From f5b9be2a61d116a5005a3e41da2474a945aa1aa3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 28 Aug 2015 07:23:19 -0400
Subject: firejail-in-firejail fixes
---
 src/firejail/bandwidth.c | 6 ++++--
 src/firejail/firejail.h | 1 +
 src/firejail/fs.c | 6 ++++--
 src/firejail/main.c | 18 ++++++++++++++----
 4 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index e0be1f06a..61d0acd4a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -125,8 +125,10 @@ void shm_create_firejail_dir(void) {
 }
 else { // check /dev/shm/firejail directory belongs to root end exit if doesn't!
 if (s.st_uid != 0 || s.st_gid != 0) {
- fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail");
- exit(1);
+ if (firejail_in_firejail == 0) {
+ fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail");
+ exit(1);
+ }
 }
 }
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 351e9d045..532a4797e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -151,6 +151,7 @@ extern int arg_scan; // arp-scan all interfaces
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
+extern int firejail_in_firejail;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 6beac3227..ca73ae554 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -44,8 +44,10 @@ void fs_build_firejail_dir(void) {
 }
 else { // check /tmp/firejail directory belongs to root end exit if doesn't!
 if (s.st_uid != 0 || s.st_gid != 0) {
- fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);
- exit(1);
+ if (firejail_in_firejail == 0) {
+ fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);
+ exit(1);
+ }
 }
 }
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aeb85d724..bcff0e41f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
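Review bot: With `firejail_in_firejail` set, a `/dev/shm/firejail` that is not owned by root is now accepted silently and `shm_create_firejail_dir()` carries on as if the directory were trustworthy; the same relaxation is applied to the `FIREJAIL_DIR` check in `fs_build_firejail_dir()` in src/firejail/fs.c. The ownership test is what keeps a directory planted by an unprivileged user from being used by the setuid binary, and the flag that now disables it comes from `check_kernel_procs()` in main.c, whose logic is not part of this diff, so it should be confirmed that an unprivileged caller cannot influence its result. A narrower relaxation keeps the exit whenever the process still holds root, e.g. `if (firejail_in_firejail == 0 || geteuid() == 0) {`, and prints a warning on the path that continues; whether that still covers the nested scenarios this commit targets needs checking. Both function bodies start outside their hunks, so what is done with the directory afterwards is not visible here.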
@@ -92,6 +92,7 @@ char *fullargv[MAX_ARGS]; // expanded argv for restricted shell
 int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
+int firejail_in_firejail = 0; // firejail started in a firejail sandbox
 static void myexit(int rv) {
 logmsg("exiting...");
@@ -127,8 +128,10 @@ static void my_handler(int s){
 static void extract_user_data(void) {
 // check suid
 if (geteuid()) {
- fprintf(stderr, "Error: the sandbox is not setuid root\n");
- exit(1);
+ if (firejail_in_firejail == 0) {
+ fprintf(stderr, "Error: the sandbox is not setuid root\n");
+ exit(1);
+ }
 }
 struct passwd *pw = getpwuid(getuid());
@@ -400,6 +403,14 @@ int main(int argc, char **argv) {
 int arg_cgroup = 0;
 int custom_profile = 0; // custom profile loaded
 int arg_noprofile = 0; // use generic.profile if none other found/specified
+
+ // check if we already have a sandbox running
+ int rv = check_kernel_procs();
+ if (rv == 0)
+ firejail_in_firejail = 1;
+
+
+
 // initialize globals
 init_cfg();
@@ -998,8 +1009,7 @@ int main(int argc, char **argv) {
 }
 // if a sandbox is already running, start the program directly without sandboxing
- int rv = check_kernel_procs();
- if (rv == 0) {
+ if (firejail_in_firejail) {
 run_no_sandbox(argc, argv);
 // it will never get here!
 assert(0);
-- 
cgit v1.2.3-54-g00ecf
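Review bot: The nested test in `extract_user_data()` reads more directly as a single condition, `if (geteuid() && firejail_in_firejail == 0) {`, which also removes the empty outer branch that is left when the flag is set. A comment on that line stating why a non-setuid binary is tolerated in the nested case, for example `// nested start: no setuid root expected, main() hands off to run_no_sandbox()`, would keep the relaxation from being copied to other checks; that rationale is inferred from the commit subject and should be confirmed. The function continues past the end of the hunk.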
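Review bot: Setting `firejail_in_firejail` at the top of `main()` means everything between this point and the `run_no_sandbox()` call near line 1009, that is `init_cfg()` and presumably the option-parsing code, now runs with the setuid and directory-ownership checks relaxed. If none of that work is needed for a nested start, handing off immediately keeps the relaxed path short: `if (check_kernel_procs() == 0) { run_no_sandbox(argc, argv); assert(0); }`. If the parsing is needed, the `if (rv == 0)` should at least get braces and a comment naming the three checks the flag disables (bandwidth.c, fs.c and `extract_user_data()`). The code between the two `main()` hunks is outside this diff, so the first option has to be checked against it.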