authorLibravatar netblue30 <netblue30@yahoo.com>2020-10-27 09:35:41 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2020-10-27 09:35:41 -0400
commit64a8d6a7f771e6457f7998335a8b88d60fe2b6ab (patch)
tree709362b9b7465f371dc82c3c014ef1a3140c6309 /src
parentRemove redundant read-only item (#3703) (diff)
downloadfirejail-64a8d6a7f771e6457f7998335a8b88d60fe2b6ab.tar.gz
firejail-64a8d6a7f771e6457f7998335a8b88d60fe2b6ab.tar.zst
firejail-64a8d6a7f771e6457f7998335a8b88d60fe2b6ab.zip
compile time option to disable --private-cache and --tmpfs for regular user
Diffstat (limited to 'src')
-rw-r--r--src/common.mk.in3
-rw-r--r--src/firejail/checkcfg.c8
-rw-r--r--src/firejail/fs.c4
-rw-r--r--src/firejail/main.c2
-rw-r--r--src/firejail/profile.c8
-rw-r--r--src/firejail/sandbox.c2
6 files changed, 24 insertions, 3 deletions
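diff --git a/src/common.mk.in b/src/common.mk.in
index c9ef455ed..b8a13cd1b 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -24,6 +24,7 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -33,7 +34,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread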
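diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index a0aa3138a..085221464 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -351,6 +351,14 @@ void print_compiletime_support(void) {
 #endif
 	);
 
+	printf("\t- private-cache and tmpfs as user %s\n",
+#ifdef HAVE_USERTMPFS
+		"enabled"
+#else
+		"disabled"
+#endif
+	);
+
 	printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
 		"enabled"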
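diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 2f2bfdc79..76ec102c3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 	}
 	else if (op == MOUNT_TMPFS) {
 		if (S_ISDIR(s.st_mode)) {
-			fs_tmpfs(fname, 0);
+			fs_tmpfs(fname, getuid());
 			last_disable = SUCCESSFUL;
 		}
 		else
@@ -451,7 +451,7 @@ void fs_blacklist(void) {
 void fs_tmpfs(const char *dir, unsigned check_owner) {
 	assert(dir);
 	if (arg_debug)
-		printf("Mounting tmpfs on %s\n", dir);
+		printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
 	// get a file descriptor for dir, fails if there is any symlink
 	int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 	if (fd == -1)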
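Review bot: In the first hunk, `fs_tmpfs(fname, getuid())` makes uid 0 double as the "skip the owner check" value — the debug line added in the second hunk prints `check owner: no` whenever check_owner is 0 — so the check is skipped exactly when the sandbox is started by root, which is presumably the intent but is invisible at the call site. I would annotate the call: `// profile 'tmpfs' dirs must be owned by the invoking user; 0 (root) disables the check`. The ownership test itself lies in the part of fs_tmpfs after this hunk, so I can only note that in HAVE_USERTMPFS builds it appears to be the sole barrier against a user mounting a writable tmpfs over a system directory inside the sandbox; it should refuse rather than warn on a mismatch, and decide on the fd obtained from safe_fd rather than on the earlier stat in disable_file. Both disable_file and fs_tmpfs start or end outside these hunks.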
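diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0d67c2a64..b4c9ee294 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2000,12 +2000,14 @@ int main(int argc, char **argv, char **envp) {
 		else if (strcmp(argv[i], "--private-tmp") == 0) {
 			arg_private_tmp = 1;
 		}
+#ifdef HAVE_USERTMPFS
 		else if (strcmp(argv[i], "--private-cache") == 0) {
 			if (checkcfg(CFG_PRIVATE_CACHE))
 				arg_private_cache = 1;
 			else
 				exit_err_feature("private-cache");
 		}
+#endif
 		else if (strcmp(argv[i], "--private-cwd") == 0) {
 			cfg.cwd = NULL;
 			arg_private_cwd = 1;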
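Review bot: Wrapping the entire `--private-cache` branch in `#ifdef HAVE_USERTMPFS` removes the option for root as well, whereas the commit title says "for regular user" and the `tmpfs` handling in profile.c in this same commit gates on `getuid() != 0`; in a build without the flag, `--private-cache` presumably falls through to the generic unknown-option handling outside this hunk, so the user gets no message saying why the option is gone. If root is meant to keep the feature, gate on the real uid here the same way, and the matching `#ifdef` around the arg_private_cache block in sandbox.c would then go as well. If disabling it for everyone is intended, the commit title should say so. main() continues outside the hunk on both sides.

```c
		else if (strcmp(argv[i], "--private-cache") == 0) {
#ifndef HAVE_USERTMPFS
			if (getuid() != 0) {
				fprintf(stderr, "Error: private-cache available only when running the sandbox as root\n");
				exit(1);
			}
#endif
			// … unchanged: checkcfg(CFG_PRIVATE_CACHE) / exit_err_feature handling …
		}
```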
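diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 869183e2f..4942f99ff 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -383,10 +383,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	else if (strcmp(ptr, "private-cache") == 0) {
+#ifdef HAVE_USERTMPFS
 		if (checkcfg(CFG_PRIVATE_CACHE))
 			arg_private_cache = 1;
 		else
 			warning_feature_disabled("private-cache");
+#endif
 		return 0;
 	}
 	else if (strcmp(ptr, "private-dev") == 0) {
@@ -1570,6 +1572,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	else if (strncmp(ptr, "noexec ", 7) == 0)
 		ptr += 7;
 	else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+#ifndef HAVE_USERTMPFS
+		if (getuid() != 0) {
+			fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+			exit(1);
+		}
+#endif
 		ptr += 6;
 	}
 	else {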
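Review bot: In the first hunk, a `private-cache` line in a profile is silently accepted and ignored when HAVE_USERTMPFS is not defined — the `#ifdef` drops both the assignment and the warning and the function still returns 0 — so someone reading a profile that asks for cache isolation gets no sign that the sandbox runs without it, while the same build-time decision for `tmpfs` in the second hunk is at least reported. I would add an `#else` branch that says so, e.g. `#else` / `fwarning("private-cache is not available in this build, ignoring\n");` (fwarning being the helper sandbox.c uses for the chroot case). For the second hunk, the error could carry the profile location the function already receives, `"Error: %s:%d: tmpfs available only when running the sandbox as root\n", fname, lineno`, guarded if fname can be NULL when the line originates from the command line; using `getuid()` (the real uid) rather than `geteuid()` looks right for a setuid-root binary. profile_check_line begins and ends outside both hunks.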
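diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3e8dbe5d9..8bfe76603 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -921,6 +921,7 @@ int sandbox(void* sandbox_arg) {
 		}
 	}
 
+#ifdef HAVE_USERTMPFS
 	if (arg_private_cache) {
 		if (cfg.chrootdir)
 			fwarning("private-cache feature is disabled in chroot\n");
@@ -929,6 +930,7 @@ int sandbox(void* sandbox_arg) {
 		else
 			fs_private_cache();
 	}
+#endif
 
 	if (arg_private_tmp) {
 		// private-tmp is implemented as a whitelist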