authorLibravatar smitsohu <smitsohu@gmail.com>2018-07-16 01:53:11 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2018-07-16 01:53:11 +0200
commitea04ab987de24ab7088ac06c3310ee10aa99fa16 (patch)
tree6353837f7489430bdb29c1bd5da93c61f9353fc5
parentrework fix for empty spaces in mountinfo fields (diff)
set umask for internal use
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/join.c19
-rw-r--r--src/firejail/main.c13
-rw-r--r--src/firejail/run_symlink.c3
-rw-r--r--src/firejail/sandbox.c21
5 files changed, 55 insertions, 3 deletions
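--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -98,6 +98,7 @@
 #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
 #define RUN_GROUP_FILE "/run/firejail/mnt/group"
 #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger"
+#define RUN_UMASK_FILE "/run/firejail/mnt/umask"
 #define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot"
 
 
@@ -391,6 +392,7 @@ extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
+extern mode_t orig_umask;
 extern unsigned long long start_timestamp;
 
 #define MAX_ARGS 128 // maximum number of command arguments (argc)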
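--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -205,6 +205,22 @@ static void extract_user_namespace(pid_t pid) {
 	free(uidmap);
 }
 
+static void extract_umask(pid_t pid) {
+	char *fname;
+	if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_UMASK_FILE) == -1)
+		errExit("asprintf");
+
+	FILE *fp = fopen(fname, "re");
+	free(fname);
+	if (!fp)
+		return;
+	if (fscanf(fp, "%4o", &orig_umask) < 1) {
+		fprintf(stderr, "Error: cannot read umask\n");
+		exit(1);
+	}
+	fclose(fp);
+}
+
 void join(pid_t pid, int argc, char **argv, int index) {
 	EUID_ASSERT();
 	char *homedir = cfg.homedir;
@@ -254,6 +270,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	if (cfg.cgroup) // not available for uid 0
 		set_cgroup(cfg.cgroup);
 
+	// get umask, it will be set by start_application()
+	extract_umask(pid);
+
 	// join namespaces
 	if (arg_join_network) {
 		if (join_namespace(pid, "net"))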
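Review bot: In extract_umask, `fscanf(fp, "%4o", &orig_umask)` passes a `mode_t *` where `%o` requires `unsigned int *`; the two coincide on glibc, but the type does not guarantee it, and the parsed value comes from a file under the target sandbox's `/proc/<pid>/root` and is handed to `umask()` later without any range check. Parsing into a local and keeping only permission bits removes both concerns: `unsigned int m;` / `if (fscanf(fp, "%4o", &m) < 1) { ... }` / `orig_umask = m & 0777;`. The silent `return` when the file cannot be opened leaves whatever `orig_umask` already held, which looks intentional as a fallback for older sandboxes; a comment such as `// no saved umask in this sandbox, keep the default` would make that explicit. The `fclose` on the success path is unchecked, which is harmless for a read-only stream.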
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ef8d8172f..42ed504f9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -135,6 +135,7 @@ char *fullargv[MAX_ARGS]; // expanded argv for restricted shell
135int fullargc = 0; 135int fullargc = 0;
136static pid_t child = 0; 136static pid_t child = 0;
137pid_t sandbox_pid; 137pid_t sandbox_pid;
138mode_t orig_umask = 022;
138unsigned long long start_timestamp; 139unsigned long long start_timestamp;
139 140
140static void clear_atexit(void) { 141static void clear_atexit(void) {
@@ -833,7 +834,9 @@ static void run_builder(int argc, char **argv) {
833 errExit("setgid/getgid"); 834 errExit("setgid/getgid");
834 if (setuid(getuid()) < 0) 835 if (setuid(getuid()) < 0)
835 errExit("setuid/getuid"); 836 errExit("setuid/getuid");
837
836 assert(getenv("LD_PRELOAD") == NULL); 838 assert(getenv("LD_PRELOAD") == NULL);
839 umask(orig_umask);
837 840
838 argv[0] = LIBDIR "/firejail/fbuilder"; 841 argv[0] = LIBDIR "/firejail/fbuilder";
839 execvp(argv[0], argv); 842 execvp(argv[0], argv);
@@ -858,6 +861,9 @@ int main(int argc, char **argv) {
858 EUID_INIT(); 861 EUID_INIT();
859 EUID_USER(); 862 EUID_USER();
860 863
864 // sanitize the umask
865 orig_umask = umask(022);
866
861 // check if the user is allowed to use firejail 867 // check if the user is allowed to use firejail
862 init_cfg(argc, argv); 868 init_cfg(argc, argv);
863 869
@@ -991,9 +997,10 @@ int main(int argc, char **argv) {
991 EUID_USER();} 997 EUID_USER();}
992#endif 998#endif
993 999
994 drop_privs(1); 1000 drop_privs(1);
995 int rv = system(argv[2]); 1001 umask(orig_umask);
996 exit(rv); 1002 int rv = system(argv[2]);
1003 exit(rv);
997 } 1004 }
998 } 1005 }
999 } 1006 }
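Review bot: The new global `mode_t orig_umask = 022;` in the first hunk has no comment, yet its lifecycle spans this file, join.c and sandbox.c, so a reader cannot tell from the definition what the value means or why 022 is the initializer. Suggest `mode_t orig_umask = 022; // caller's umask, captured in main() by umask(022) and restored right before the user's program is started`. The `// sanitize the umask` comment above `orig_umask = umask(022);` would read better as `// capture the caller's umask and use 022 for firejail's own files until the program is started`, since the point is to decouple firejail's internal file creation from the caller's setting. If 022 is also meant as the fallback when a joined sandbox has no saved umask file, that is worth stating at the definition as well. The enclosing main() continues outside the last hunk.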
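--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -89,6 +89,9 @@ void run_symlink(int argc, char **argv, int run_as_is) {
 
 	free(selfpath);
 
+	// restore original umask
+	umask(orig_umask);
+
 	// desktop integration is not supported for root user; instead, the original program is started
 	if (getuid() == 0 || run_as_is) {
 		argv[0] = program;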
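--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -126,6 +126,19 @@ void save_nogroups(void) {
 
 }
 
+void save_umask(void) {
+	FILE *fp = fopen(RUN_UMASK_FILE, "wxe");
+	if (fp) {
+		fprintf(fp, "%o\n", orig_umask);
+		SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
+		fclose(fp);
+	}
+	else {
+		fprintf(stderr, "Error: cannot save umask\n");
+		exit(1);
+	}
+}
+
 static void sandbox_if_up(Bridge *br) {
 	assert(br);
 	if (!br->configured)
@@ -367,6 +380,9 @@ void start_application(int no_sandbox) {
 		env_defaults();
 		env_apply();
 	}
+	// restore original umask
+	umask(orig_umask);
+
 	if (arg_debug) {
 		printf("starting application\n");
 		printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
@@ -555,6 +571,11 @@ int sandbox(void* sandbox_arg) {
 	fs_logger("install mount namespace");
 
 	//****************************
+	// save the umask
+	//****************************
+	save_umask();
+
+	//****************************
 	// netfilter
 	//****************************
 	if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter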
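Review bot: save_umask reports failure only when `fopen` fails; the `fprintf` and `fclose` results are discarded, so a short or failed write leaves an empty or truncated RUN_UMASK_FILE behind and the error surfaces only later, as the "cannot read umask" exit in join.c's extract_umask. Checking both keeps the failure at its source: `if (fprintf(fp, "%o\n", orig_umask) < 0) errExit("fprintf");` and `if (fclose(fp) != 0) errExit("fclose");`. The same `mode_t` vs `%o` mismatch noted for the reader applies to this `fprintf`; casting with `(unsigned int)orig_umask` keeps the format and the argument type in agreement on every libc. The `"wxe"` mode and the 0644 permissions look appropriate for a value that is not secret and must not be overwritten once written.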