From e56c09e19f34a0dd6d6d442cc0d2782409a0b53e Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 14 Dec 2018 03:04:07 +0100
Subject: add explicit nonewprivs support to join option; accompanying small improvements
---
 src/firejail/sandbox.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
(limited to 'src/firejail/sandbox.c')
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 95732b95e..2113ef70f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -109,7 +109,7 @@ static void set_caps(void) {
 caps_drop_dac_override();
 }
-void save_nogroups(void) {
+static void save_nogroups(void) {
 if (arg_nogroups == 0)
 return;
@@ -126,7 +126,23 @@ void save_nogroups(void) {
 }
-void save_umask(void) {
+static void save_nonewprivs(void) {
+ if (arg_nonewprivs == 0)
+ return;
+
+ FILE *fp = fopen(RUN_NONEWPRIVS_CFG, "wxe");
+ if (fp) {
+ fprintf(fp, "\n");
+ SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
+ fclose(fp);
+ }
+ else {
+ fprintf(stderr, "Error: cannot save nonewprivs state\n");
+ exit(1);
+ }
+}
+
+static void save_umask(void) {
 FILE *fp = fopen(RUN_UMASK_FILE, "wxe");
 if (fp) {
 fprintf(fp, "%o\n", orig_umask);
@@ -596,11 +612,6 @@ int sandbox(void* sandbox_arg) {
 fs_logger("sandbox filesystem: local");
 fs_logger("install mount namespace");
- //****************************
- // save the umask
- //****************************
- save_umask();
-
 //****************************
 // netfilter
 //****************************
@@ -750,10 +761,17 @@ int sandbox(void* sandbox_arg) {
 need_preload = arg_trace || arg_tracelog;
 arg_seccomp = 1;
 }
+
 // trace pre-install
 if (need_preload)
 fs_trace_preload();
+ // state of nonewprivs
+ save_nonewprivs();
+
+ // save original umask
+ save_umask();
+
 // store hosts file
 if (cfg.hosts_file)
 fs_store_hosts_file();
--
cgit v1.2.3-54-g00ecf
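Review bot: save_nonewprivs() (hunk `@@ -126,7 +126,23 @@`) carries no comment on what RUN_NONEWPRIVS_CFG means, and the only thing written to it is a newline, so a reader cannot tell that the file's existence rather than its content is the recorded state. Going by the commit subject the join path is presumably the consumer, but that code is outside this file's diff, so the contract should be stated here, for example `// marker file: present only when the sandbox was started with nonewprivs; "x" refuses a pre-existing file, "e" sets close-on-exec`. A second line should say that the `exit(1)` branch is deliberate, because a sandbox that was asked for nonewprivs but could not record it would presumably let a later join run without the restriction. The results of `fprintf` and `fclose` are ignored, which is harmless only as long as consumers test for existence and never parse the content; the comment should say that too.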
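Review bot: The two calls added in hunk `@@ -750,10 +761,17 @@` create their files with `fopen(..., "wxe")` and terminate the sandbox on failure, so their position inside sandbox() is an ordering constraint that the comments `// state of nonewprivs` and `// save original umask` do not record. save_umask() previously ran right after `fs_logger("install mount namespace")`; the setup code between the old and new call sites is outside the diff, and sandbox() itself starts and ends outside this hunk, so it is worth confirming that nothing in that stretch remounts or replaces the directory holding RUN_UMASK_FILE and RUN_NONEWPRIVS_CFG before these calls run. I would add a line such as `// both calls create their file exclusively and exit(1) on failure; keep them where that directory is still writable` above the pair, so that a later reordering does not turn into a startup failure.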