1 files changed, 13 insertions, 5 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 01182bd2c..bf78f8a17 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -77,7 +77,7 @@ static void disable_file(OPERATION op, const char *filename) {
                EUID_ROOT();
                int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
-                if (err < 0)
+                if (err != 0)
                        err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
                EUID_USER();
                close(fd);
@@ -655,8 +655,13 @@ static void fs_remount_rec(const char *dir, OPERATION op) {
 // resolve a path and remount it
 void fs_remount(const char *path, OPERATION op, int rec) {
        assert(path);
-        assert(geteuid() == 0);
-        EUID_USER();
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
        char *rpath = realpath(path, NULL);
        if (rpath) {
@@ -666,7 +671,9 @@ void fs_remount(const char *path, OPERATION op, int rec) {
                        fs_remount_simple(rpath, op);
                free(rpath);
        }
-        EUID_ROOT();
+        if (called_as_root)
+                EUID_ROOT();
 }
 // Disable /mnt, /media, /run/mount and /run/media access
@@ -821,7 +828,6 @@ void disable_config(void) {
 // build a basic read-only filesystem
-// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
        uid_t uid = getuid();
@@ -831,6 +837,7 @@ void fs_basic_fs(void) {
        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                errExit("mounting /proc");
+        EUID_USER();
        if (arg_debug)
                printf("Basic read-only filesystem:\n");
        if (!arg_writable_etc) {
@@ -850,6 +857,7 @@ void fs_basic_fs(void) {
        fs_remount("/lib64", MOUNT_READONLY, 1);
        fs_remount("/lib32", MOUNT_READONLY, 1);
        fs_remount("/libx32", MOUNT_READONLY, 1);
+        EUID_ROOT();
        // update /var directory in order to support multiple sandboxes running on the same root directory
        fs_var_lock();

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 01182bd2c..bf78f8a17 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -77,7 +77,7 @@ static void disable_file(OPERATION op, const char *filename) {
77		77
78	EUID_ROOT();	78	EUID_ROOT();
79	int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);	79	int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
80	if (err < 0)	80	if (err != 0)
81	err = bind_mount_path_to_fd(RUN_RO_FILE, fd);	81	err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
82	EUID_USER();	82	EUID_USER();
83	close(fd);	83	close(fd);
@@ -655,8 +655,13 @@ static void fs_remount_rec(const char *dir, OPERATION op) {
655	// resolve a path and remount it	655	// resolve a path and remount it
656	void fs_remount(const char *path, OPERATION op, int rec) {	656	void fs_remount(const char *path, OPERATION op, int rec) {
657	assert(path);	657	assert(path);
658	assert(geteuid() == 0);	658
659	EUID_USER();	659	int called_as_root = 0;
		660	if (geteuid() == 0)
		661	called_as_root = 1;
		662
		663	if (called_as_root)
		664	EUID_USER();
660		665
661	char *rpath = realpath(path, NULL);	666	char *rpath = realpath(path, NULL);
662	if (rpath) {	667	if (rpath) {
@@ -666,7 +671,9 @@ void fs_remount(const char *path, OPERATION op, int rec) {
666	fs_remount_simple(rpath, op);	671	fs_remount_simple(rpath, op);
667	free(rpath);	672	free(rpath);
668	}	673	}
669	EUID_ROOT();	674
		675	if (called_as_root)
		676	EUID_ROOT();
670	}	677	}
671		678
672	// Disable /mnt, /media, /run/mount and /run/media access	679	// Disable /mnt, /media, /run/mount and /run/media access
@@ -821,7 +828,6 @@ void disable_config(void) {
821		828
822		829
823	// build a basic read-only filesystem	830	// build a basic read-only filesystem
824	// top level directories could be links, run no after-mount checks
825	void fs_basic_fs(void) {	831	void fs_basic_fs(void) {
826	uid_t uid = getuid();	832	uid_t uid = getuid();
827		833
@@ -831,6 +837,7 @@ void fs_basic_fs(void) {
831	if (mount("proc", "/proc", "proc", MS_NOSUID \| MS_NOEXEC \| MS_NODEV \| MS_REC, NULL) < 0)	837	if (mount("proc", "/proc", "proc", MS_NOSUID \| MS_NOEXEC \| MS_NODEV \| MS_REC, NULL) < 0)
832	errExit("mounting /proc");	838	errExit("mounting /proc");
833		839
		840	EUID_USER();
834	if (arg_debug)	841	if (arg_debug)
835	printf("Basic read-only filesystem:\n");	842	printf("Basic read-only filesystem:\n");
836	if (!arg_writable_etc) {	843	if (!arg_writable_etc) {
@@ -850,6 +857,7 @@ void fs_basic_fs(void) {
850	fs_remount("/lib64", MOUNT_READONLY, 1);	857	fs_remount("/lib64", MOUNT_READONLY, 1);
851	fs_remount("/lib32", MOUNT_READONLY, 1);	858	fs_remount("/lib32", MOUNT_READONLY, 1);
852	fs_remount("/libx32", MOUNT_READONLY, 1);	859	fs_remount("/libx32", MOUNT_READONLY, 1);
		860	EUID_ROOT();
853		861
854	// update /var directory in order to support multiple sandboxes running on the same root directory	862	// update /var directory in order to support multiple sandboxes running on the same root directory
855	fs_var_lock();	863	fs_var_lock();