Allow --tmpfs inside $HOME for unprivileged users

--tmpfs was added in 0.9.14 and restricted to root only in 0.9.38 due to priv-esc CVE-2016-10117 (e.g. --tmpfs=/etc and modify /etc/sudoers). This commit reintroduce it for normal users, if the realpath of it is inside users-home.
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-10-16 18:51:37 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-10-23 11:01:12 +0200
commit: 1ebdf894c675925109031b3fbb859478a2ece566 (patch)
tree: 6e656ad5d5e4047bcdc078aefbf926e084309589 /src/firejail/profile.c
parent: 0.9.64 testing (diff)
download: firejail-1ebdf894c675925109031b3fbb859478a2ece566.tar.gz
firejail-1ebdf894c675925109031b3fbb859478a2ece566.tar.zst
firejail-1ebdf894c675925109031b3fbb859478a2ece566.zip
1 files changed, 0 insertions, 4 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5d83e6a73..8ed187b20 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1563,10 +1563,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        else if (strncmp(ptr, "noexec ", 7) == 0)
                ptr += 7;
        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-                        exit(1);
-                }
                ptr += 6;
        }
        else {
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-10-16 18:51:37 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-10-23 11:01:12 +0200
commit	1ebdf894c675925109031b3fbb859478a2ece566 (patch)
tree	6e656ad5d5e4047bcdc078aefbf926e084309589 /src/firejail/profile.c
parent	0.9.64 testing (diff)
download	firejail-1ebdf894c675925109031b3fbb859478a2ece566.tar.gz firejail-1ebdf894c675925109031b3fbb859478a2ece566.tar.zst firejail-1ebdf894c675925109031b3fbb859478a2ece566.zip