author | smitsohu <smitsohu@gmail.com> | 2020-11-20 20:04:20 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-11-20 20:04:20 +0100 |
commit | da53c4ebf0b7f5c6d07cb14dd7ec3ff3910fe180 (patch) | |
tree | 9475d0d33b52cc178c7b88caae1f9c0727500351 | |
parent | tmpfs testing (diff) | |
reimplement --private-cache using --tmpfs
-rw-r--r-- | src/firejail/fs.c | 36 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 | ||||
-rwxr-xr-x | test/fs/private-cache.exp | 30 |
3 files changed, 17 insertions, 58 deletions
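--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,11 +162,12 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 else if (op == MOUNT_TMPFS) {
 if (S_ISDIR(s.st_mode)) {
-if (getuid() &&
-(strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-fname[strlen(cfg.homedir)] != '/')) {
+if (getuid()) {
+if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+fname[strlen(cfg.homedir)] != '/') {
 fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
 exit(1);
+}
 }
 fs_tmpfs(fname, getuid());
 last_disable = SUCCESSFUL;
@@ -1260,28 +1261,3 @@ void fs_private_tmp(void) {
 }
 closedir(dir);
 }
-
-// this function is called from sandbox.c before blacklist/whitelist functions
-void fs_private_cache(void) {
-char *cache;
-if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
-errExit("asprintf");
-// check if ~/.cache is a valid destination
-struct stat s;
-if (lstat(cache, &s) == -1) {
-fwarning("skipping private-cache: cannot find %s\n", cache);
-free(cache);
-return;
-}
-if (!S_ISDIR(s.st_mode)) {
-if (S_ISLNK(s.st_mode))
-fwarning("skipping private-cache: %s is a symbolic link\n", cache);
-else
-fwarning("skipping private-cache: %s is not a directory\n", cache);
-free(cache);
-return;
-}
-// do the mount
-fs_tmpfs(cache, getuid()); // check ownership of ~/.cache
-free(cache);
-}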
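Review bot: The `$HOME` test in the MOUNT_TMPFS branch of disable_file is a plain string-prefix comparison on `fname`, and after this commit it is the only visible guard on the --private-cache mount, so what it relies on should be documented. The removed fs_private_cache() used lstat() and skipped a symlinked or missing ~/.cache with a warning; whether the new path still does so depends on how `s` and `fname` are produced earlier in disable_file, which starts outside this hunk. I would add a comment above the inner `if`, for example `// fname must already be a resolved path: non-root users may only mount tmpfs below $HOME`. It is also worth confirming that a symlinked ~/.cache is neither followed for root nor turned from a warning into the `exit(1)` path for ordinary users.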
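--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,12 +923,9 @@ int sandbox(void* sandbox_arg) {
 
 #ifdef HAVE_USERTMPFS
 if (arg_private_cache) {
-if (cfg.chrootdir)
-fwarning("private-cache feature is disabled in chroot\n");
-else if (arg_overlay)
-fwarning("private-cache feature is disabled in overlay\n");
-else
-fs_private_cache();
+EUID_USER();
+profile_add("tmpfs ${HOME}/.cache");
+EUID_ROOT();
 }
 #endif
 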
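Review bot: The chroot and overlay guards are dropped from the `arg_private_cache` block with no replacement, so `tmpfs ${HOME}/.cache` is now queued in both modes where the old code only printed "private-cache feature is disabled" and did nothing. If the tmpfs profile path is known to be safe there, the commit message should say so; otherwise keep the guard around the new call, e.g. `if (cfg.chrootdir || arg_overlay) fwarning("private-cache feature is disabled in chroot or overlay\n");` with the `profile_add` lines in the `else`. The EUID_USER()/EUID_ROOT() pair around profile_add() also needs a one-line comment stating why the entry must be added with the user's effective uid, since the reason is not visible in this hunk. sandbox() starts and ends outside the hunk.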
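--- a/test/fs/private-cache.exp
+++ b/test/fs/private-cache.exp
@@ -7,16 +7,17 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-if {[file exists ~/.cache]} {
-puts "found .cache directory\n"
-} else {
-send -- "mkdir --mode=755 ~/.cache\r"
-}
+send -- "mkdir --mode=700 ~/.cache\r"
 after 100
 
 send -- "touch ~/.cache/abcdefg\r"
 after 100
 
+if { ! [file exists ~/.cache/abcdefg] } {
+puts "TESTING ERROR 0\n"
+exit
+}
+
 send -- "firejail --noprofile --private-cache\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
@@ -34,23 +35,8 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "rm -v ~/.cache/abcdefg\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"removed"
-}
+# cleanup
+send -- "rm ~/.cache/abcdefg\r"
 after 100
 
-# redo the test with --private
-
-send -- "firejail --noprofile --private --private-cache\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Warning"
-}
-sleep 1
-
-send -- "exit\r"
-sleep 1
-
 puts "\nall done\n"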
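Review bot: The second hunk removes the `--private --private-cache` case and nothing replaces it, so the suite no longer pins how the two options interact after the reimplementation. The old implementation also skipped a missing or symlinked ~/.cache with a warning, so I would add cases for those inputs and assert the expected outcome (warning versus error) explicitly. The new `TESTING ERROR 0` check relies on `after 100` for the spawned shell to have run `touch`; waiting on the shell prompt with `expect` before the `file exists` test would make it less timing-dependent.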