mainline merge: add switch to disable/enable private-cache

6 files changed, 23 insertions, 2 deletions

diff --git a/etc/firejail.config b/etc/firejail.config
index f4acfe7f8..d9d2f2f1e 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -47,6 +47,9 @@
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable or disable private-cache feature, default enabled
+# private-cache yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 8786c018e..3fbe6a30e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -155,6 +155,15 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        // private cache directory
+                        else if (strncmp(ptr, "private-cache ", 14) == 0) {
+                                if (strcmp(ptr + 14, "yes") == 0)
+                                        cfg_val[CFG_PRIVATE_CACHE] = 1;
+                                else if (strcmp(ptr + 14, "no") == 0)
+                                        cfg_val[CFG_PRIVATE_CACHE] = 0;
+                                else
+                                        goto errout;
+                        }
                         // quiet by default
                         else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
                                 if (strcmp(ptr + 17, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 533ed880a..0dbe1f896 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -660,6 +660,7 @@ enum {
         CFG_FORCE_NONEWPRIVS,
         CFG_JOIN,
         CFG_NETWORK,
+        CFG_PRIVATE_CACHE,
         CFG_RESTRICTED_NETWORK,
         CFG_SECCOMP,
         CFG_USERNS,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index de77c027c..74f8328ff 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -845,6 +845,8 @@ void fs_private_cache(void) {
                 return;
         }
 
+        if (arg_debug)
+                printf("Mounting tmpfs on %s\n", cache);
         // get a file descriptor for ~/.cache, fails if there is any symlink
         int fd = safe_fd(cache, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c4944c7d5..ba6b98191 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1114,7 +1114,10 @@ int main(int argc, char **argv) {
                         arg_private_tmp = 1;
                 }
                 else if (strcmp(argv[i], "--private-cache") == 0) {
-                        arg_private_cache = 1;
+                        if (checkcfg(CFG_PRIVATE_CACHE))
+                                arg_private_cache = 1;
+                        else
+                                exit_err_feature("private-cache");
                 }
 
                 //*************************************
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 98c45b637..72c314aad 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -196,7 +196,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "private-cache") == 0) {
-                arg_private_cache = 1;
+                if (checkcfg(CFG_PRIVATE_CACHE))
+                        arg_private_cache = 1;
+                else
+                        warning_feature_disabled("private-cache");
                 return 0;
         }
         else if (strcmp(ptr, "private-dev") == 0) {