Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 32 |
1 files changed, 25 insertions, 7 deletions
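--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -109,7 +109,7 @@ static void set_caps(void) {
 caps_drop_dac_override();
 }
 
-void save_nogroups(void) {
+static void save_nogroups(void) {
 if (arg_nogroups == 0)
 return;
 
@@ -126,7 +126,23 @@ void save_nogroups(void) {
 
 }
 
-void save_umask(void) {
+static void save_nonewprivs(void) {
+if (arg_nonewprivs == 0)
+return;
+
+FILE *fp = fopen(RUN_NONEWPRIVS_CFG, "wxe");
+if (fp) {
+fprintf(fp, "\n");
+SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
+fclose(fp);
+}
+else {
+fprintf(stderr, "Error: cannot save nonewprivs state\n");
+exit(1);
+}
+}
+
+static void save_umask(void) {
 FILE *fp = fopen(RUN_UMASK_FILE, "wxe");
 if (fp) {
 fprintf(fp, "%o\n", orig_umask);
@@ -597,11 +613,6 @@ int sandbox(void* sandbox_arg) {
 fs_logger("install mount namespace");
 
 //****************************
-// save the umask
-//****************************
-save_umask();
-
-//****************************
 // netfilter
 //****************************
 if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter
@@ -750,10 +761,17 @@ int sandbox(void* sandbox_arg) {
 need_preload = arg_trace || arg_tracelog;
 arg_seccomp = 1;
 }
+
 // trace pre-install
 if (need_preload)
 fs_trace_preload();
 
+// state of nonewprivs
+save_nonewprivs();
+
+// save original umask
+save_umask();
+
 // store hosts file
 if (cfg.hosts_file)
 fs_store_hosts_file();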
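Review bot: In save_nonewprivs() the results of `fprintf(fp, "\n")` and `fclose(fp)` are ignored, and nothing says whether readers of RUN_NONEWPRIVS_CFG test for the file's existence or its content; if existence is the signal, say so above the function, e.g. `// marker file: its existence means the sandbox was started with nonewprivs; the content is unused`. The marker is written from `arg_nonewprivs`, so it records the request rather than the outcome of applying no_new_privs, which happens outside these hunks; a consumer that restores this state for another process should not treat the file as proof that the restriction took effect. The inline comment `// assume mode 0644` does not say what is assumed and would read better as the reason the file is owned by uid 0/gid 0 with mode 0644.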