From 3a4d7acdf2213778daa18ce98c94905bc87982ed Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 14 Jan 2016 11:15:59 -0500
Subject: --join fixes
---
 src/firejail/join.c | 17 +++++++++--------
 src/man/firejail.txt | 13 ++++++++++---
 2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/src/firejail/join.c b/src/firejail/join.c
index cf99b9c6d..ca9ec33e9 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -232,7 +232,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 }
 // set cgroup
- if (cfg.cgroup)
+ if (cfg.cgroup) // not available for uid 0
 set_cgroup(cfg.cgroup);
 // join namespaces
@@ -273,21 +273,22 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 }
 // set cpu affinity
- if (cfg.cpus)
+ if (cfg.cpus) // not available for uid 0
 set_cpu_affinity();
 // set caps filter
- if (apply_caps == 1)
+ if (apply_caps == 1) // not available for uid 0
 caps_set(caps);
 #ifdef HAVE_SECCOMP
 // set protocol filter
- protocol_filter_load(RUN_PROTOCOL_CFG);
- if (cfg.protocol) {
+ if (getuid() != 0)
+ protocol_filter_load(RUN_PROTOCOL_CFG);
+ if (cfg.protocol) { // not available for uid 0
 protocol_filter();
 }
 // set seccomp filter
- if (apply_seccomp == 1)
+ if (apply_seccomp == 1) // not available for uid 0
 seccomp_set();
 #endif
@@ -299,14 +300,14 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 errExit("setenv");
 // mount user namespace or drop privileges
- if (arg_noroot) {
+ if (arg_noroot) { // not available for uid 0
 if (arg_debug)
 printf("Joining user namespace\n");
 if (join_namespace(1, "user"))
 exit(1);
 }
 else
- drop_privs(arg_nogroups);
+ drop_privs(arg_nogroups); // nogroups not available for uid 0
 // set prompt color to green
 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 75e962b56..895b7a3af 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
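Review bot: The comment `// not available for uid 0` added to `if (cfg.cgroup)` in the first join.c hunk reads as if the cgroup call were unsupported for root, yet the line carries no uid test, so a reader cannot tell where the restriction is enforced. The same wording is repeated on `cfg.cpus`, `apply_caps`, `cfg.protocol`, `apply_seccomp`, `arg_noroot` and `drop_privs(arg_nogroups)` in the two later hunks. Presumably these flags are simply left unset when --join is run by root, in a part of join() outside the hunks; if that is the case the comment should say so, for example `// cfg.cgroup is left unset when --join is run as root`.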
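Review bot: In the `#ifdef HAVE_SECCOMP` block of the second join.c hunk, `protocol_filter_load()` is the only step gated by an explicit `getuid() != 0`, while the caps, seccomp and protocol filters are skipped for root only indirectly, through `apply_caps`, `apply_seccomp` and `cfg.protocol` apparently being left unset elsewhere. Because these are the sandbox's security filters, deciding once and testing the same condition at every step would keep a later change to the flag setup from silently altering which filters a joining process receives, e.g. `const int join_as_root = (getuid() == 0);` near the top and `if (!join_as_root && apply_seccomp == 1)` at each site. A one-line comment that the real uid (the caller's identity) is intended rather than the effective uid would also help the next reader. join() begins and ends outside the hunk, so the flag setup is not visible here.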
@@ -495,7 +495,11 @@ $ firejail \-\-ipc-namespace firefox
 .TP
 \fB\-\-join=name
 Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox.
+If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
+all security filters are configured for the new process the same they are configured in the sandbox.
+If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
+to the process joining the sandbox.
+
 .br
 .br
@@ -510,8 +514,11 @@ $ firejail \-\-join=mygame
 .TP
 \fB\-\-join=pid
-Join the sandbox identified by PID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox.
+Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
+If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
+all security filters are configured for the new process the same they are configured in the sandbox.
+If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
+to the process joining the sandbox.
 .br
 .br
-- 
cgit v1.2.3-70-g09d2