From 096333704e0c3d6b7cf23fe6f4e34e99fdc9770f Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 27 Oct 2016 10:54:34 -0400
Subject: remove tmpfs from /dev/shm for root user
---
 RELNOTES | 1 +
 src/firejail/fs.c | 12 ++++++------
 src/firejail/fs_dev.c | 2 ++
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index 7aeac4f8d..16c03fc23 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.45) baseline; urgency=low
 * development version, work in progress
 * security: overwrite /etc/resolv.conf found by Martin Carpenter
+ * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
 * feature: split most of networking code in a separate executable
 * new profiles: xiphos, Tor Browser Bundle
 * bugfixes
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 6c566bd90..572b08205 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -754,8 +754,8 @@ void fs_basic_fs(void) {
 fs_rdonly("/usr");
 // update /var directory in order to support multiple sandboxes running on the same root directory
- if (!arg_private_dev)
- fs_dev_shm();
+// if (!arg_private_dev)
+// fs_dev_shm();
 fs_var_lock();
 fs_var_tmp();
 fs_var_log();
@@ -1061,8 +1061,8 @@ void fs_overlayfs(void) {
 errExit("chroot");
 // update /var directory in order to support multiple sandboxes running on the same root directory
- if (!arg_private_dev)
- fs_dev_shm();
+// if (!arg_private_dev)
+// fs_dev_shm();
 fs_var_lock();
 fs_var_tmp();
 fs_var_log();
@@ -1233,8 +1233,8 @@ void fs_chroot(const char *rootdir) {
 if (checkcfg(CFG_CHROOT_DESKTOP)) {
 // update /var directory in order to support multiple sandboxes running on the same root directory
- if (!arg_private_dev)
- fs_dev_shm();
+// if (!arg_private_dev)
+// fs_dev_shm();
 fs_var_lock();
 fs_var_tmp();
 fs_var_log();
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index aa5f7c28b..0186c6f82 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
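Review bot: In src/firejail/fs.c, commenting out `fs_dev_shm()` in fs_basic_fs() leaves a sandbox started as root without `--private-dev` with no tmpfs over /dev/shm, so (judging from the commit subject) whatever /dev/shm the underlying root filesystem provides stays reachable inside the sandbox; the fs_overlayfs() and fs_chroot() hunks do the same. Nothing in these hunks shows what now isolates shared memory for root. The RELNOTES entry mentions `--noblacklist=/dev/shm`, which suggests a blacklist elsewhere, so a comment at each call site such as `// /dev/shm is no longer replaced with a tmpfs for root; isolation relies on <mechanism>` would record the decision for the next auditor. The two commented-out lines themselves should be deleted rather than kept as dead code, since history already preserves them. All three functions start and end outside their hunks.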
@@ -244,6 +244,7 @@ void fs_private_dev(void){
 }
+#if 0
 void fs_dev_shm(void) {
 uid_t uid = getuid(); // set a new shm only if we started as root
 if (uid)
@@ -282,6 +283,7 @@ void fs_dev_shm(void) {
 }
 }
+#endif
 static void disable_file_or_dir(const char *fname) {
 if (arg_debug)
-- cgit v1.2.3-54-g00ecf
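Review bot: The `#if 0` added before fs_dev_shm() carries no reason, and its `#endif` in the second fs_dev.c hunk sits roughly forty lines later with nothing tying the two together. The function only acted when the sandbox was started as root (per its `if (uid)` context line), so a reader auditing /dev/shm handling should be able to see here that the tmpfs mount was dropped on purpose. I would annotate both ends, e.g. `#if 0 // disabled: /dev/shm is no longer remounted as tmpfs for root` and `#endif // fs_dev_shm disabled`, or delete the function and rely on history. Any prototype for fs_dev_shm() in a header is outside this diff and would presumably need the same treatment. The function body lies between the two hunks and is not visible here.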