Add --keep-var-tmp and associated profile option

7 files changed, 30 insertions, 3 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 14f87c36c..84f535575 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -366,6 +366,7 @@ extern int arg_nice;		// nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_writable_var;    // writable var
+extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;       // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c9158ebd5..88f92ad74 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -704,7 +704,8 @@ void fs_basic_fs(void) {
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
-        fs_var_tmp();
+        if (!arg_keep_var_tmp)
+          fs_var_tmp();
         if (!arg_writable_var_log)
                 fs_var_log();
         else
@@ -1015,7 +1016,8 @@ void fs_overlayfs(void) {
 //      if (!arg_private_dev)
 //              fs_dev_shm();
         fs_var_lock();
-        fs_var_tmp();
+        if (!arg_keep_var_tmp)
+                fs_var_tmp();
         if (!arg_writable_var_log)
                 fs_var_log();
         else
@@ -1258,7 +1260,8 @@ void fs_chroot(const char *rootdir) {
 //              if (!arg_private_dev)
 //                      fs_dev_shm();
                 fs_var_lock();
-                fs_var_tmp();
+                if (!arg_keep_var_tmp)
+                        fs_var_tmp();
                 if (!arg_writable_var_log)
                         fs_var_log();
                 else
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9a013989a..2e47dd938 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -104,6 +104,7 @@ int arg_nice = 0;				// nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
 int arg_writable_var = 0;                       // writable var
+int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;                  // writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
@@ -1537,6 +1538,9 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
+                else if (strcmp(argv[1], "--keep-var-tmp") == 0) {
+                        arg_keep_var_tmp = 1;
+                }
                 else if (strcmp(argv[i], "--writable-run-user") == 0) {
                         arg_writable_run_user = 1;
                 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 156ffa24a..7b59cd48c 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -738,6 +738,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_writable_var = 1;
                 return 0;
         }
+        // don't overwrite /var/tmp
+        if (strcmp(ptr, "keep-var-tmp") == 0) {
+                arg_keep_var_tmp = 1;
+                return 0;
+        }
         // writable-run-user
         if (strcmp(ptr, "writable-run-user") == 0) {
                 arg_writable_run_user = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 742fc0465..be5eb3989 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -221,6 +221,7 @@ static char *usage_str =
         "    --writable-run-user - allow access to /run/user/$UID/systemd and\n"
         "\t/run/user/$UID/gnupg.\n"
         "    --writable-var - /var directory is mounted read-write.\n"
+        "    --keep-var-tmp - /var/tmp directory is untouched.\n"
         "    --writable-var-log - use the real /var/log directory, not a clone.\n"
 #ifdef HAVE_X11
         "    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 0217e1353..c73f23b94 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -280,6 +280,9 @@ Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnu
 \fBwritable-var
 Mount /var directory read-write.
 .TP
+\fBkeep-var-tmp
+/var/tmp directory is untouched.
+.TP
 \fBwritable-var-log
 Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
 directory, and a skeleton filesystem is created based on the original /var/log.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d8fed1f31..87326a7bd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,16 @@ Example:
 $ sudo firejail --writable-var
 
 .TP
+\fB\-\-keep-var-tmp
+/var/tmp directory is untouched.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --keep-var-tmp
+
+.TP
 \fB\-\-writable-var-log
 Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
 directory, and a skeleton filesystem is created based on the original /var/log.