Revert "mounting a tmpfs on ~/.cache directory (private-cache) by default"

This reverts commit caa7ad8714206a158123773ddcaca6ef219a5501.
author: Tad <tad@spotco.us> 2018-06-14 17:09:07 -0400
committer: Tad <tad@spotco.us> 2018-06-14 17:09:07 -0400
commit: ce416de492c229b09b4cb466e042f03ed3ce2e40 (patch)
tree: deb46b0026b9b2718ec4293bb07faf19272fd561 /src
parent: readme.md (diff)
download: firejail-ce416de492c229b09b4cb466e042f03ed3ce2e40.tar.gz
firejail-ce416de492c229b09b4cb466e042f03ed3ce2e40.tar.zst
firejail-ce416de492c229b09b4cb466e042f03ed3ce2e40.zip
8 files changed, 35 insertions, 14 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 6dc28b9bb..68e93e16e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -175,15 +175,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        // private-cache
-                        else if (strncmp(ptr, "private-cache ", 14) == 0) {
-                                if (strcmp(ptr + 14, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_CACHE] = 1;
-                                else if (strcmp(ptr + 14, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_CACHE] = 0;
-                                else
-                                        goto errout;
-                        }
                        // seccomp
                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 3e05591b8..92a18af25 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -308,6 +308,7 @@ static inline int any_interface_configured(void) {
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
+extern int arg_private_cache;   // private home/.cache
 extern int arg_debug;           // print debug messages
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
@@ -753,7 +754,6 @@ enum {
        CFG_PRIVATE_LIB,
        CFG_APPARMOR,
        CFG_DBUS,
-        CFG_PRIVATE_CACHE,
        CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 68b09dcbd..0e104699f 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1353,8 +1353,10 @@ void fs_private_cache(void) {
                fwarning("user .cache is a symbolic link, tmpfs not mounted\n");
                return;
        }
-        if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode))
+        if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) {
+                fwarning("no user .cache directory found, tmpfs not mounted\n");
                return;
+        }
        if (s.st_uid != getuid()) {
                fwarning("user .cache is not owned by current user, tmpfs not mounted\n");
                return;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9babb72de..6aebd9ab2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -46,6 +46,7 @@ static char child_stack[STACK_SIZE];		// space for child's stack
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_template = 0;   // mount private /home using a template
+int arg_private_cache = 0;              // mount private home/.cache
 int arg_debug = 0;                              // print debug messages
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
@@ -1681,6 +1682,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--private-tmp") == 0) {
                        arg_private_tmp = 1;
                }
+                else if (strcmp(argv[i], "--private-cache") == 0) {
+                        arg_private_cache = 1;
+                }
                //*************************************
                // hostname, etc
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 88d27f09f..22db6f5fb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -217,6 +217,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_allusers = 1;
                return 0;
        }
+        else if (strcmp(ptr, "private-cache") == 0) {
+                arg_private_cache = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "private-dev") == 0) {
                arg_private_dev = 1;
                return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a1400db34..7922da9b9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -833,9 +833,14 @@ int sandbox(void* sandbox_arg) {
                }
        }
-        // private cache directory by default
+        if (arg_private_cache) {
-        if (checkcfg(CFG_PRIVATE_CACHE))
+                if (cfg.chrootdir)
-                fs_private_cache();
+                        fwarning("private-cache feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fwarning("private-cache feature is disabled in overlay\n");
+                else
+                        fs_private_cache();
+        }
        if (arg_private_tmp) {
                // private-tmp is implemented as a whitelist
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index c32fdf8f4..851eb1026 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -221,6 +221,10 @@ filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
 closed.
 .TP
+\fBprivate-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 760249e70..d527c05d8 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1322,6 +1322,17 @@ Example:
 $ firejail \-\-private-home=.mozilla firefox
 .TP
+\fB\-\-private-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-private-cache openbox
+.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 If no listed file is found, /bin directory will be empty.
author	Tad <tad@spotco.us>	2018-06-14 17:09:07 -0400
committer	Tad <tad@spotco.us>	2018-06-14 17:09:07 -0400
commit	ce416de492c229b09b4cb466e042f03ed3ce2e40 (patch)
tree	deb46b0026b9b2718ec4293bb07faf19272fd561 /src
parent	readme.md (diff)
download	firejail-ce416de492c229b09b4cb466e042f03ed3ce2e40.tar.gz firejail-ce416de492c229b09b4cb466e042f03ed3ce2e40.tar.zst firejail-ce416de492c229b09b4cb466e042f03ed3ce2e40.zip