remove tmpfs from /dev/shm for root user

author: netblue30 <netblue30@yahoo.com> 2016-10-27 10:54:34 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-10-27 10:54:34 -0400
commit: 096333704e0c3d6b7cf23fe6f4e34e99fdc9770f (patch)
tree: e21337713211357ea7867c25524833b92eada03d
parent: security: overwrite /etc/resolv.conf (diff)
download: firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.tar.gz
firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.tar.zst
firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.zip
3 files changed, 9 insertions, 6 deletions
diff --git a/RELNOTES b/RELNOTES
index 7aeac4f8d..16c03fc23 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.45) baseline; urgency=low
  * development version, work in progress
  * security: overwrite /etc/resolv.conf found by Martin Carpenter
+  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
  * feature: split most of networking code in a separate executable
  * new profiles: xiphos, Tor Browser Bundle
  * bugfixes
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 6c566bd90..572b08205 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -754,8 +754,8 @@ void fs_basic_fs(void) {
        fs_rdonly("/usr");
        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
+//      if (!arg_private_dev)
-                fs_dev_shm();
+//              fs_dev_shm();
        fs_var_lock();
        fs_var_tmp();
        fs_var_log();
@@ -1061,8 +1061,8 @@ void fs_overlayfs(void) {
                errExit("chroot");
        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
+//      if (!arg_private_dev)
-                fs_dev_shm();
+//              fs_dev_shm();
        fs_var_lock();
        fs_var_tmp();
        fs_var_log();
@@ -1233,8 +1233,8 @@ void fs_chroot(const char *rootdir) {
                
        if (checkcfg(CFG_CHROOT_DESKTOP)) {
                // update /var directory in order to support multiple sandboxes running on the same root directory
-                if (!arg_private_dev)
+//              if (!arg_private_dev)
-                        fs_dev_shm();
+//                      fs_dev_shm();
                fs_var_lock();
                fs_var_tmp();
                fs_var_log();
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index aa5f7c28b..0186c6f82 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -244,6 +244,7 @@ void fs_private_dev(void){
 }
+#if 0
 void fs_dev_shm(void) {
        uid_t uid = getuid(); // set a new shm only if we started as root
        if (uid)
@@ -282,6 +283,7 @@ void fs_dev_shm(void) {
                        
        }
 }
+#endif  
 static void disable_file_or_dir(const char *fname) {
        if (arg_debug)
author	netblue30 <netblue30@yahoo.com>	2016-10-27 10:54:34 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-10-27 10:54:34 -0400
commit	096333704e0c3d6b7cf23fe6f4e34e99fdc9770f (patch)
tree	e21337713211357ea7867c25524833b92eada03d
parent	security: overwrite /etc/resolv.conf (diff)
download	firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.tar.gz firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.tar.zst firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.zip