diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-03-10 10:17:00 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-03-10 10:17:00 -0500 |
| commit | 22414adf2a79b08a77bacbc002fb6ebb126d5b32 (patch) | |
| tree | 4a00f60c09c0c78f288f748b1e909552515add60 | |
| parent | config support to disable access to /mnt and /media (diff) | |
| download | firejail-22414adf2a79b08a77bacbc002fb6ebb126d5b32.tar.gz firejail-22414adf2a79b08a77bacbc002fb6ebb126d5b32.tar.zst firejail-22414adf2a79b08a77bacbc002fb6ebb126d5b32.zip | |
allow tmpfs for regular users for files in home directory
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | src/firejail/profile.c | 15 |
2 files changed, 14 insertions, 2 deletions
| @@ -34,6 +34,7 @@ firejail (0.9.45) baseline; urgency=low | |||
| 34 | * feature: allow /tmp directory in mkdir and mkfile profile commands | 34 | * feature: allow /tmp directory in mkdir and mkfile profile commands |
| 35 | * feature: implemented --noblacklist command, profile support | 35 | * feature: implemented --noblacklist command, profile support |
| 36 | * feature: config support to disable access to /mnt and /media (disable-mnt) | 36 | * feature: config support to disable access to /mnt and /media (disable-mnt) |
| 37 | * feature: allow tmpfs for regular users for files in home directory | ||
| 37 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 38 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
| 38 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 39 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
| 39 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 40 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c4feadad0..d5d62e929 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -970,8 +970,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 970 | ptr += 7; | 970 | ptr += 7; |
| 971 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 971 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
| 972 | if (getuid() != 0) { | 972 | if (getuid() != 0) { |
| 973 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); | 973 | // allow a non-root user to mount tmpfs in user home directory, links are not allowed |
| 974 | exit(1); | 974 | invalid_filename(ptr + 6); |
| 975 | char *newfname = expand_home(ptr + 6, cfg.homedir); | ||
| 976 | assert(newfname); | ||
| 977 | if (is_link(newfname)) { | ||
| 978 | fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n"); | ||
| 979 | exit(1); | ||
| 980 | } | ||
| 981 | if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) { | ||
| 982 | fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n"); | ||
| 983 | exit(1); | ||
| 984 | } | ||
| 985 | free(newfname); | ||
| 975 | } | 986 | } |
| 976 | ptr += 6; | 987 | ptr += 6; |
| 977 | } | 988 | } |