move umask from policy to Restrictions (since it affects the after-authentication context)

squell · squell · commit 12024bf687c5 · 2025-06-27T16:09:32.000+02:00
diff --git a/src/common/context.rs b/src/common/context.rs
@@ -96,7 +96,7 @@ impl Context {
             process: Process::new(),
             use_pty: true,
             noexec: false,
-            umask: policy.umask(),
+            umask: Umask::Preserve,
         })
     }
 
diff --git a/src/exec/mod.rs b/src/exec/mod.rs
@@ -50,6 +50,7 @@ impl SpawnNoexecHandler {
 }
 
 #[derive(Debug, Copy, Clone)]
+#[cfg_attr(test, derive(PartialEq))]
 #[repr(u32)]
 pub enum Umask {
     /// Keep the umask of the parent process.
diff --git a/src/sudo/env/environment.rs b/src/sudo/env/environment.rs
@@ -280,6 +280,7 @@ mod tests {
                         chdir: crate::sudoers::DirChange::Strict(None),
                         trust_environment: false,
                         use_pty: true,
+                        umask: crate::exec::Umask::Preserve,
                         #[cfg(feature = "apparmor")]
                         apparmor_profile: None,
                         noexec: false,
diff --git a/src/sudo/env/tests.rs b/src/sudo/env/tests.rs
@@ -172,6 +172,7 @@ fn test_environment_variable_filtering() {
                 use_pty: true,
                 chdir: crate::sudoers::DirChange::Strict(None),
                 trust_environment: false,
+                umask: crate::exec::Umask::Preserve,
                 #[cfg(feature = "apparmor")]
                 apparmor_profile: None,
                 noexec: false,
diff --git a/src/sudo/pipeline.rs b/src/sudo/pipeline.rs
@@ -238,6 +238,7 @@ fn apply_policy_to_context(
     // could be needed, but here we copy these -- perhaps we should split up the Context type
     context.use_pty = controls.use_pty;
     context.noexec = controls.noexec;
+    context.umask = controls.umask;
 
     Ok(())
 }
diff --git a/src/sudoers/mod.rs b/src/sudoers/mod.rs
@@ -15,7 +15,6 @@ use std::path::{Path, PathBuf};
 
 use crate::common::resolve::resolve_path;
 use crate::defaults;
-use crate::exec::Umask;
 use crate::log::auth_warn;
 use crate::system::interface::{GroupId, UnixGroup, UnixUser, UserId};
 use crate::system::{self, can_execute};
@@ -318,26 +317,6 @@ impl Sudoers {
 
         None
     }
-
-    pub(crate) fn umask(&self) -> Umask {
-        if self.settings.umask() == 0o777 {
-            Umask::Preserve
-        } else if self.settings.umask_override() {
-            Umask::Override(
-                self.settings
-                    .umask()
-                    .try_into()
-                    .expect("the umask parser should have prevented overflow"),
-            )
-        } else {
-            Umask::Extend(
-                self.settings
-                    .umask()
-                    .try_into()
-                    .expect("the umask parser should have prevented overflow"),
-            )
-        }
-    }
 }
 
 // a `take_while` variant that does not consume the first non-matching item
diff --git a/src/sudoers/policy.rs b/src/sudoers/policy.rs
@@ -4,6 +4,7 @@ use super::Judgement;
 use crate::common::{
     SudoPath, HARDENED_ENUM_VALUE_0, HARDENED_ENUM_VALUE_1, HARDENED_ENUM_VALUE_2,
 };
+use crate::exec::Umask;
 use crate::sudoers::ast::{ExecControl, Tag};
 use crate::system::{time::Duration, Hostname, User};
 /// Data types and traits that represent what the "terms and conditions" are after a succesful
@@ -59,6 +60,7 @@ pub struct Restrictions<'a> {
     pub env_check: &'a HashSet<String>,
     pub chdir: DirChange<'a>,
     pub path: Option<&'a str>,
+    pub umask: Umask,
     #[cfg(feature = "apparmor")]
     pub apparmor_profile: Option<String>,
 }
@@ -109,6 +111,20 @@ impl Judgement {
                         Some(super::ChDir::Path(path)) => DirChange::Strict(Some(path)),
                     },
                     path: self.settings.secure_path(),
+                    umask: {
+                        let mask = self
+                            .settings
+                            .umask()
+                            .try_into()
+                            .expect("the umask parser should have prevented overflow");
+                        if self.settings.umask() == 0o777 {
+                            Umask::Preserve
+                        } else if self.settings.umask_override() {
+                            Umask::Override(mask)
+                        } else {
+                            Umask::Extend(mask)
+                        }
+                    },
                     #[cfg(feature = "apparmor")]
                     apparmor_profile: tag
                         .apparmor_profile

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ impl Context {`
`96`	`96`	`process: Process::new(),`
`97`	`97`	`use_pty: true,`
`98`	`98`	`noexec: false,`
`99`		`- umask: policy.umask(),`
	`99`	`+ umask: Umask::Preserve,`
`100`	`100`	`})`
`101`	`101`	`}`
`102`	`102`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ impl SpawnNoexecHandler {`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`#[derive(Debug, Copy, Clone)]`
	`53`	`+#[cfg_attr(test, derive(PartialEq))]`
`53`	`54`	`#[repr(u32)]`
`54`	`55`	`pub enum Umask {`
`55`	`56`	`/// Keep the umask of the parent process.`
Original file line number	Diff line number	Diff line change
`@@ -238,6 +238,7 @@ fn apply_policy_to_context(`
`238`	`238`	`// could be needed, but here we copy these -- perhaps we should split up the Context type`
`239`	`239`	`context.use_pty = controls.use_pty;`
`240`	`240`	`context.noexec = controls.noexec;`
	`241`	`+ context.umask = controls.umask;`
`241`	`242`
`242`	`243`	`Ok(())`
`243`	`244`	`}`