diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-03-07 15:43:55 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-03-07 15:43:55 -0500 |
| commit | 6cddc32564529573ddc3057fd8aefce1e0ae23a2 (patch) | |
| tree | ee6fdc270e111fbacad0caa65dbd8dd0b0a20f24 | |
| parent | Following links in private-bin command ported from #1100 created problems for... (diff) | |
| download | firejail-6cddc32564529573ddc3057fd8aefce1e0ae23a2.tar.gz firejail-6cddc32564529573ddc3057fd8aefce1e0ae23a2.tar.zst firejail-6cddc32564529573ddc3057fd8aefce1e0ae23a2.zip | |
allow /tmp in mkdir and mkfile profile commands
| -rw-r--r-- | RELNOTES | 2 | ||||
| -rw-r--r-- | src/firejail/fs_mkdir.c | 12 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 6 |
3 files changed, 13 insertions, 7 deletions
| @@ -31,7 +31,9 @@ firejail (0.9.45) baseline; urgency=low | |||
| 31 | * feature: added a number o Python scripts for handling sandboxes | 31 | * feature: added a number o Python scripts for handling sandboxes |
| 32 | * feature: allow local customization using .local files under /etc/firejail | 32 | * feature: allow local customization using .local files under /etc/firejail |
| 33 | * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config | 33 | * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config |
| 34 | * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config | ||
| 34 | * feature: xvfb X11 server support (--x11=xvfb) | 35 | * feature: xvfb X11 server support (--x11=xvfb) |
| 36 | * feature: allow /tmp directory in mkdir and mkfile profile commands | ||
| 35 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 37 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
| 36 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 38 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
| 37 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 39 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index a0bda7443..35d043dde 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
| @@ -57,12 +57,15 @@ static void mkdir_recursive(char *path) { | |||
| 57 | 57 | ||
| 58 | void fs_mkdir(const char *name) { | 58 | void fs_mkdir(const char *name) { |
| 59 | EUID_ASSERT(); | 59 | EUID_ASSERT(); |
| 60 | printf("****************************\n"); | ||
| 61 | |||
| 60 | 62 | ||
| 61 | // check directory name | 63 | // check directory name |
| 62 | invalid_filename(name); | 64 | invalid_filename(name); |
| 63 | char *expanded = expand_home(name, cfg.homedir); | 65 | char *expanded = expand_home(name, cfg.homedir); |
| 64 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) { | 66 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && |
| 65 | fprintf(stderr, "Error: only directories in user home are supported by mkdir\n"); | 67 | strncmp(expanded, "/tmp", 4) != 0) { |
| 68 | fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n"); | ||
| 66 | exit(1); | 69 | exit(1); |
| 67 | } | 70 | } |
| 68 | 71 | ||
| @@ -100,8 +103,9 @@ void fs_mkfile(const char *name) { | |||
| 100 | // check file name | 103 | // check file name |
| 101 | invalid_filename(name); | 104 | invalid_filename(name); |
| 102 | char *expanded = expand_home(name, cfg.homedir); | 105 | char *expanded = expand_home(name, cfg.homedir); |
| 103 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) { | 106 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && |
| 104 | fprintf(stderr, "Error: only files in user home are supported by mkfile\n"); | 107 | strncmp(expanded, "/tmp", 4) != 0) { |
| 108 | fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n"); | ||
| 105 | exit(1); | 109 | exit(1); |
| 106 | } | 110 | } |
| 107 | 111 | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d60d48072..cf2398ad4 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -156,7 +156,7 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
| 156 | Mount-bind file1 on top of file2. This option is only available when running as root. | 156 | Mount-bind file1 on top of file2. This option is only available when running as root. |
| 157 | .TP | 157 | .TP |
| 158 | \fBmkdir directory | 158 | \fBmkdir directory |
| 159 | Create a directory in user home before the sandbox is started. | 159 | Create a directory in user home or under /tmp before the sandbox is started. |
| 160 | The directory is created if it doesn't already exist. | 160 | The directory is created if it doesn't already exist. |
| 161 | .br | 161 | .br |
| 162 | 162 | ||
| @@ -177,8 +177,8 @@ mkdir ~/.cache/mozilla/firefox | |||
| 177 | whitelist ~/.cache/mozilla/firefox | 177 | whitelist ~/.cache/mozilla/firefox |
| 178 | .TP | 178 | .TP |
| 179 | \fBmkfile file | 179 | \fBmkfile file |
| 180 | Similar to mkdir, this command creates a file in user home before the sandbox is started. | 180 | Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started. |
| 181 | The file is created if it doesn't already exist, but it's target directory has to exist. | 181 | The file is created if it doesn't already exist. |
| 182 | .TP | 182 | .TP |
| 183 | \fBnoexec file_or_directory | 183 | \fBnoexec file_or_directory |
| 184 | Remount the file or the directory noexec, nodev and nosuid. | 184 | Remount the file or the directory noexec, nodev and nosuid. |