racket/sandbox: add sandbox-make-environment-variables

By default, a sandbox gets a fresh environment variable set,
which means that it does not affect environment variables
outside the sandbox (which means that sandboxed code cannot
set the Racket process's OS-level environment variables).

Closes PR 13667

collects/racket/sandbox.rkt

@@ -29,6 +29,7 @@
          sandbox-make-inspector
          sandbox-make-code-inspector
          sandbox-make-logger
+         sandbox-make-environment-variables
          sandbox-memory-limit
          sandbox-eval-limits
          sandbox-eval-handlers
@@ -89,6 +90,7 @@
                  [sandbox-make-inspector      current-inspector]
                  [sandbox-make-code-inspector current-code-inspector]
                  [sandbox-make-logger         current-logger]
+                 [sandbox-make-environment-variables current-environment-variables]
                  [sandbox-memory-limit        #f]
                  [sandbox-eval-limits         #f]
                  [sandbox-eval-handlers       '(#f #f)])
@@ -230,6 +232,11 @@
 
 (define sandbox-make-logger (make-parameter current-logger))
 
+(define sandbox-make-environment-variables (make-parameter
+                                            (lambda ()
+                                              (environment-variables-copy
+                                               (current-environment-variables)))))
+
 (define (compute-permissions for-require for-load)
   ;; `for-require' is a list of module paths and paths that will be `reqiure'd,
   ;; while `for-load' is a list of path (strings) that will be `load'ed.
@@ -909,6 +916,7 @@
     [current-custodian user-cust]
     [current-thread-group (make-thread-group)]
     ;; paths
+    [current-environment-variables ((sandbox-make-environment-variables))]
     [current-library-collection-paths
      (filter directory-exists?
              (append (sandbox-override-collection-paths)

collects/scribblings/reference/sandbox.scrbl

@@ -321,8 +321,9 @@ function.
 
 Invokes the @racket[thunk] in a context where sandbox configuration
 parameters are set for minimal restrictions.  More specifically, there
-are no memory or time limits, and the existing existing inspectors,
+are no memory or time limits, and the existing existing @tech{inspectors},
-security guard, exit handler, and logger are used.  (Note that the I/O
+@tech{security guard}, @tech{exit handler}, @tech{logger}, and 
+@tech{environment variable set} are used.  (Note that the I/O
 ports settings are not included.)}
 
 
@@ -759,6 +760,16 @@ an evaluator, and the default parameter value is
 @racket[current-logger].  This means that it is not creating a new
 logger (this might change in the future).}
 
+
+@defparam[sandbox-make-environment-variables make (-> environment-variables?)]{
+
+A @tech{parameter} that determines the procedure used to create the
+@tech{environment variable set} for sandboxed evaluation.  The
+procedure is called when initializing an evaluator, and the default
+parameter value constructs a new @tech{environment variable set} using
+@racket[(environment-variables-copy
+(current-environment-variables))].}
+
 @; ----------------------------------------------------------------------
 
 @section{Interacting with Evaluators}

collects/tests/racket/sandbox.rktl

@@ -590,6 +590,12 @@
    --eval--
    (syntax-original? #'x) => #t
 
+   --eval--
+   (putenv "APPLE" "AnApple") => #t
+   (getenv "APPLE") => "AnApple"
+   --top--
+   (getenv "APPLE") => #f
+
    ))
 
 (parameterize ([current-module-declare-name (make-resolved-module-path 'junk)])

doc/release-notes/racket/HISTORY.txt

@@ -3,6 +3,7 @@ Added current-environment-variables, environment-variables-get,
  environment-variables-set!, environment-variables-keys,
  environment-variables-copy, bytes-environment-variables-name?,
  string-environment-variables-name?, and environment-variables?
+racket/sadnox: added sandbox-make-environment-variables
 
 Version 5.3.4.1
 Changed JIT to support ARM