From 84ade8f847adfd3e18987ccc840f352aad92c1c2 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 6 Jun 2017 10:31:41 -0400
Subject: testing
---
 src/firejail/caps.c | 18 ++++++++++--------
 src/firejail/join.c | 2 +-
 src/firejail/sandbox.c | 2 +-
 3 files changed, 12 insertions(+), 10 deletions(-)
(limited to 'src')
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 883e8015e..ff4d3a9d7 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,15 +248,17 @@ void caps_print(void) {
 }
 }
-// drop discretionary access control capabilities by default in all sandboxes
+// drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
- if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
- else if (arg_debug)
- printf("Drop CAP_DAC_OVERRIDE\n");
-
- if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
- else if (arg_debug)
- printf("Drop CAP_DAC_READ_SEARCH\n");
+ if (getuid() == 0) {
+ if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+ else if (arg_debug)
+ printf("Drop CAP_DAC_OVERRIDE\n");
+
+ if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+ else if (arg_debug)
+ printf("Drop CAP_DAC_READ_SEARCH\n");
+ }
 }
 int caps_default_filter(void) {
diff --git a/src/firejail/join.c b/src/firejail/join.c
index d7328a91b..4c0537413 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
- // drop discretionary access control capabilities by default
+ // drop discretionary access control capabilities for root sandboxes
 caps_drop_dac_override();
 // chroot into /proc/PID/root directory
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0a32393a2..7489e7b6d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
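Review bot: The two `if (prctl(PR_CAPBSET_DROP, ...));` statements kept inside the new `getuid() == 0` branch of caps_drop_dac_override() still swallow a failed bounding-set drop: the empty body is what runs when prctl returns -1, and the debug message is printed only on success, so a root sandbox whose drop failed keeps CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH in its bounding set without any trace. Make the failure explicit, e.g. `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0) != 0) errExit("prctl PR_CAPBSET_DROP");` (errExit is the convention visible in the join.c hunk on this page), and the same for CAP_DAC_READ_SEARCH. Separately, getuid() tests the real uid, so if this binary runs set-uid root the drop now depends on which user invoked firejail rather than on the privileges the process actually holds; if that is intended, say so in the new comment, e.g. `// drop DAC capabilities only when firejail was started by root (real uid 0)`. The join.c and sandbox.c hunks only update the matching comment and need no change.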
@@ -100,7 +100,7 @@ static void set_caps(void) {
 else if (arg_caps_default_filter)
 caps_default_filter();
- // drop discretionary access control capabilities by default
+ // drop discretionary access control capabilities for root sandboxes
 caps_drop_dac_override();
 }
-- 
cgit v1.2.3-54-g00ecf