From 4dd09c88bc8078b39a8348cd5b5b224ae0587e72 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Wed, 6 Jan 2021 16:53:55 +0100
Subject: join: misc improvements

* don't mess with umask of root, it could be more strict than user umask and relaxing it may catch root by surprise
* join needs execveat syscall, need to drop it post-exec
* make things more explicit
---
 src/firejail/join.c | 10 ++++------
 src/lib/syscall.c | 1 +
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/firejail/join.c b/src/firejail/join.c
index d2f802add..4f0210f95 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -296,7 +296,7 @@ static void extract_umask(pid_t pid) {
 fprintf(stderr, "Error: cannot open umask file\n");
 exit(1);
 }
- if (fscanf(fp, "%o", &orig_umask) != 1) {
+ if (fscanf(fp, "%3o", &orig_umask) != 1) {
 fprintf(stderr, "Error: cannot read umask\n");
 exit(1);
 }
@@ -335,7 +335,7 @@ bool is_ready_for_join(const pid_t pid) {
 struct stat s;
 if (fstat(fd, &s) == -1)
 errExit("fstat");
- if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+ if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) {
 close(fd);
 return false;
 }
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_x11_display(parent);
 int shfd = -1;
- if (!arg_shell_none)
+ if (!arg_shell_none && !arg_audit)
 shfd = open_shell();
 EUID_ROOT();
@@ -423,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_cgroup(pid);
 extract_nogroups(pid);
 extract_user_namespace(pid);
+ extract_umask(pid);
 #ifdef HAVE_APPARMOR
 extract_apparmor(pid);
 #endif
@@ -432,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (cfg.cgroup) // not available for uid 0
 set_cgroup(cfg.cgroup);
- // set umask, also uid 0
- extract_umask(pid);
-
 // join namespaces
 if (arg_join_network) {
 if (join_namespace(pid, "net"))
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 4903971ad..6823d0ae6 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
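Review bot: In extract_umask, the new `%3o` field width caps the parsed value at 0777, but nothing at the call says so, and any characters after the third digit are ignored rather than rejected. I would add a comment above the `fscanf`, `// a umask has at most three octal digits; the field width keeps a malformed file from yielding a larger value`. The function starts and ends outside this hunk, so where `fp` comes from and how `orig_umask` is declared cannot be checked from here.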
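Review bot: The added `s.st_size != 1` condition in is_ready_for_join hard-codes the expected size of the file behind `fd` without saying why exactly one byte is the only valid size. Doing the check with `fstat` on the already-open descriptor is sound, but the contract should be written down, e.g. `// accept only a root-owned regular file of exactly one byte` before the `if`. The code that reads the file afterwards is outside the hunk, so it is worth confirming that it bounds its read as well.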
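Review bot: With `&& !arg_audit` added to the condition in join(), `shfd` now stays at -1 whenever auditing is requested, even when a shell is configured. Every later use of `shfd` lies outside this hunk, so it should be confirmed that the audit path never hands -1 to a descriptor-based call and that both ways of reaching -1 (`arg_shell_none` and `arg_audit`) are handled alike. If the intent is that auditing needs no shell descriptor, a comment such as `// no shell descriptor is opened when auditing` on the `if` would make that explicit.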
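Review bot: The relocated `extract_umask(pid);` at new line 426 has no comment, whereas the lines removed further down documented the old behaviour with `// set umask, also uid 0`. The commit message says root's umask must no longer be touched, which presumably depends on a condition enclosing these extract_* calls that is not visible in the hunk. I would record that at the call, e.g. `extract_umask(pid); // not for uid 0: root keeps its own, possibly stricter, umask`, so that a later reorder does not silently bring back the relaxed umask for root.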
@@ -336,6 +336,7 @@ static const SyscallGroupList sysgroups[] = {
 #endif
 },
 { .name = "@default-keep", .list =
+ "execveat," // commonly used by fexecve
 "execve,"
 "prctl"
 },
--
cgit v1.2.3-70-g09d2
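Review bot: Adding `"execveat,"` to `@default-keep` presumably widens the allow-list for every filter that pulls in this group, not only for the join path that needs it, and the comment `// commonly used by fexecve` does not say so. The commit message states the syscall needs to be dropped post-exec, yet no hunk in this patch does that; if it is handled elsewhere the comment should point there, otherwise it remains an open item. Suggested wording: `// needed by fexecve (used by join); see commit message: to be dropped post-exec`. The `sysgroups[]` initializer starts and ends outside the hunk.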