From 0939f26a4f2f5d090baadb7f2a47269e9e456fb5 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 9 Nov 2016 22:46:32 -0500
Subject: fixed --top
---
 src/firejail/firejail.h | 8 +++++---
 src/firejail/main.c | 3 ++-
 src/firejail/sbox.c | 14 ++++++++------
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 56dbd6868..b8126cfe7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -688,11 +688,13 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 // bitmapped filters for sbox_run
-#define SBOX_ROOT (1 << 0)
-#define SBOX_USER (1 << 1)
-#define SBOX_SECCOMP (1 << 2)
+#define SBOX_ROOT (1 << 0) // run the sandbox as root
+#define SBOX_USER (1 << 1) // run the sandbox as a regular user
+#define SBOX_SECCOMP (1 << 2) // install seccomp
 #define SBOX_CAPS_NONE (1 << 3) // drop all capabilities
 #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs
+#define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin
+
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b6f3a7f59..f01094af9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -507,7 +507,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(rv);
 }
 else if (strcmp(argv[i], "--top") == 0) {
- int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--top");
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+ 2, PATH_FIREMON, "--top");
 exit(rv);
 }
 #ifdef HAVE_NETWORK
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 3d4eef3aa..bca72c14a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
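Review bot: The comment on the added `SBOX_ALLOW_STDIN` line in firejail.h says "don't close stdin", but the sbox.c hunk of this commit shows that the default path replaces stdin with /dev/null and only closes it as a fallback, so what the flag actually does is let the helper inherit the caller's stdin. Because that relaxes the helper's isolation from the invoking terminal, the comment should say so, for example `#define SBOX_ALLOW_STDIN (1 << 5) // keep the caller's stdin instead of redirecting it to /dev/null`. The only caller that sets the flag in this commit is the `--top` branch in main.c; a one-line comment there on why firemon needs the terminal would make it harder to copy the flag to other `sbox_run` calls without thought.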
@@ -141,14 +141,16 @@ int sbox_run(unsigned filter, int num, ...) {
 int max = 20; // getdtablesize() is overkill for a firejail process
 for (i = 3; i < max; i++)
 close(i); // close open files
+ if ((filter & SBOX_ALLOW_STDIN) == 0) {
 int fd = open("/dev/null",O_RDWR, 0);
- if (fd != -1) {
- dup2 (fd, STDIN_FILENO);
- if (fd > 2)
- close (fd);
+ if (fd != -1) {
+ dup2 (fd, STDIN_FILENO);
+ if (fd > 2)
+ close (fd);
+ }
+ else // the user could run the sandbox without /dev/null
+ close(STDIN_FILENO);
 }
- else // the user could run the sandbox without /dev/null
- close(STDIN_FILENO);
 umask(027);
 // apply filters
-- cgit v1.2.3-54-g00ecf
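Review bot: Inside the new `if ((filter & SBOX_ALLOW_STDIN) == 0)` block the result of `dup2 (fd, STDIN_FILENO)` is still ignored, so when it fails the helper keeps whatever stdin it inherited and the redirection silently does not happen. I would treat that as fatal, for example `if (dup2(fd, STDIN_FILENO) == -1) { perror("dup2"); exit(1); }`, or the project's usual error helper. The `else` fallback that closes descriptor 0 leaves that number free, so the next file the helper opens becomes its stdin; if that is accepted, a comment on the `close(STDIN_FILENO)` line should say so. `sbox_run` starts before and continues after this hunk, so the surrounding process context (presumably the forked child) is not visible here.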