mask writable pulseaudio runtime dir

... and don't fail hard without need if there is a FUSE mount

1 files changed, 13 insertions, 2 deletions

diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index b4df78dda..2c360f297 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -23,6 +23,7 @@
 #include <sys/statvfs.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <errno.h>
 #include <sys/wait.h>
 
 #include <fcntl.h>
@@ -133,8 +134,13 @@ void pulseaudio_init(void) {
                 goto out;
         }
         // confirm the actual mount destination is owned by the user
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
+        if (fstat(fd, &s) == -1) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                pulseaudio_set_environment(pulsecfg);
+                goto out;
+        }
         if (s.st_uid != getuid()) {
                 close(fd);
                 pulseaudio_set_environment(pulsecfg);
@@ -169,6 +175,11 @@ void pulseaudio_init(void) {
         pulseaudio_set_environment(p);
         free(p);
 
+        // RUN_PULSE_DIR not needed anymore, mask it
+        if (mount("tmpfs", RUN_PULSE_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mount pulseaudio");
+        fs_logger2("tmpfs", RUN_PULSE_DIR);
+
 out:
         free(pulsecfg);
         free(homeusercfg);