@@ -80,10 +80,10 @@ Environment variables are generally passed on to the sandboxed application, with - certain exceptions. The application metadata can override environment variables, - as well as the option. Apart from that, Flatpak always - unsets or overrides the following variables, since their session values - are likely to interfere with the functioning of the sandbox: + certain exceptions, if is not specified. The application + metadata can override environment variables, as well as the + option. Apart from that, Flatpak always unsets or overrides the following variables, + since their session values are likely to interfere with the functioning of the sandbox: PATH @@ -585,6 +585,16 @@ key=v1;v2; + + + + + Do not pass environment variables from the outside to the + sandboxed application. Explicitly set and unset environment + variables still get applied. + + +