author | root <root@debian> | 2016-01-26 08:38:54 -0500 |
---|---|---|
committer | root <root@debian> | 2016-01-26 08:38:54 -0500 |
commit | 3a8649e37789151f235c5f01e846b7228bac402b (patch) | |
tree | 9848db30a0657041821f608575c7957d6d34f1fe /src | |
parent | --tmpfs allowd only as root user (diff) | |
--private-tmp
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 7 | ||||
-rw-r--r-- | src/firejail/main.c | 10 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 11 |
8 files changed, 40 insertions, 7 deletions
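--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -224,6 +224,7 @@ extern int arg_shell_none; // run the program directly without a shell
 extern int arg_private_dev; // private dev directory
 extern int arg_private_etc; // private etc directory
 extern int arg_private_bin; // private bin directory
+extern int arg_private_tmp; // private tmp directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist commad
 extern int arg_nosound; // disable sound
@@ -288,6 +289,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 int fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 
 // profile.c
 // find and read the profile specified by name from dir directory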
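--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -959,4 +959,11 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
 
+void fs_private_tmp(void) {
+	// mount tmpfs on top of /run/firejail/mnt
+	if (arg_debug)
+		printf("Mounting tmpfs on /tmp directory\n");
+	if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+		errExit("mounting /tmp/firejail/mnt");
+}
 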
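Review bot: The tmpfs mounted over /tmp at new line 966 is created with `mode=777` and without MS_NODEV, so inside the sandbox any uid can unlink or rename files that another uid created in /tmp (the host's /tmp is conventionally 1777 with the sticky bit for exactly this reason), and device nodes on the mount would be honoured if the sandboxed process still holds CAP_MKNOD. I would change the call to `if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=1777,gid=0") < 0)`; MS_REC does nothing on a fresh tmpfs mount (it only matters for bind mounts and propagation changes) and can be dropped. The comment on line 963 and the errExit message on line 967 still name /run/firejail/mnt and /tmp/firejail/mnt, apparently left over from the code this was copied from; make them `// mount an empty tmpfs on top of /tmp` and `errExit("mounting /tmp")` so a failure message points at the right path.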
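--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_shell_none = 0; // run the program directly without a shell
 int arg_private_dev = 0; // private dev directory
 int arg_private_etc = 0; // private etc directory
 int arg_private_bin = 0; // private bin directory
+int arg_private_tmp = 0; // private tmp directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist commad
 int arg_nosound = 0; // disable sound
@@ -922,7 +923,7 @@ int main(int argc, char **argv) {
 			arg_private_dev = 1;
 		}
 		else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-			// extract private etc dirname
+			// extract private etc list
 			cfg.etc_private_keep = argv[i] + 14;
 			if (*cfg.etc_private_keep == '\0') {
 				fprintf(stderr, "Error: invalid private-etc option\n");
@@ -937,7 +938,7 @@ int main(int argc, char **argv) {
 			}
 		}
 		else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-			// extract private etc dirname
+			// extract private bin list
 			cfg.bin_private_keep = argv[i] + 14;
 			if (*cfg.bin_private_keep == '\0') {
 				fprintf(stderr, "Error: invalid private-bin option\n");
@@ -946,8 +947,9 @@ int main(int argc, char **argv) {
 			fs_check_bin_list();
 			arg_private_bin = 1;
 		}
-
-
+		else if (strcmp(argv[i], "--private-tmp") == 0) {
+			arg_private_tmp = 1;
+		}
 
 		//*************************************
 		// hostname, etc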
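Review bot: The new `--private-tmp` branch at new line 950 carries no comment on why an unprivileged user may request a tmpfs mount here, while the parent commit in the record above (`--tmpfs allowd only as root user`) restricted `--tmpfs` to root. Presumably the difference is that the mount target is hard-wired to /tmp rather than chosen by the caller, but that reasoning is not visible in this hunk and the two options will look contradictory to the next reader. I would add `// target is fixed to /tmp, so unlike --tmpfs this is allowed for non-root users` above line 951, after confirming that is indeed the rationale. The body of main continues outside the hunk.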
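--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -143,6 +143,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_private_dev = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "private-tmp") == 0) {
+		arg_private_tmp = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "nogroups") == 0) {
 		arg_nogroups = 1;
 		return 0;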
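--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -426,6 +426,8 @@ int sandbox(void* sandbox_arg) {
 	}
 	if (arg_private_bin)
 		fs_private_bin_list();
+	if (arg_private_tmp)
+		fs_private_tmp();
 
 	//****************************
 	// apply the profile file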
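--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -230,6 +230,8 @@ void usage(void) {
 	printf("\t\tfilesystem, and copy the files and directories in the list.\n");
 	printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n");
 
+	printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n");
+
 	printf("\t--profile=filename - use a custom profile.\n\n");
 	printf("\t--profile-path=directory - use this directory to look for profile files.\n\n");
 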
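--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -139,13 +139,13 @@ Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
 closed.
 .TP
+\fBprivate directory
+Use directory as user home.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
-\fBprivate directory
-Use directory as user home.
-.TP
 \fBprivate-home file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
@@ -160,6 +160,9 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-tmp
+Mount an empty temporary filesystem on top of /tmp directory.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded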
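--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1004,6 +1004,17 @@ Example:
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
 nsswitch.conf,passwd,resolv.conf
+
+.TP
+\fB\-\-private-tmp
+Mount an empty temporary filesystem on top of /tmp directory.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private-tmp
+
 .TP
 \fB\-\-profile=filename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.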