author | ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> | 2018-05-03 13:07:11 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-03 13:07:11 +0000 |
commit | d21b681b3651d1d905ab50565cf145e377f82088 (patch) | |
tree | 7330b4c379f9f3d310302b9922f222c18819152d | |
parent | harden pulseaudio, xauthority mounts (diff) | |
parent | Moved documentation to conform with alphabetical ordering (diff) | |
Merge pull request #1919 from chiraag-nataraj/master
Add --keep-var-tmp and associated profile option
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 9 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
7 files changed, 30 insertions, 3 deletions
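--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -366,6 +366,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_writable_var; // writable var
+extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage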
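--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -704,7 +704,8 @@ void fs_basic_fs(void) {
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 fs_var_lock();
-fs_var_tmp();
+if (!arg_keep_var_tmp)
+fs_var_tmp();
 if (!arg_writable_var_log)
 fs_var_log();
 else
@@ -1015,7 +1016,8 @@ void fs_overlayfs(void) {
 // if (!arg_private_dev)
 // fs_dev_shm();
 fs_var_lock();
-fs_var_tmp();
+if (!arg_keep_var_tmp)
+fs_var_tmp();
 if (!arg_writable_var_log)
 fs_var_log();
 else
@@ -1258,7 +1260,8 @@ void fs_chroot(const char *rootdir) {
 // if (!arg_private_dev)
 // fs_dev_shm();
 fs_var_lock();
-fs_var_tmp();
+if (!arg_keep_var_tmp)
+fs_var_tmp();
 if (!arg_writable_var_log)
 fs_var_log();
 else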
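Review bot: The guard `if (!arg_keep_var_tmp)` in front of `fs_var_tmp();` is repeated verbatim in all three hunks of this file (fs_basic_fs, fs_overlayfs and fs_chroot), so any future caller of fs_var_tmp() has to remember to add the same test or the option is silently ignored on that path. Moving the check into fs_var_tmp() itself as an early return, `if (arg_keep_var_tmp) return;`, keeps each call site at one line and makes the policy impossible to bypass by omission; fs_var_tmp's definition is outside this diff, so confirm nothing else in it should still run when the option is set. Since the option leaves the host's /var/tmp reachable from the sandbox, it is also worth a comment at the declaration saying it is a deliberate isolation trade-off, for example `// keep host /var/tmp visible in the sandbox (weaker isolation)`. All three enclosing functions start and end outside their hunks.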
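--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -104,6 +104,7 @@ int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
 int arg_writable_var = 0; // writable var
+int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
@@ -1537,6 +1538,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
+else if (strcmp(argv[1], "--keep-var-tmp") == 0) {
+arg_keep_var_tmp = 1;
+}
 else if (strcmp(argv[i], "--writable-run-user") == 0) {
 arg_writable_run_user = 1;
 }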
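Review bot: The new branch in the second hunk compares `argv[1]` instead of `argv[i]`, so `--keep-var-tmp` is only recognised when it happens to be the first command-line argument, and when it is first the branch also fires for every later argument that no earlier else-if accepted, silently absorbing it (presumably instead of letting it reach the unknown-option handling further down the chain). The neighbouring branches all index with `argv[i]`; the fix is `else if (strcmp(argv[i], "--keep-var-tmp") == 0) {`. main() starts and ends outside the hunk.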
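--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -738,6 +738,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_writable_var = 1;
 return 0;
 }
+// don't overwrite /var/tmp
+if (strcmp(ptr, "keep-var-tmp") == 0) {
+arg_keep_var_tmp = 1;
+return 0;
+}
 // writable-run-user
 if (strcmp(ptr, "writable-run-user") == 0) {
 arg_writable_run_user = 1;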
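--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -94,6 +94,7 @@ static char *usage_str =
 " --join-network=name|pid - join the network namespace.\n"
 #endif
 " --join-or-start=name|pid - join the sandbox or start a new one.\n"
+" --keep-var-tmp - /var/tmp directory is untouched.\n"
 " --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
 " --ls=name|pid dir_or_filename - list files in sandbox container.\n"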
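Review bot: The help line added in this hunk says only that /var/tmp "is untouched", which does not tell the user what they give up; the default path calls fs_var_tmp(), so with the option the sandbox keeps the host's /var/tmp instead (the exact default behaviour is in fs_var_tmp, not visible here). A wording that states the consequence, such as `" --keep-var-tmp - keep the host /var/tmp visible in the sandbox (no private /var/tmp).\n"`, lets the user weigh the isolation trade-off from the help output alone. The same wording would fit the two man-page entries in this commit.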
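--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -164,6 +164,9 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-var-tmp
+/var/tmp directory is untouched.
+.TP
 \fBmkdir directory
 Create a directory in user home or under /tmp before the sandbox is started.
 The directory is created if it doesn't already exist.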
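--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -678,6 +678,16 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 Note that in contrary to other join options there is respective profile option.
 
 .TP
+\fB\-\-keep-var-tmp
+/var/tmp directory is untouched.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-var-tmp
+
+.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
 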