From c1b2509c7272fbef5ddc9fae289783b1985ad37f Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 4 Nov 2018 18:11:07 +0100
Subject: mount appimages nodev,nosuid
---
 src/firejail/appimage.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index e8db91958..7adf31eb6 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -106,16 +106,19 @@ void appimage_set(const char *appimage) {
 char *mode;
 if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
 errExit("asprintf");
- EUID_ROOT();
+ unsigned long flags = MS_MGC_VAL|MS_RDONLY;
+ if (getuid())
+ flags |= MS_NODEV|MS_NOSUID;
+ EUID_ROOT();
 if (size == 0) {
 fmessage("Mounting appimage type 1\n");
- if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0)
+ if (mount(devloop, mntdir, "iso9660", flags, mode) < 0)
 errExit("mounting appimage");
 } else {
 fmessage("Mounting appimage type 2\n");
- if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY, mode) < 0)
+ if (mount(devloop, mntdir, "squashfs", flags, mode) < 0)
 errExit("mounting appimage");
 }
-- cgit v1.2.3-54-g00ecf
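Review bot: The `if (getuid())` guard adds MS_NODEV|MS_NOSUID only when the caller is not root, so an image mounted by a root-started sandbox still honours device nodes and setuid bits from the AppImage, and nothing in the hunk explains why root is exempt. The image is presumably caller-supplied, so I would either set the flags unconditionally, `unsigned long flags = MS_MGC_VAL|MS_RDONLY|MS_NODEV|MS_NOSUID;`, or keep the branch and document it with a comment such as `// root-started sandbox keeps dev/suid on the image: <reason>`. If the branch stays, `if (getuid() != 0)` states the intent more plainly than relying on the uid's truthiness. appimage_set() starts and ends outside the hunk, so the matching EUID_USER() after the mount is not visible here.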