added support to enable/disable tmpfs mounting on top of ~/.cache directory

5 files changed, 17 insertions, 2 deletions

diff --git a/RELNOTES b/RELNOTES
index 39ddfda76..30df8ca3f 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -36,6 +36,7 @@ firejail (0.9.45) baseline; urgency=low
   * feature: config support to disable access to /mnt and /media (disable-mnt)
   * feature: allow tmpfs for regular users for files in home directory
   * feature: mount a tmpfs on top of ~/.cache directory by default
+  * feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/etc/firejail.config b/etc/firejail.config
index af190cb3c..0887e05b5 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -6,6 +6,9 @@
 # Enable or disable bind support, default enabled.
 # bind yes
 
+# Enable mounting a tmpfs on top of ~/.cache directory, default enabled.
+# cache-tmpfs yes
+
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 2aa7e7373..476ecbe10 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -74,8 +74,17 @@ int checkcfg(int val) {
                         if (!ptr)
                                 continue;
                         
+                        // mount tmpfs on top of ~/.cache directory
+                        if (strncmp(ptr, "cache-tmpfs ", 12) == 0) {
+                                if (strcmp(ptr + 12, "yes") == 0)
+                                        cfg_val[CFG_CACHE_TMPFS] = 1;
+                                else if (strcmp(ptr + 12, "no") == 0)
+                                        cfg_val[CFG_CACHE_TMPFS] = 0;
+                                else
+                                        goto errout;
+                        }
                         // file transfer        
-                        if (strncmp(ptr, "file-transfer ", 14) == 0) {
+                        else if (strncmp(ptr, "file-transfer ", 14) == 0) {
                                 if (strcmp(ptr + 14, "yes") == 0)
                                         cfg_val[CFG_FILE_TRANSFER] = 1;
                                 else if (strcmp(ptr + 14, "no") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f4d24ffa5..fa6ba5c6a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -684,6 +684,7 @@ enum {
         CFG_FOLLOW_SYMLINK_AS_USER,
         CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
         CFG_DISABLE_MNT,
+        CFG_CACHE_TMPFS,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f517316ed..faa641d13 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -773,7 +773,8 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // deploy a tmpfs on ~/.cache directory
         //****************************
-        fs_cache();
+        if (checkcfg(CFG_CACHE_TMPFS))
+                fs_cache();
 
 
         //****************************