author | netblue30 <netblue30@yahoo.com> | 2018-06-12 07:17:18 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-06-12 07:17:18 -0400 |
commit | caa7ad8714206a158123773ddcaca6ef219a5501 (patch) | |
tree | e87b2723277e0a7478705334f97ca95e34a590fe | |
parent | Add profiles for Microsoft Office Online apps (from Manjaro devs) (diff) | |
mounting a tmpfs on ~/.cache directory (private-cache) by default
-rw-r--r-- | etc/firejail.config | 5 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 11 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 11 |
9 files changed, 19 insertions, 35 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index 1f47f77d0..42dfaf3c6 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -56,6 +56,11 @@ | |||
56 | # Remove /usr/local directories from private-bin list, default disabled. | 56 | # Remove /usr/local directories from private-bin list, default disabled. |
57 | # private-bin-no-local no | 57 | # private-bin-no-local no |
58 | 58 | ||
59 | # Mount an empty temporary filesystem on top of the .cache | ||
60 | # directory in user home. All modifications are discarded when | ||
61 | # the sandbox is closed. Default enabled. | ||
62 | # private-cache yes | ||
63 | |||
59 | # Enable or disable private-home feature, default enabled | 64 | # Enable or disable private-home feature, default enabled |
60 | # private-home yes | 65 | # private-home yes |
61 | 66 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 68e93e16e..6dc28b9bb 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -175,6 +175,15 @@ int checkcfg(int val) { | |||
175 | else | 175 | else |
176 | goto errout; | 176 | goto errout; |
177 | } | 177 | } |
178 | // private-cache | ||
179 | else if (strncmp(ptr, "private-cache ", 14) == 0) { | ||
180 | if (strcmp(ptr + 14, "yes") == 0) | ||
181 | cfg_val[CFG_PRIVATE_CACHE] = 1; | ||
182 | else if (strcmp(ptr + 14, "no") == 0) | ||
183 | cfg_val[CFG_PRIVATE_CACHE] = 0; | ||
184 | else | ||
185 | goto errout; | ||
186 | } | ||
178 | // seccomp | 187 | // seccomp |
179 | else if (strncmp(ptr, "seccomp ", 8) == 0) { | 188 | else if (strncmp(ptr, "seccomp ", 8) == 0) { |
180 | if (strcmp(ptr + 8, "yes") == 0) | 189 | if (strcmp(ptr + 8, "yes") == 0) |
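Review bot: The new `private-cache` branch only writes `cfg_val[CFG_PRIVATE_CACHE]` when the key is present in firejail.config; what the entry holds when the key is absent or commented out comes from the array's initialisation, which is outside this hunk, and since the config comment and the commit title say the feature is on by default, that initialiser must yield 1 for the `CFG_PRIVATE_CACHE` value appended in src/firejail/firejail.h — worth confirming rather than assuming. The literal `14` repeats the length of `"private-cache "`, which matches the neighbouring branches (`"seccomp "`, 8); a `sizeof("private-cache ") - 1` form would keep the two in step but departs from the file's style, so a short comment `// 14 == strlen("private-cache ")` is the lighter option. checkcfg's body starts and ends outside this hunk.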
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e2a780d77..55f8e6081 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -308,7 +308,6 @@ static inline int any_interface_configured(void) { | |||
308 | 308 | ||
309 | extern int arg_private; // mount private /home | 309 | extern int arg_private; // mount private /home |
310 | extern int arg_private_template; // private /home template | 310 | extern int arg_private_template; // private /home template |
311 | extern int arg_private_cache; // private home/.cache | ||
312 | extern int arg_debug; // print debug messages | 311 | extern int arg_debug; // print debug messages |
313 | extern int arg_debug_blacklists; // print debug messages for blacklists | 312 | extern int arg_debug_blacklists; // print debug messages for blacklists |
314 | extern int arg_debug_whitelists; // print debug messages for whitelists | 313 | extern int arg_debug_whitelists; // print debug messages for whitelists |
@@ -751,6 +750,7 @@ enum { | |||
751 | CFG_PRIVATE_LIB, | 750 | CFG_PRIVATE_LIB, |
752 | CFG_APPARMOR, | 751 | CFG_APPARMOR, |
753 | CFG_DBUS, | 752 | CFG_DBUS, |
753 | CFG_PRIVATE_CACHE, | ||
754 | CFG_MAX // this should always be the last entry | 754 | CFG_MAX // this should always be the last entry |
755 | }; | 755 | }; |
756 | extern char *xephyr_screen; | 756 | extern char *xephyr_screen; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0e104699f..68b09dcbd 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1353,10 +1353,8 @@ void fs_private_cache(void) { | |||
1353 | fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); | 1353 | fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); |
1354 | return; | 1354 | return; |
1355 | } | 1355 | } |
1356 | if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) { | 1356 | if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) |
1357 | fwarning("no user .cache directory found, tmpfs not mounted\n"); | ||
1358 | return; | 1357 | return; |
1359 | } | ||
1360 | if (s.st_uid != getuid()) { | 1358 | if (s.st_uid != getuid()) { |
1361 | fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); | 1359 | fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); |
1362 | return; | 1360 | return; |
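Review bot: Dropping the "no user .cache directory found" warning makes the `stat` failure and not-a-directory case at new line 1356 silent, while the symlink case above and the ownership case below still warn; with the feature now on by default a user has no indication from the output that ~/.cache was left untouched. Keeping the message under the debug flag, e.g. `if (arg_debug) printf("no user .cache directory found, tmpfs not mounted\n");` before the `return`, keeps the skip observable without adding noise to every run where the directory does not exist. fs_private_cache's body starts and ends outside this hunk.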
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7d4c33460..072c4b0ee 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -46,7 +46,6 @@ static char child_stack[STACK_SIZE]; // space for child's stack | |||
46 | Config cfg; // configuration | 46 | Config cfg; // configuration |
47 | int arg_private = 0; // mount private /home and /tmp directoryu | 47 | int arg_private = 0; // mount private /home and /tmp directoryu |
48 | int arg_private_template = 0; // mount private /home using a template | 48 | int arg_private_template = 0; // mount private /home using a template |
49 | int arg_private_cache = 0; // mount private home/.cache | ||
50 | int arg_debug = 0; // print debug messages | 49 | int arg_debug = 0; // print debug messages |
51 | int arg_debug_blacklists = 0; // print debug messages for blacklists | 50 | int arg_debug_blacklists = 0; // print debug messages for blacklists |
52 | int arg_debug_whitelists = 0; // print debug messages for whitelists | 51 | int arg_debug_whitelists = 0; // print debug messages for whitelists |
@@ -1677,9 +1676,6 @@ int main(int argc, char **argv) { | |||
1677 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 1676 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
1678 | arg_private_tmp = 1; | 1677 | arg_private_tmp = 1; |
1679 | } | 1678 | } |
1680 | else if (strcmp(argv[i], "--private-cache") == 0) { | ||
1681 | arg_private_cache = 1; | ||
1682 | } | ||
1683 | 1679 | ||
1684 | //************************************* | 1680 | //************************************* |
1685 | // hostname, etc | 1681 | // hostname, etc |
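Review bot: Removing the `--private-cache` branch at old lines 1680-1682 means a command line that still passes the option falls through to whatever the parser does after this chain, which is outside the hunk but for an unknown option is presumably an error rather than a no-op, so existing scripts break without a deprecation step; the same applies to the `private-cache` profile keyword removed in src/firejail/profile.c, which would now be reported as an unrecognised profile line. Keeping both as accepted no-ops, e.g. `else if (strcmp(argv[i], "--private-cache") == 0) { /* now the default; see private-cache in firejail.config */ }`, preserves compatibility, with the man page entries marked deprecated instead of deleted. main's body starts and ends outside this hunk.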
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 04519483c..7b59cd48c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -217,10 +217,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
217 | arg_allusers = 1; | 217 | arg_allusers = 1; |
218 | return 0; | 218 | return 0; |
219 | } | 219 | } |
220 | else if (strcmp(ptr, "private-cache") == 0) { | ||
221 | arg_private_cache = 1; | ||
222 | return 0; | ||
223 | } | ||
224 | else if (strcmp(ptr, "private-dev") == 0) { | 220 | else if (strcmp(ptr, "private-dev") == 0) { |
225 | arg_private_dev = 1; | 221 | arg_private_dev = 1; |
226 | return 0; | 222 | return 0; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index fdb0babc8..5c129fead 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -833,14 +833,9 @@ int sandbox(void* sandbox_arg) { | |||
833 | } | 833 | } |
834 | } | 834 | } |
835 | 835 | ||
836 | if (arg_private_cache) { | 836 | // private cache directory by default |
837 | if (cfg.chrootdir) | 837 | if (checkcfg(CFG_PRIVATE_CACHE)) |
838 | fwarning("private-cache feature is disabled in chroot\n"); | 838 | fs_private_cache(); |
839 | else if (arg_overlay) | ||
840 | fwarning("private-cache feature is disabled in overlay\n"); | ||
841 | else | ||
842 | fs_private_cache(); | ||
843 | } | ||
844 | 839 | ||
845 | if (arg_private_tmp) { | 840 | if (arg_private_tmp) { |
846 | // private-tmp is implemented as a whitelist | 841 | // private-tmp is implemented as a whitelist |
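Review bot: The rewritten block at new lines 836-838 calls `fs_private_cache()` whenever the config option is on, dropping the `cfg.chrootdir` and `arg_overlay` guards under which the removed code skipped the feature with a warning; unless fs_private_cache now handles those cases itself (its body is not among this commit's visible hunks), the tmpfs is mounted over the host-side ~/.cache while a chroot or overlay root is in effect, which the previous code deliberately avoided. Suggest `if (checkcfg(CFG_PRIVATE_CACHE) && !cfg.chrootdir && !arg_overlay)` with the two `fwarning` branches retained, or a comment stating why the restriction no longer applies. sandbox's body starts and ends outside this hunk.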
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index ae7085f24..7bfa3a019 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -221,10 +221,6 @@ filesystem, and copy the files and directories in the list in the | |||
221 | new home. All modifications are discarded when the sandbox is | 221 | new home. All modifications are discarded when the sandbox is |
222 | closed. | 222 | closed. |
223 | .TP | 223 | .TP |
224 | \fBprivate-cache | ||
225 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | ||
226 | modifications are discarded when the sandbox is closed. | ||
227 | .TP | ||
228 | \fBprivate-bin file,file | 224 | \fBprivate-bin file,file |
229 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 225 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
230 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 226 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0ac5854f7..aad678aa4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1312,17 +1312,6 @@ Example: | |||
1312 | $ firejail \-\-private-home=.mozilla firefox | 1312 | $ firejail \-\-private-home=.mozilla firefox |
1313 | 1313 | ||
1314 | .TP | 1314 | .TP |
1315 | \fB\-\-private-cache | ||
1316 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | ||
1317 | modifications are discarded when the sandbox is closed. | ||
1318 | .br | ||
1319 | |||
1320 | .br | ||
1321 | Example: | ||
1322 | .br | ||
1323 | $ firejail \-\-private-cache openbox | ||
1324 | |||
1325 | .TP | ||
1326 | \fB\-\-private-bin=file,file | 1315 | \fB\-\-private-bin=file,file |
1327 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 1316 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
1328 | If no listed file is found, /bin directory will be empty. | 1317 | If no listed file is found, /bin directory will be empty. |