14 files changed, 4 insertions, 54 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3f005b547..e100e1f2c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -499,15 +499,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                exit(0);
        }
        else if (strcmp(argv[i], "--list") == 0) {
-                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+                int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                exit(rv);
        }
        else if (strcmp(argv[i], "--tree") == 0) {
-                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+                int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                exit(rv);
        }
        else if (strcmp(argv[i], "--top") == 0) {
-                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                        2, PATH_FIREMON, "--top");
                exit(rv);
        }
@@ -515,12 +515,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strcmp(argv[i], "--netstats") == 0) {
                if (checkcfg(CFG_NETWORK)) {
                        struct stat s;
-                        int rv;
+                        int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
-                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0)
-                                rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
-                                        2, PATH_FIREMON, "--netstats");
-                        else
-                                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                                        2, PATH_FIREMON, "--netstats");
                        exit(rv);
                }
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index 7cb8ff4c3..d204a0c3a 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -73,9 +73,6 @@ static void print_arp(const char *fname) {
 }
 void arp(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index 5cd9b5d0d..49c7b204b 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -49,9 +49,6 @@ static void print_caps(int pid) {
 }
                        
 void caps(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);  // include all processes
        
        // print processes
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 0b93390ae..ec2d350af 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -45,9 +45,6 @@ static void print_cgroup(int pid) {
 }
                        
 void cgroup(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 06658f58c..20fba33d6 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -49,9 +49,6 @@ static void print_cpu(int pid) {
 }
                        
 void cpu(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 3140c5f70..950311c00 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -62,17 +62,6 @@ int find_child(int id) {
        return -1;
 }
-// drop privileges
-void firemon_drop_privs(void) {
-        // drop privileges
-        if (setgroups(0, NULL) < 0)
-                errExit("setgroups");
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
-}
 // sleep and wait for a key to be pressed
 void firemon_sleep(int st) {
        if (terminal_set == 0) {
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 522ece077..a873430a3 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -38,7 +38,6 @@ static inline void firemon_clrscr(void) {
 // firemon.c
 extern int arg_nowrap;
 int find_child(int id);
-void firemon_drop_privs(void);
 void firemon_sleep(int st);
diff --git a/src/firemon/list.c b/src/firemon/list.c
index 901627c2a..acff13a28 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 void list(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(0);    // include all processes
        
        // print processes
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 0ff0dd33d..3c020d630 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -170,9 +170,6 @@ static void print_proc(int index, int itv, int col) {
 }
 void netstats(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(0);    // include all processes
        
        printf("Displaying network statistics only for sandboxes using a new network namespace.\n");
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 398965671..ac8000b6a 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -182,9 +182,6 @@ static void print_route(const char *fname) {
 }
 void route(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index 71771c72d..d4c248f8b 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -49,9 +49,6 @@ static void print_seccomp(int pid) {
 }
                        
 void seccomp(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);  // include all processes
        
        // print processes
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a6da6f64e..b804761dd 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -232,9 +232,6 @@ void head_print(int col, int row) {
 }
 void top(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
        while (1) {
                // clear linked list
                head_clear();
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index b05eb92f9..a4b92a11f 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 void tree(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);  // include all processes
        
        // print processes
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index e30c2d78b..c7fe4c616 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -23,9 +23,6 @@
 #include <unistd.h>
                        
 void x11(pid_t pid) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes