tmpfs option enhancements

* downgrade error to warning,
smiliar to read-write option;
this simplifies use of tmpfs
option in general purpose
profiles, for example we
don't need to worry about links
people put in their homedir

* update manpage

3 files changed, 23 insertions, 17 deletions

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e57038ee0..4ae7dbfa4 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -171,21 +171,28 @@ static void disable_file(OPERATION op, const char *filename) {
                 fs_remount_rec(fname, op);
         }
         else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
-                        if (getuid()) {
-                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-                                    fname[strlen(cfg.homedir)] != '/') {
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-                                        exit(1);
-                                }
+                if (!S_ISDIR(s.st_mode)) {
+                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                        free(fname);
+                        return;
+                }
+
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                free(fname);
+                                return;
                         }
-                        // fs_tmpfs returns with EUID 0
-                        fs_tmpfs(fname, getuid());
-                        selinux_relabel_path(fname, fname);
-                        EUID_USER();
                 }
-                else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+                fs_tmpfs(fname, uid);
+                EUID_USER(); // fs_tmpfs returns with EUID 0
+
+                selinux_relabel_path(fname, fname);
         }
         else
                 assert(0);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6f3bef7f2..db58e0910 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3212a88e4..4a2e520c5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2566,14 +2566,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.