mounting a tmpfs on ~/.cache directory (private-cache) by default

author: netblue30 <netblue30@yahoo.com> 2018-06-12 07:17:18 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-06-12 07:17:18 -0400
commit: caa7ad8714206a158123773ddcaca6ef219a5501 (patch)
tree: e87b2723277e0a7478705334f97ca95e34a590fe
parent: Add profiles for Microsoft Office Online apps (from Manjaro devs) (diff)
download: firejail-caa7ad8714206a158123773ddcaca6ef219a5501.tar.gz
firejail-caa7ad8714206a158123773ddcaca6ef219a5501.tar.zst
firejail-caa7ad8714206a158123773ddcaca6ef219a5501.zip
9 files changed, 19 insertions, 35 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index 1f47f77d0..42dfaf3c6 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -56,6 +56,11 @@
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
+# Mount  an empty temporary filesystem on top of the .cache
+# directory in user home. All  modifications  are  discarded  when
+# the sandbox is closed. Default enabled.
+# private-cache yes
 # Enable or disable private-home feature, default enabled
 # private-home yes
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 68e93e16e..6dc28b9bb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -175,6 +175,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // private-cache
+                        else if (strncmp(ptr, "private-cache ", 14) == 0) {
+                                if (strcmp(ptr + 14, "yes") == 0)
+                                        cfg_val[CFG_PRIVATE_CACHE] = 1;
+                                else if (strcmp(ptr + 14, "no") == 0)
+                                        cfg_val[CFG_PRIVATE_CACHE] = 0;
+                                else
+                                        goto errout;
+                        }
                        // seccomp
                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e2a780d77..55f8e6081 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -308,7 +308,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
-extern int arg_private_cache;   // private home/.cache
 extern int arg_debug;           // print debug messages
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
@@ -751,6 +750,7 @@ enum {
        CFG_PRIVATE_LIB,
        CFG_APPARMOR,
        CFG_DBUS,
+        CFG_PRIVATE_CACHE,
        CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0e104699f..68b09dcbd 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1353,10 +1353,8 @@ void fs_private_cache(void) {
                fwarning("user .cache is a symbolic link, tmpfs not mounted\n");
                return;
        }
-        if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) {
+        if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode))
-                fwarning("no user .cache directory found, tmpfs not mounted\n");
                return;
-        }
        if (s.st_uid != getuid()) {
                fwarning("user .cache is not owned by current user, tmpfs not mounted\n");
                return;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7d4c33460..072c4b0ee 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -46,7 +46,6 @@ static char child_stack[STACK_SIZE];		// space for child's stack
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_template = 0;   // mount private /home using a template
-int arg_private_cache = 0;              // mount private home/.cache
 int arg_debug = 0;                              // print debug messages
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
@@ -1677,9 +1676,6 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--private-tmp") == 0) {
                        arg_private_tmp = 1;
                }
-                else if (strcmp(argv[i], "--private-cache") == 0) {
-                        arg_private_cache = 1;
-                }
                //*************************************
                // hostname, etc
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 04519483c..7b59cd48c 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -217,10 +217,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_allusers = 1;
                return 0;
        }
-        else if (strcmp(ptr, "private-cache") == 0) {
-                arg_private_cache = 1;
-                return 0;
-        }
        else if (strcmp(ptr, "private-dev") == 0) {
                arg_private_dev = 1;
                return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index fdb0babc8..5c129fead 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -833,14 +833,9 @@ int sandbox(void* sandbox_arg) {
                }
        }
-        if (arg_private_cache) {
+        // private cache directory by default
-                if (cfg.chrootdir)
+        if (checkcfg(CFG_PRIVATE_CACHE))
-                        fwarning("private-cache feature is disabled in chroot\n");
+                fs_private_cache();
-                else if (arg_overlay)
-                        fwarning("private-cache feature is disabled in overlay\n");
-                else
-                        fs_private_cache();
-        }
        if (arg_private_tmp) {
                // private-tmp is implemented as a whitelist
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ae7085f24..7bfa3a019 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -221,10 +221,6 @@ filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
 closed.
 .TP
-\fBprivate-cache
-Mount an empty temporary filesystem on top of the .cache directory in user home. All
-modifications are discarded when the sandbox is closed.
-.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0ac5854f7..aad678aa4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1312,17 +1312,6 @@ Example:
 $ firejail \-\-private-home=.mozilla firefox
 .TP
-\fB\-\-private-cache
-Mount an empty temporary filesystem on top of the .cache directory in user home. All
-modifications are discarded when the sandbox is closed.
-.br
-.br
-Example:
-.br
-$ firejail \-\-private-cache openbox
-.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 If no listed file is found, /bin directory will be empty.
author	netblue30 <netblue30@yahoo.com>	2018-06-12 07:17:18 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-06-12 07:17:18 -0400
commit	caa7ad8714206a158123773ddcaca6ef219a5501 (patch)
tree	e87b2723277e0a7478705334f97ca95e34a590fe
parent	Add profiles for Microsoft Office Online apps (from Manjaro devs) (diff)
download	firejail-caa7ad8714206a158123773ddcaca6ef219a5501.tar.gz firejail-caa7ad8714206a158123773ddcaca6ef219a5501.tar.zst firejail-caa7ad8714206a158123773ddcaca6ef219a5501.zip