author | netblue30 <netblue30@yahoo.com> | 2017-03-10 10:17:00 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-03-10 10:17:00 -0500 |
commit | 22414adf2a79b08a77bacbc002fb6ebb126d5b32 (patch) | |
tree | 4a00f60c09c0c78f288f748b1e909552515add60 | |
parent | config support to disable access to /mnt and /media (diff) | |
allow tmpfs for regular users for files in home directory
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/profile.c | 15 |
2 files changed, 14 insertions, 2 deletions
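--- a/RELNOTES
+++ b/RELNOTES
@@ -34,6 +34,7 @@ firejail (0.9.45) baseline; urgency=low
 * feature: allow /tmp directory in mkdir and mkfile profile commands
 * feature: implemented --noblacklist command, profile support
 * feature: config support to disable access to /mnt and /media (disable-mnt)
+* feature: allow tmpfs for regular users for files in home directory
 * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
 * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
 * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,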
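--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -970,8 +970,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 ptr += 7;
 else if (strncmp(ptr, "tmpfs ", 6) == 0) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-exit(1);
+// allow a non-root user to mount tmpfs in user home directory, links are not allowed
+invalid_filename(ptr + 6);
+char *newfname = expand_home(ptr + 6, cfg.homedir);
+assert(newfname);
+if (is_link(newfname)) {
+fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n");
+exit(1);
+}
+if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
+exit(1);
+}
+free(newfname);
 }
 ptr += 6;
 }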
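Review bot: The home-directory test `strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0` is a raw string-prefix comparison on a path that has not been canonicalised, so it also accepts a sibling directory whose name merely begins with the home path and, unless `invalid_filename()` (not visible here) rejects `..` components, a path that climbs back out of home. `is_link(newfname)` appears to examine only the final component, so a symlinked parent directory would presumably pass as well. Because this branch is what lets a non-root user have the sandbox mount a tmpfs on their behalf, the path should be resolved first and compared on a component boundary, as sketched below, with the existing `is_link` rejection kept in front of it. The validated string is freed here and the mount itself happens elsewhere, so the mount site should repeat the check or be handed the resolved path. `profile_check_line` starts and ends outside the hunk.

```c
char *newfname = expand_home(ptr + 6, cfg.homedir);
// … unchanged: assert(newfname) and the is_link() rejection …
// resolve ".." and symlinks in every component before comparing;
// assumes cfg.homedir is itself a canonical path (confirm where it is set)
char *rpath = realpath(newfname, NULL);
size_t hlen = strlen(cfg.homedir);
if (rpath == NULL || strncmp(rpath, cfg.homedir, hlen) != 0 ||
    (rpath[hlen] != '/' && rpath[hlen] != '\0')) {
	fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
	exit(1);
}
free(rpath);
free(newfname);
```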