suport mkdir and mkfile for /run/user/<PID> directory (#3346)

2 files changed, 29 insertions, 13 deletions

diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index eb660df90..0e213f2f8 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,22 @@
 #include <sys/wait.h>
 #include <string.h>
 
+
+static void check(const char *fname) {
+        // manufacture /run/user directory
+        char *runuser;
+        if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+                errExit("asprintf");
+
+        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+            strncmp(fname, "/tmp", 4) != 0 &&
+            strncmp(fname, runuser, strlen(runuser)) != 0) {
+                fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+                exit(1);
+        }
+        free(runuser);
+}
+
 static void mkdir_recursive(char *path) {
         char *subdir = NULL;
         struct stat s;
@@ -61,11 +77,7 @@ void fs_mkdir(const char *name) {
         // check directory name
         invalid_filename(name, 0); // no globbing
         char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-                exit(1);
-        }
+        check(expanded); // will exit if wrong path
 
         struct stat s;
         if (stat(expanded, &s) == 0) {
@@ -101,11 +113,7 @@ void fs_mkfile(const char *name) {
         // check file name
         invalid_filename(name, 0); // no globbing
         char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-                exit(1);
-        }
+        check(expanded); // will exit if wrong path
 
         struct stat s;
         if (stat(expanded, &s) == 0) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6405fd301..df2d2a2e8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -211,7 +211,7 @@ Disable /mnt, /media, /run/mount and /run/media access.
 /var/tmp directory is untouched.
 .TP
 \fBmkdir directory
-Create a directory in user home or under /tmp before the sandbox is started.
+Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started.
 The directory is created if it doesn't already exist.
 .br
 
@@ -230,10 +230,18 @@ whitelist ~/.mozilla
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
+.br
+
+.br
+For files in /run/user/<PID> use ${RUNUSER} macro:
+.br
+
+.br
+mkdir ${RUNUSER}/firejail-testing
 .TP
 \fBmkfile file
-Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started.
-The file is created if it doesn't already exist.
+Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID>
+before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.