author | smitsohu <smitsohu@gmail.com> | 2021-01-06 16:53:55 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-01-06 16:53:55 +0100 |
commit | 4dd09c88bc8078b39a8348cd5b5b224ae0587e72 (patch) | |
tree | 6075e77fc1f91bca2cded5a1917cf6080c35c292 /src | |
parent | fix preview in apostrophe (diff) | |
join: misc improvements
* don't mess with umask of root, it could be more strict
than user umask and relaxing it may catch root by surprise
* join needs execveat syscall, need to drop it post-exec
* make things more explicit
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/join.c | 10 | ||||
-rw-r--r-- | src/lib/syscall.c | 1 |
2 files changed, 5 insertions, 6 deletions
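--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -296,7 +296,7 @@ static void extract_umask(pid_t pid) {
 fprintf(stderr, "Error: cannot open umask file\n");
 exit(1);
 }
-if (fscanf(fp, "%o", &orig_umask) != 1) {
+if (fscanf(fp, "%3o", &orig_umask) != 1) {
 fprintf(stderr, "Error: cannot read umask\n");
 exit(1);
 }
@@ -335,7 +335,7 @@ bool is_ready_for_join(const pid_t pid) {
 struct stat s;
 if (fstat(fd, &s) == -1)
 errExit("fstat");
-if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) {
 close(fd);
 return false;
 }
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_x11_display(parent);
 
 int shfd = -1;
-if (!arg_shell_none)
+if (!arg_shell_none && !arg_audit)
 shfd = open_shell();
 
 EUID_ROOT();
@@ -423,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_cgroup(pid);
 extract_nogroups(pid);
 extract_user_namespace(pid);
+extract_umask(pid);
 #ifdef HAVE_APPARMOR
 extract_apparmor(pid);
 #endif
@@ -432,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (cfg.cgroup) // not available for uid 0
 set_cgroup(cfg.cgroup);
 
-// set umask, also uid 0
-extract_umask(pid);
-
 // join namespaces
 if (arg_join_network) {
 if (join_namespace(pid, "net"))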
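Review bot: The relocated `extract_umask(pid);` in the `@@ -423,6 +423,7 @@` hunk of join() has no comment, and the one deleted further down (`// set umask, also uid 0`) described the opposite behaviour, so the reason for the move now lives only in the commit message. The condition enclosing the extract_* calls starts outside the hunk; if it is the non-root branch, which the `// not available for uid 0` remark in the next hunk hints at, a comment on the call such as `// skipped for uid 0: root's umask may be stricter than the sandbox's and must not be relaxed` would keep a later cleanup from moving it back. The new `s.st_size != 1` test in is_ready_for_join() has the same gap: nothing at the check says why the file must be exactly one byte.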
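--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -336,6 +336,7 @@ static const SyscallGroupList sysgroups[] = {
 #endif
 },
 { .name = "@default-keep", .list =
+"execveat," // commonly used by fexecve
 "execve,"
 "prctl"
 },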
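Review bot: The comment on the new `"execveat,"` entry says only that fexecve commonly uses it, not that `@default-keep` is being widened for one of firejail's own code paths. The commit message ties the entry to join and says the syscall has to be dropped post-exec; the code that consumes this list is not in the diff, so that cannot be confirmed from here. A comment like `"execveat," // needed by join (fexecve); must be filtered again post-exec` would record the intent next to the allow-list entry. The sysgroups[] initializer starts and ends outside the hunk.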