Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 21 |
1 files changed, 21 insertions, 0 deletions
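--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -126,6 +126,19 @@ void save_nogroups(void) {
 
 }
 
+void save_umask(void) {
+FILE *fp = fopen(RUN_UMASK_FILE, "wxe");
+if (fp) {
+fprintf(fp, "%o\n", orig_umask);
+SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
+fclose(fp);
+}
+else {
+fprintf(stderr, "Error: cannot save umask\n");
+exit(1);
+}
+}
+
 static void sandbox_if_up(Bridge *br) {
 assert(br);
 if (!br->configured)
@@ -367,6 +380,9 @@ void start_application(int no_sandbox) {
 env_defaults();
 env_apply();
 }
+// restore original umask
+umask(orig_umask);
+
 if (arg_debug) {
 printf("starting application\n");
 printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
@@ -555,6 +571,11 @@ int sandbox(void* sandbox_arg) {
 fs_logger("install mount namespace");
 
 //****************************
+// save the umask
+//****************************
+save_umask();
+
+//****************************
 // netfilter
 //****************************
 if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter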
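Review bot: In `save_umask`, the return values of `fprintf` and `fclose` are ignored, so a failed or short write leaves an empty or truncated RUN_UMASK_FILE while the sandbox carries on. Whatever reads that file later (the reader is not in this diff) would then see a missing or wrong mask. The open already fails closed through `"wxe"` and `exit(1)`, and the write should do the same: `if (fprintf(fp, "%o\n", orig_umask) < 0 || fflush(fp) != 0) { fprintf(stderr, "Error: cannot save umask\n"); exit(1); }`. The comment `// assume mode 0644` would read better as a statement of intent, for example `// root-owned, world-readable, not writable by the sandboxed user`, if that is what is meant. In `start_application`, whose body continues outside the hunk, the comment on `umask(orig_umask)` could also say that every file created from this point on uses the caller's mask.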