5 files changed, 14 insertions, 29 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 61d0acd4a..e0be1f06a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -125,10 +125,8 @@ void shm_create_firejail_dir(void) {
        }
        else { // check /dev/shm/firejail directory belongs to root end exit if doesn't!
                if (s.st_uid != 0 || s.st_gid != 0) {
-                        if (firejail_in_firejail == 0) {
+                        fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail");
-                                fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail");
+                        exit(1);
-                                exit(1);
-                        }
                }
        }
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ce2b0e7a5..cb841cc59 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -149,9 +149,6 @@ extern int arg_scan;		// arp-scan all interfaces
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
-extern int firejail_in_firejail;
 #define MAX_ARGS 128            // maximum number of command arguments (argc)
 extern char *fullargv[MAX_ARGS];
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3f8f7176c..f4384faf7 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -44,10 +44,8 @@ void fs_build_firejail_dir(void) {
        }
        else { // check /tmp/firejail directory belongs to root end exit if doesn't!
                if (s.st_uid != 0 || s.st_gid != 0) {
-                        if (firejail_in_firejail == 0) {
+                        fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);
-                                fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);
+                        exit(1);
-                                exit(1);
-                        }
                }
        }
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3a5a21cad..a1e67c298 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -90,7 +90,6 @@ char *fullargv[MAX_ARGS];			// expanded argv for restricted shell
 int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
-int firejail_in_firejail = 0;                   // firejail started in a firejail sandbox
 static void myexit(int rv) {
        logmsg("exiting...");
@@ -114,10 +113,8 @@ static void my_handler(int s){
 static void extract_user_data(void) {
        // check suid
        if (geteuid()) {
-                if (firejail_in_firejail == 0) {
+                fprintf(stderr, "Error: the sandbox is not setuid root\n");
-                        fprintf(stderr, "Error: the sandbox is not setuid root\n");
+                exit(1);
-                        exit(1);
-                }
        }
        struct passwd *pw = getpwuid(getuid());
@@ -392,12 +389,13 @@ int main(int argc, char **argv) {
        // check if we already have a sandbox running
        int rv = check_kernel_procs();
-        if (rv == 0)
+        if (rv == 0) {
-                firejail_in_firejail = 1;
+                // start the program directly without sandboxing
+                run_no_sandbox(argc, argv);
+                // it will never get here!
+                assert(0);
+        }
-        
        // initialize globals
        init_cfg();
        cfg.original_argv = argv;
@@ -697,6 +695,7 @@ int main(int argc, char **argv) {
                        }
                        
                        // extract private home dirname
+printf("here %s:%d\n", __FILE__, __LINE__);                     
                        cfg.home_private = argv[i] + 10;
                        fs_check_private_dir();
                        arg_private = 1;
@@ -974,13 +973,6 @@ int main(int argc, char **argv) {
                }
        }
-        // if a sandbox is already running, start the program directly without sandboxing
-        if (firejail_in_firejail) {
-                run_no_sandbox(argc, argv);
-                // it will never get here!
-                assert(0);
-        }
        // check network configuration options - it will exit if anything went wrong
        net_check_cfg();
        
diff --git a/todo b/todo
index 4185403d1..b62f80b8d 100644
--- a/todo
+++ b/todo
@@ -27,4 +27,4 @@ Warning: failed to unmount /sys
 Child process initialized
 $
-3. default.profile createing problems for  --chroot, --private-home
+3. default.profile creating problems for  --chroot, --private-home

diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 61d0acd4a..e0be1f06a 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c
@@ -125,10 +125,8 @@ void shm_create_firejail_dir(void) {
125	}	125	}
126	else { // check /dev/shm/firejail directory belongs to root end exit if doesn't!	126	else { // check /dev/shm/firejail directory belongs to root end exit if doesn't!
127	if (s.st_uid != 0 \|\| s.st_gid != 0) {	127	if (s.st_uid != 0 \|\| s.st_gid != 0) {
128	if (firejail_in_firejail == 0) {	128	fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail");
129	fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail");	129	exit(1);
130	exit(1);
131	}
132	}	130	}
133	}	131	}
134	}	132	}


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ce2b0e7a5..cb841cc59 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -149,9 +149,6 @@ extern int arg_scan; // arp-scan all interfaces
149	extern int parent_to_child_fds[2];	149	extern int parent_to_child_fds[2];
150	extern int child_to_parent_fds[2];	150	extern int child_to_parent_fds[2];
151	extern pid_t sandbox_pid;	151	extern pid_t sandbox_pid;
152	extern int firejail_in_firejail;
153
154
155		152
156	#define MAX_ARGS 128 // maximum number of command arguments (argc)	153	#define MAX_ARGS 128 // maximum number of command arguments (argc)
157	extern char *fullargv[MAX_ARGS];	154	extern char *fullargv[MAX_ARGS];


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3f8f7176c..f4384faf7 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -44,10 +44,8 @@ void fs_build_firejail_dir(void) {
44	}	44	}
45	else { // check /tmp/firejail directory belongs to root end exit if doesn't!	45	else { // check /tmp/firejail directory belongs to root end exit if doesn't!
46	if (s.st_uid != 0 \|\| s.st_gid != 0) {	46	if (s.st_uid != 0 \|\| s.st_gid != 0) {
47	if (firejail_in_firejail == 0) {	47	fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);
48	fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);	48	exit(1);
49	exit(1);
50	}
51	}	49	}
52	}	50	}
53	}	51	}


diff --git a/src/firejail/main.c b/src/firejail/main.c index 3a5a21cad..a1e67c298 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -90,7 +90,6 @@ char *fullargv[MAX_ARGS]; // expanded argv for restricted shell
90	int fullargc = 0;	90	int fullargc = 0;
91	static pid_t child = 0;	91	static pid_t child = 0;
92	pid_t sandbox_pid;	92	pid_t sandbox_pid;
93	int firejail_in_firejail = 0; // firejail started in a firejail sandbox
94		93
95	static void myexit(int rv) {	94	static void myexit(int rv) {
96	logmsg("exiting...");	95	logmsg("exiting...");
@@ -114,10 +113,8 @@ static void my_handler(int s){
114	static void extract_user_data(void) {	113	static void extract_user_data(void) {
115	// check suid	114	// check suid
116	if (geteuid()) {	115	if (geteuid()) {
117	if (firejail_in_firejail == 0) {	116	fprintf(stderr, "Error: the sandbox is not setuid root\n");
118	fprintf(stderr, "Error: the sandbox is not setuid root\n");	117	exit(1);
119	exit(1);
120	}
121	}	118	}
122		119
123	struct passwd *pw = getpwuid(getuid());	120	struct passwd *pw = getpwuid(getuid());
@@ -392,12 +389,13 @@ int main(int argc, char **argv) {
392		389
393	// check if we already have a sandbox running	390	// check if we already have a sandbox running
394	int rv = check_kernel_procs();	391	int rv = check_kernel_procs();
395	if (rv == 0)	392	if (rv == 0) {
396	firejail_in_firejail = 1;	393	// start the program directly without sandboxing
397		394	run_no_sandbox(argc, argv);
398		395	// it will never get here!
		396	assert(0);
		397	}
399		398
400
401	// initialize globals	399	// initialize globals
402	init_cfg();	400	init_cfg();
403	cfg.original_argv = argv;	401	cfg.original_argv = argv;
@@ -697,6 +695,7 @@ int main(int argc, char **argv) {
697	}	695	}
698		696
699	// extract private home dirname	697	// extract private home dirname
		698	printf("here %s:%d\n", __FILE__, __LINE__);
700	cfg.home_private = argv[i] + 10;	699	cfg.home_private = argv[i] + 10;
701	fs_check_private_dir();	700	fs_check_private_dir();
702	arg_private = 1;	701	arg_private = 1;
@@ -974,13 +973,6 @@ int main(int argc, char **argv) {
974	}	973	}
975	}	974	}
976		975
977	// if a sandbox is already running, start the program directly without sandboxing
978	if (firejail_in_firejail) {
979	run_no_sandbox(argc, argv);
980	// it will never get here!
981	assert(0);
982	}
983
984	// check network configuration options - it will exit if anything went wrong	976	// check network configuration options - it will exit if anything went wrong
985	net_check_cfg();	977	net_check_cfg();
986		978


diff --git a/todo b/todo index 4185403d1..b62f80b8d 100644 --- a/todo +++ b/todo
@@ -27,4 +27,4 @@ Warning: failed to unmount /sys
27	Child process initialized	27	Child process initialized
28	$	28	$
29		29
30	3. default.profile createing problems for --chroot, --private-home	30	3. default.profile creating problems for --chroot, --private-home