add support for user-specified environment variables in minijail
Issue description: Programs run with minijail might need environment variables to be set on startup. For example, the HOME variable can be configured to point to the correct directory inside a pivot root. Another example would be setting LD_PRELOAD to override a C library call. This cannot be done in minijail currently because it simply passes environ to execve, meaning the set of environment variables configured before running minijail will be exactly the same as the set of environment variables visible to the program.
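As an added illustration (not code from the issue or from Minijail itself) of the execve behaviour the description refers to: a launcher that passes `environ` straight through gives the child exactly the parent's environment, whereas building a separate envp array lets the launcher set or replace variables such as HOME or LD_PRELOAD for the child only, leaving the parent's environ untouched. The override list, the helper names and the library path are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Length of the KEY part of a "KEY=VALUE" string. */
static size_t key_len(const char *kv) {
    const char *eq = strchr(kv, '=');
    return eq ? (size_t)(eq - kv) : strlen(kv);
}

/* True when two "KEY=VALUE" strings share the same KEY. */
static int same_key(const char *a, const char *b) {
    size_t la = key_len(a), lb = key_len(b);
    return la == lb && memcmp(a, b, la) == 0;
}

/* Build a new NULL-terminated envp for the child: start from `base`
 * (normally the parent's environ), replace any entry whose KEY matches
 * one of `overrides`, and append overrides whose KEY was not present.
 * The returned array is malloc'd and must be freed by the caller; the
 * strings themselves are not copied, so `base` is never modified. */
char **build_envp(char *const *base, char *const *overrides) {
    size_t nbase = 0, nover = 0, n = 0;
    while (base && base[nbase]) nbase++;
    while (overrides && overrides[nover]) nover++;
    char **out = calloc(nbase + nover + 1, sizeof(char *));
    if (!out) return NULL;
    for (size_t i = 0; i < nbase; i++) {
        char *entry = base[i];
        for (size_t j = 0; j < nover; j++)
            if (same_key(base[i], overrides[j])) { entry = overrides[j]; break; }
        out[n++] = entry;
    }
    for (size_t j = 0; j < nover; j++) {
        int found = 0;
        for (size_t i = 0; i < nbase; i++)
            if (same_key(base[i], overrides[j])) { found = 1; break; }
        if (!found) out[n++] = overrides[j];
    }
    out[n] = NULL;
    return out;
}

/* Look up KEY in an envp array; returns its value or NULL if absent. */
const char *envp_get(char *const *envp, const char *key) {
    size_t klen = strlen(key);
    for (size_t i = 0; envp && envp[i]; i++)
        if (strncmp(envp[i], key, klen) == 0 && envp[i][klen] == '=')
            return envp[i] + klen + 1;
    return NULL;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/program [args...]\n", argv[0]);
        return 2;
    }
    /* Assumed, user-specified overrides for the child (placeholder path). */
    char *overrides[] = { "HOME=/", "LD_PRELOAD=/path/to/library_wrapper.so", NULL };
    char **envp = build_envp(environ, overrides);
    if (!envp) { perror("calloc"); return 1; }
    /* Only the child sees the overrides; this process's environ is unchanged. */
    execve(argv[1], argv + 1, envp);
    perror("execve");
    free(envp);
    return 127;
}
```

Run as `./launcher /usr/bin/env` to see the child's environment with HOME and LD_PRELOAD set; `env` run from the same shell afterwards shows the parent was not affected.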
Jul 20 2016
Apologies, I obviously wasn't clear enough on the CL. Can you describe the current situation that's prompting you to need this change?
Jul 26 2016
We have a program that we want to run inside a container that requires write access to USB devices. Our program inside the container will be running as non-root, which means it won't have permissions to open a device with O_RDWR permissions. Our solution to this is to have a preload library that will override the open library call by introducing communication with a service that's running outside the container which can retrieve the file descriptor by forwarding the request to the existing permission broker service. So we need the LD_PRELOAD environment variable to be configured before the program executes but without affecting the parent process's environment.
Aug 4 2016
And this program cannot be modified? And if it cannot be modified, isn't it easier to wrap it in a script that sets the env variable rather than adding a bunch of code to Minijail? Have you guys tried that? Does it work?
Aug 4 2016
Any program we would need this for would be mounted read-only from a squashfs file, and we would in many cases not be the owner of the program. So we would neither be able to modify the program nor create a script that sets the environment variables.
Aug 4 2016
Why can't you include the script in the same squashfs filesystem?

wrap_executable.sh:

    #!/bin/bash
    LD_PRELOAD=/path/to/library_wrapper.so /path/to/executable

If Minijail can be used to launch /path/to/executable, it can be used to launch /path/to/wrap_executable.sh. Am I missing something?
Aug 4 2016
To clarify, I want to avoid adding a hundred lines of code to Minijail for literally a one-off case. This code will then have to be maintained forever after. If we can't change the binary nor wrap the binary, then we can add stuff to Minijail.
Jun 21 2018
Comment 1 by ashishgaurav@chromium.org, Jul 18 2016