From 84ade8f847adfd3e18987ccc840f352aad92c1c2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 6 Jun 2017 10:31:41 -0400 Subject: testing --- RELNOTES | 3 ++- src/firejail/caps.c | 18 ++++++++++-------- src/firejail/join.c | 2 +- src/firejail/sandbox.c | 2 +- test/apps-x11/chromium.exp | 2 +- test/apps/chromium.exp | 2 +- 6 files changed, 16 insertions(+), 13 deletions(-) diff --git a/RELNOTES b/RELNOTES index 9795fe376..d4e8c9e43 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,7 +4,8 @@ firejail (0.9.47) baseline; urgency=low please use ~/Downloads directory for saving files * modifs: AppArmor made optional; a warning is printed on the screen if the sandbox fails to load the AppArmor profile - * feature: drop discretionary access control capabilities by default + * feature: drop discretionary access control capabilities for + root sandboxes * feature: added /etc/firejail/globals.local for global customizations * feature: profile support in overlayfs mode * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 883e8015e..ff4d3a9d7 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c @@ -248,15 +248,17 @@ void caps_print(void) { } } -// drop discretionary access control capabilities by default in all sandboxes +// drop discretionary access control capabilities for root sandboxes void caps_drop_dac_override(void) { - if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); - else if (arg_debug) - printf("Drop CAP_DAC_OVERRIDE\n"); - - if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); - else if (arg_debug) - printf("Drop CAP_DAC_READ_SEARCH\n"); + if (getuid() == 0) { + if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); + else if (arg_debug) + printf("Drop CAP_DAC_OVERRIDE\n"); + + if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); + else if (arg_debug) + printf("Drop CAP_DAC_READ_SEARCH\n"); + } } int caps_default_filter(void) { 
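Review bot: In `caps_drop_dac_override()` (src/firejail/caps.c), a failed `prctl(PR_CAPBSET_DROP, ...)` still lands on the empty statement after `if (...)`, so the sandbox carries on with CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH in the bounding set and nothing is printed. Report the failure and keep the debug message, e.g. `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0) == -1) fprintf(stderr, "Warning: cannot drop CAP_DAC_OVERRIDE\n"); else if (arg_debug) printf("Drop CAP_DAC_OVERRIDE\n");`, and do the same for CAP_DAC_READ_SEARCH. The new `getuid() == 0` gate tests the real uid, so sandboxes started by ordinary users now keep both capabilities in the bounding set. The header comment should say that this is intentional and what those sandboxes rely on instead, since the commit message ("testing") gives no reason.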
diff --git a/src/firejail/join.c b/src/firejail/join.c index d7328a91b..4c0537413 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) { if (child < 0) errExit("fork"); if (child == 0) { - // drop discretionary access control capabilities by default + // drop discretionary access control capabilities for root sandboxes caps_drop_dac_override(); // chroot into /proc/PID/root directory diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0a32393a2..7489e7b6d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -100,7 +100,7 @@ static void set_caps(void) { else if (arg_caps_default_filter) caps_default_filter(); - // drop discretionary access control capabilities by default + // drop discretionary access control capabilities for root sandboxes caps_drop_dac_override(); } diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 3ec2bc049..a7eace125 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp @@ -71,7 +71,7 @@ expect { } expect { timeout {puts "TESTING ERROR 6.2\n";exit} - "fffffffff" + "00240000" } expect { timeout {puts "TESTING ERROR 6.3\n";exit} diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index 041918d7f..6b784e395 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp @@ -72,7 +72,7 @@ expect { } expect { timeout {puts "TESTING ERROR 6.2\n";exit} - "fffffffff" + "00240000" } expect { timeout {puts "TESTING ERROR 6.3\n";exit} -- cgit v1.2.3-54-g00ecf
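Review bot: The new expected value `"00240000"` in test/apps-x11/chromium.exp is an undocumented magic mask, and test/apps/chromium.exp gets the same value. Read as a Linux capability mask it is bits 18 and 21, CAP_SYS_CHROOT and CAP_SYS_ADMIN, which presumably matches what the chromium profile keeps; the line that prints the value is outside the hunk, so this should be confirmed. A comment above the `expect {` block, such as `# capability mask: CAP_SYS_CHROOT | CAP_SYS_ADMIN`, would make later changes to the profile's capability list easier to check against the test. Put it outside the braces, because text inside an `expect { ... }` pattern list is parsed as patterns, not as comments.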