authorLibravatar netblue30 <netblue30@yahoo.com>2017-03-10 10:17:00 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2017-03-10 10:17:00 -0500
commit22414adf2a79b08a77bacbc002fb6ebb126d5b32 (patch)
tree4a00f60c09c0c78f288f748b1e909552515add60 /src/firejail
parentconfig support to disable access to /mnt and /media (diff)
allow tmpfs for regular users for files in home directory
Diffstat (limited to 'src/firejail')
-rw-r--r--src/firejail/profile.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c4feadad0..d5d62e929 100644
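--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -970,8 +970,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 ptr += 7;
 else if (strncmp(ptr, "tmpfs ", 6) == 0) {
 if (getuid() != 0) {
-fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-exit(1);
+// allow a non-root user to mount tmpfs in user home directory, links are not allowed
+invalid_filename(ptr + 6);
+char *newfname = expand_home(ptr + 6, cfg.homedir);
+assert(newfname);
+if (is_link(newfname)) {
+fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n");
+exit(1);
+}
+if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
+exit(1);
+}
+free(newfname);
 }
 ptr += 6;
 }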
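Review bot: The home-directory test `strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0` in the new non-root branch is a bare prefix match, so a sibling path that merely begins with the same characters (constructed example: `/home/alice2/x` with a home of `/home/alice`) is accepted as being inside the home directory. The comparison should also require a component boundary, e.g. `size_t hlen = strlen(cfg.homedir);` followed by `if (strncmp(newfname, cfg.homedir, hlen) != 0 || (newfname[hlen] != '/' && newfname[hlen] != '\0'))`. The path is also compared as written rather than resolved: `is_link()` is called once on the full string and presumably inspects only the final component, so a `..` segment or a symlinked parent directory would need canonicalising (for instance with `realpath()`) before the prefix test, unless `invalid_filename()` already rejects them, which is not visible here. Because this check runs while the profile line is being validated, the same restriction should also hold where the tmpfs mount is actually performed, which is outside this hunk; `profile_check_line` itself starts and ends outside the hunk.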