From fa5e81aa1490f13372cc973543aeae9df09e506d Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sat, 16 Apr 2016 09:08:56 -0400
Subject: fix: firejail config in /etc/firejail is not blacklisted if the
 sandbox is started as root in order to allow sandbox chanining

---
 src/firejail/fs.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7ee76d096..652f897d0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -750,7 +750,13 @@ void fs_basic_fs(void) {
 	// don't leak user information
 	restrict_users();
 	
-	disable_firejail_config();
+	// when starting as root, firejail config is not disabled;
+	// this mode could be used to install and test new software by chaining
+	// firejail sandboxes (firejail --force)
+	if (getuid() != 0)
+		disable_firejail_config();
+	else
+		fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n");
 }
 
 
@@ -967,13 +973,13 @@ void fs_overlayfs(void) {
 	// don't leak user information
 	restrict_users();
 
-	// when starting as root in overlay mode, firejail config is not disabled;
+	// when starting as root, firejail config is not disabled;
 	// this mode could be used to install and test new software by chaining
 	// firejail sandboxes (firejail --force)
 	if (getuid() != 0)
 		disable_firejail_config();
 	else
-		fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n");
+		fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n");
 
 	// cleanup and exit
 	free(option);
@@ -1104,7 +1110,13 @@ void fs_chroot(const char *rootdir) {
 	// don't leak user information
 	restrict_users();
 
-	disable_firejail_config();
+	// when starting as root, firejail config is not disabled;
+	// this mode could be used to install and test new software by chaining
+	// firejail sandboxes (firejail --force)
+	if (getuid() != 0)
+		disable_firejail_config();
+	else
+		fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n");
 }
 #endif
 
-- 
cgit v1.2.3-54-g00ecf