From 1576791f29e8e9c83896fe1479e8bc099cca0d5a Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 9 May 2018 10:57:50 -0400
Subject: fix /proc hidepid

---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 8 ++++----
 src/firejail/sbox.c | 7 +++++++
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8c0b3ba4e..ec227340b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -792,6 +792,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs
 #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin
 #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin
+#define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon

 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2e47dd938..9d28f3352 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
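Review bot: The comment on the new `SBOX_CAPS_HIDEPID` flag says what it is for but not which capabilities survive the filter, so a reader of the header cannot tell that choosing it means the child keeps CAP_SYS_PTRACE (and CAP_SYS_PACCT, per the sbox.c hunk of this patch) rather than being stripped like SBOX_CAPS_NONE. I would spell that out at the definition: `#define SBOX_CAPS_HIDEPID (1 << 7) // keep CAP_SYS_PTRACE so firemon can read other users' /proc under hidepid=; pair with SBOX_ROOT`. Whether the flag has any effect when combined with SBOX_USER is not visible here and is worth stating in the same comment once confirmed.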
@@ -551,21 +551,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--list") == 0) {
 if (pid_hidepid())
- sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+ sbox_run(SBOX_ROOT| SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
 else
 sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
 exit(0);
 }
 else if (strcmp(argv[i], "--tree") == 0) {
 if (pid_hidepid())
- sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+ sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
 else
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
 exit(0);
 }
 else if (strcmp(argv[i], "--top") == 0) {
 if (pid_hidepid())
- sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+ sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 2, PATH_FIREMON, "--top");
 else
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
@@ -577,7 +577,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 if (checkcfg(CFG_NETWORK)) {
 struct stat s;
 if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
- sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+ sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 2, PATH_FIREMON, "--netstats");
 else
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 53df20a54..c11daad58 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
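Review bot: After this change any unprivileged caller of `firejail --list`, `--tree` or `--top` on a hidepid= system gets firemon executed as root holding CAP_SYS_PTRACE (per the SBOX_CAPS_HIDEPID branch in sbox.c), which is enough to read every process's /proc entries rather than only the caller's sandboxes; unless firemon itself restricts what it prints to the real uid's sandboxes (not visible here) this turns the hidepid protection into a cross-user information leak that the old SBOX_CAPS_NONE path could not produce. I would record that dependency at the first changed call site: `// hidepid=: firemon needs root + CAP_SYS_PTRACE to see other users' /proc; firemon must still filter by the caller's uid`. The same privilege decision is now repeated at four call sites with only the option string, SBOX_ALLOW_STDIN and the grsecurity test differing, so a small helper would keep the escalation in one place where it can be reviewed. run_cmd_and_exit begins and ends outside the hunk.
```c
// Run firemon with OPT. When need_root is set (hidepid=, or grsecurity for --netstats)
// firemon runs as root with the SBOX_CAPS_HIDEPID filter so it can read other users' /proc;
// firemon is expected to limit its output to the calling user's sandboxes.
static void run_firemon(const char *opt, unsigned extra, int need_root) {
	if (need_root)
		sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | extra, 2, PATH_FIREMON, opt);
	else
		sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | extra, 2, PATH_FIREMON, opt);
}
// … unchanged: earlier branches of run_cmd_and_exit …
	else if (strcmp(argv[i], "--list") == 0) {
		run_firemon("--list", 0, pid_hidepid());
		exit(0);
	}
// … unchanged: --tree and --top follow the same shape; --netstats passes
//     (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) …
```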
@@ -166,6 +166,13 @@ int sbox_run(unsigned filter, int num, ...) {
 caps_set(set);
 #endif
 }
+ else if (filter & SBOX_CAPS_HIDEPID) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+ uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE;
+ set |= ((uint64_t) 1) << CAP_SYS_PACCT;
+ caps_set(set);
+#endif
+ }

 if (filter & SBOX_SECCOMP) {
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-- 
cgit v1.2.3-54-g00ecf
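Review bot: The capability set kept for SBOX_CAPS_HIDEPID is wider than the hidepid case needs: the kernel gates other users' /proc/<pid> entries under hidepid= on a PTRACE_MODE_READ check, which CAP_SYS_PTRACE satisfies, whereas CAP_SYS_PACCT only governs acct(2) and nothing in this patch suggests firemon calls it. I would drop the `set |= ((uint64_t) 1) << CAP_SYS_PACCT;` line and add, above the `uint64_t set` line, a comment that explains the one capability that remains: `// hidepid=: other users' /proc/<pid> pass the PTRACE_MODE_READ check only with CAP_SYS_PTRACE`. CAP_SYS_PTRACE also allows tracing and reading the memory of any process, so this filter is only acceptable because SBOX_SECCOMP is applied afterwards; whether that seccomp list actually blocks ptrace(2) and process_vm_readv(2) is not visible here and is worth confirming before relying on it. This `else if` is appended to a chain whose start is outside the hunk, so a caller passing SBOX_CAPS_HIDEPID together with an earlier-tested caps flag would silently get the earlier filter; sbox_run continues past the end of the hunk.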