diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-01-06 16:53:55 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2021-01-06 16:53:55 +0100 |
| commit | 4dd09c88bc8078b39a8348cd5b5b224ae0587e72 (patch) | |
| tree | 6075e77fc1f91bca2cded5a1917cf6080c35c292 /src | |
| parent | fix preview in apostrophe (diff) | |
| download | firejail-4dd09c88bc8078b39a8348cd5b5b224ae0587e72.tar.gz firejail-4dd09c88bc8078b39a8348cd5b5b224ae0587e72.tar.zst firejail-4dd09c88bc8078b39a8348cd5b5b224ae0587e72.zip | |
join: misc improvements
* don't mess with umask of root, it could be more strict
than user umask and relaxing it may catch root by surprise
* join needs execveat syscall, need to drop it post-exec
* make things more explicit
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/join.c | 10 | ||||
| -rw-r--r-- | src/lib/syscall.c | 1 |
2 files changed, 5 insertions, 6 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c index d2f802add..4f0210f95 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
| @@ -296,7 +296,7 @@ static void extract_umask(pid_t pid) { | |||
| 296 | fprintf(stderr, "Error: cannot open umask file\n"); | 296 | fprintf(stderr, "Error: cannot open umask file\n"); |
| 297 | exit(1); | 297 | exit(1); |
| 298 | } | 298 | } |
| 299 | if (fscanf(fp, "%o", &orig_umask) != 1) { | 299 | if (fscanf(fp, "%3o", &orig_umask) != 1) { |
| 300 | fprintf(stderr, "Error: cannot read umask\n"); | 300 | fprintf(stderr, "Error: cannot read umask\n"); |
| 301 | exit(1); | 301 | exit(1); |
| 302 | } | 302 | } |
| @@ -335,7 +335,7 @@ bool is_ready_for_join(const pid_t pid) { | |||
| 335 | struct stat s; | 335 | struct stat s; |
| 336 | if (fstat(fd, &s) == -1) | 336 | if (fstat(fd, &s) == -1) |
| 337 | errExit("fstat"); | 337 | errExit("fstat"); |
| 338 | if (!S_ISREG(s.st_mode) || s.st_uid != 0) { | 338 | if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) { |
| 339 | close(fd); | 339 | close(fd); |
| 340 | return false; | 340 | return false; |
| 341 | } | 341 | } |
| @@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 411 | extract_x11_display(parent); | 411 | extract_x11_display(parent); |
| 412 | 412 | ||
| 413 | int shfd = -1; | 413 | int shfd = -1; |
| 414 | if (!arg_shell_none) | 414 | if (!arg_shell_none && !arg_audit) |
| 415 | shfd = open_shell(); | 415 | shfd = open_shell(); |
| 416 | 416 | ||
| 417 | EUID_ROOT(); | 417 | EUID_ROOT(); |
| @@ -423,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 423 | extract_cgroup(pid); | 423 | extract_cgroup(pid); |
| 424 | extract_nogroups(pid); | 424 | extract_nogroups(pid); |
| 425 | extract_user_namespace(pid); | 425 | extract_user_namespace(pid); |
| 426 | extract_umask(pid); | ||
| 426 | #ifdef HAVE_APPARMOR | 427 | #ifdef HAVE_APPARMOR |
| 427 | extract_apparmor(pid); | 428 | extract_apparmor(pid); |
| 428 | #endif | 429 | #endif |
| @@ -432,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 432 | if (cfg.cgroup) // not available for uid 0 | 433 | if (cfg.cgroup) // not available for uid 0 |
| 433 | set_cgroup(cfg.cgroup); | 434 | set_cgroup(cfg.cgroup); |
| 434 | 435 | ||
| 435 | // set umask, also uid 0 | ||
| 436 | extract_umask(pid); | ||
| 437 | |||
| 438 | // join namespaces | 436 | // join namespaces |
| 439 | if (arg_join_network) { | 437 | if (arg_join_network) { |
| 440 | if (join_namespace(pid, "net")) | 438 | if (join_namespace(pid, "net")) |
diff --git a/src/lib/syscall.c b/src/lib/syscall.c index 4903971ad..6823d0ae6 100644 --- a/src/lib/syscall.c +++ b/src/lib/syscall.c | |||
| @@ -336,6 +336,7 @@ static const SyscallGroupList sysgroups[] = { | |||
| 336 | #endif | 336 | #endif |
| 337 | }, | 337 | }, |
| 338 | { .name = "@default-keep", .list = | 338 | { .name = "@default-keep", .list = |
| 339 | "execveat," // commonly used by fexecve | ||
| 339 | "execve," | 340 | "execve," |
| 340 | "prctl" | 341 | "prctl" |
| 341 | }, | 342 | }, |