fix --writable-etc

3 files changed, 14 insertions, 4 deletions

diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index f1cf0ca59..fd7ffb38d 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,8 +34,6 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /etc/init.d
-noblacklist /var/lib/apt
-noblacklist /var/cache/apt
 # noblacklist /var/opt
 
 blacklist /tmp/.X11-unix
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4b01ea0a5..fd96f8bb5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2874,6 +2874,17 @@ int main(int argc, char **argv, char **envp) {
                 }
         }
 
+        // check writable_etc and DNS/DHCP
+        if (arg_writable_etc) {
+                if (cfg.dns1 != NULL || any_dhcp()) {
+                        // we could end up overwriting the real /etc/resolv.conf, so we better exit now!
+                        fprintf(stderr, "Error: --dns/--ip=dhcp and --writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
+        }
+
+
+
         // enable seccomp if only seccomp.block-secondary was specified
         if (arg_seccomp_block_secondary)
                 arg_seccomp = 1;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96407d081..635137feb 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1077,9 +1077,10 @@ int sandbox(void* sandbox_arg) {
                 fs_dev_disable_input();
 
         //****************************
-        // set dns
+        // rebuild etc directory, set dns
         //****************************
-        fs_rebuild_etc();
+        if (!arg_writable_etc)
+                fs_rebuild_etc();
 
         //****************************
         // start dhcp client