Merge pull request #1919 from chiraag-nataraj/master

Add --keep-var-tmp and associated profile option

7 files changed, 30 insertions, 3 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 14f87c36c..84f535575 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -366,6 +366,7 @@ extern int arg_nice;		// nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_writable_var;    // writable var
+extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;       // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c9158ebd5..88f92ad74 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -704,7 +704,8 @@ void fs_basic_fs(void) {
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
-        fs_var_tmp();
+        if (!arg_keep_var_tmp)
+          fs_var_tmp();
         if (!arg_writable_var_log)
                 fs_var_log();
         else
@@ -1015,7 +1016,8 @@ void fs_overlayfs(void) {
 //      if (!arg_private_dev)
 //              fs_dev_shm();
         fs_var_lock();
-        fs_var_tmp();
+        if (!arg_keep_var_tmp)
+                fs_var_tmp();
         if (!arg_writable_var_log)
                 fs_var_log();
         else
@@ -1258,7 +1260,8 @@ void fs_chroot(const char *rootdir) {
 //              if (!arg_private_dev)
 //                      fs_dev_shm();
                 fs_var_lock();
-                fs_var_tmp();
+                if (!arg_keep_var_tmp)
+                        fs_var_tmp();
                 if (!arg_writable_var_log)
                         fs_var_log();
                 else
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9a013989a..2e47dd938 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -104,6 +104,7 @@ int arg_nice = 0;				// nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
 int arg_writable_var = 0;                       // writable var
+int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;                  // writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
@@ -1537,6 +1538,9 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
+                else if (strcmp(argv[1], "--keep-var-tmp") == 0) {
+                        arg_keep_var_tmp = 1;
+                }
                 else if (strcmp(argv[i], "--writable-run-user") == 0) {
                         arg_writable_run_user = 1;
                 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 156ffa24a..7b59cd48c 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -738,6 +738,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_writable_var = 1;
                 return 0;
         }
+        // don't overwrite /var/tmp
+        if (strcmp(ptr, "keep-var-tmp") == 0) {
+                arg_keep_var_tmp = 1;
+                return 0;
+        }
         // writable-run-user
         if (strcmp(ptr, "writable-run-user") == 0) {
                 arg_writable_run_user = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 742fc0465..88614298e 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -94,6 +94,7 @@ static char *usage_str =
         "    --join-network=name|pid - join the network namespace.\n"
 #endif
         "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
+        "    --keep-var-tmp - /var/tmp directory is untouched.\n"
         "    --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
         "    --ls=name|pid dir_or_filename - list files in sandbox container.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 0217e1353..f136be510 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -164,6 +164,9 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-var-tmp
+/var/tmp directory is untouched.
+.TP
 \fBmkdir directory
 Create a directory in user home or under /tmp before the sandbox is started.
 The directory is created if it doesn't already exist.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d8fed1f31..af9fe4b90 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -678,6 +678,16 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 Note that in contrary to other join options there is respective profile option.
 
 .TP
+\fB\-\-keep-var-tmp
+/var/tmp directory is untouched.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-var-tmp
+
+.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.