diff options
| author |  netblue30 <netblue30@protonmail.com> | 2020-11-22 12:48:26 -0500 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-11-22 12:48:26 -0500 |
| commit | 00f2996f3a5a5baf2ef1238eff764425e6c1049e (patch) | |
| tree | 544b4e4c804ecdc16bbef29e7d7c0da8009ad283 /src | |
| parent | Merge pull request #3752 from smitsohu/smitsohu-get-to-cat (diff) | |
| parent | reimplement --private-cache using --tmpfs (diff) | |
| download | firejail-00f2996f3a5a5baf2ef1238eff764425e6c1049e.tar.gz firejail-00f2996f3a5a5baf2ef1238eff764425e6c1049e.tar.zst firejail-00f2996f3a5a5baf2ef1238eff764425e6c1049e.zip | |
Merge pull request #3762 from smitsohu/smitsohu-private-cache
reimplement --private-cache using --tmpfs
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 36 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 9 |
2 files changed, 9 insertions, 36 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 65f53bf76..0d4e496e8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -162,11 +162,12 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 162 | } | 162 | } |
| 163 | else if (op == MOUNT_TMPFS) { | 163 | else if (op == MOUNT_TMPFS) { |
| 164 | if (S_ISDIR(s.st_mode)) { | 164 | if (S_ISDIR(s.st_mode)) { |
| 165 | if (getuid() && | 165 | if (getuid()) { |
| 166 | (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || | 166 | if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || |
| 167 | fname[strlen(cfg.homedir)] != '/')) { | 167 | fname[strlen(cfg.homedir)] != '/') { |
| 168 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); | 168 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); |
| 169 | exit(1); | 169 | exit(1); |
| 170 | } | ||
| 170 | } | 171 | } |
| 171 | fs_tmpfs(fname, getuid()); | 172 | fs_tmpfs(fname, getuid()); |
| 172 | last_disable = SUCCESSFUL; | 173 | last_disable = SUCCESSFUL; |
| @@ -1260,28 +1261,3 @@ void fs_private_tmp(void) { | |||
| 1260 | } | 1261 | } |
| 1261 | closedir(dir); | 1262 | closedir(dir); |
| 1262 | } | 1263 | } |
| 1263 | |||
| 1264 | // this function is called from sandbox.c before blacklist/whitelist functions | ||
| 1265 | void fs_private_cache(void) { | ||
| 1266 | char *cache; | ||
| 1267 | if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) | ||
| 1268 | errExit("asprintf"); | ||
| 1269 | // check if ~/.cache is a valid destination | ||
| 1270 | struct stat s; | ||
| 1271 | if (lstat(cache, &s) == -1) { | ||
| 1272 | fwarning("skipping private-cache: cannot find %s\n", cache); | ||
| 1273 | free(cache); | ||
| 1274 | return; | ||
| 1275 | } | ||
| 1276 | if (!S_ISDIR(s.st_mode)) { | ||
| 1277 | if (S_ISLNK(s.st_mode)) | ||
| 1278 | fwarning("skipping private-cache: %s is a symbolic link\n", cache); | ||
| 1279 | else | ||
| 1280 | fwarning("skipping private-cache: %s is not a directory\n", cache); | ||
| 1281 | free(cache); | ||
| 1282 | return; | ||
| 1283 | } | ||
| 1284 | // do the mount | ||
| 1285 | fs_tmpfs(cache, getuid()); // check ownership of ~/.cache | ||
| 1286 | free(cache); | ||
| 1287 | } | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8bfe76603..41951f38f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -923,12 +923,9 @@ int sandbox(void* sandbox_arg) { | |||
| 923 | 923 | ||
| 924 | #ifdef HAVE_USERTMPFS | 924 | #ifdef HAVE_USERTMPFS |
| 925 | if (arg_private_cache) { | 925 | if (arg_private_cache) { |
| 926 | if (cfg.chrootdir) | 926 | EUID_USER(); |
| 927 | fwarning("private-cache feature is disabled in chroot\n"); | 927 | profile_add("tmpfs ${HOME}/.cache"); |
| 928 | else if (arg_overlay) | 928 | EUID_ROOT(); |
| 929 | fwarning("private-cache feature is disabled in overlay\n"); | ||
| 930 | else | ||
| 931 | fs_private_cache(); | ||
| 932 | } | 929 | } |
| 933 | #endif | 930 | #endif |
| 934 | 931 | ||