overlay etc.

4 files changed, 54 insertions, 46 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9a7f89a4a..633935108 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -326,6 +326,7 @@ void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
 // mount overlayfs on top of / directory
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 484b99537..63ffa8bff 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -814,6 +814,44 @@ void fs_basic_fs(void) {
 }
 
 
+
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+        // create ~/.firejail directory
+        struct stat s;
+        char *dirname;
+        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (stat(dirname, &s) == -1) {
+                /* coverity[toctou] */
+                if (mkdir(dirname, 0700))
+                        errExit("mkdir");
+                if (chown(dirname, getuid(), getgid()) < 0)
+                        errExit("chown");
+                if (chmod(dirname, 0700) < 0)
+                        errExit("chmod");
+        }
+        else if (is_link(dirname)) {
+                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                exit(1);
+        }
+
+        free(dirname);
+
+        // check overlay directory
+        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+                errExit("asprintf");
+        if (allow_reuse == 0) {
+                if (stat(dirname, &s) == 0) {
+                        fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+                        exit(1);
+                }
+        }
+
+        return dirname;
+}
+
+
+
 // mount overlayfs on top of / directory
 // mounting an overlay and chrooting into it:
 //
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1fa68e2f4..4946db2bd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -704,41 +704,6 @@ static void delete_x11_file(pid_t pid) {
         free(fname);
 }
 
-static char *create_and_check_overlay_dir(const char *subdirname, int allow_reuse) {
-        // create ~/.firejail directory
-        struct stat s;
-        char *dirname;
-        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (stat(dirname, &s) == -1) {
-                /* coverity[toctou] */
-                if (mkdir(dirname, 0700))
-                        errExit("mkdir");
-                if (chown(dirname, getuid(), getgid()) < 0)
-                        errExit("chown");
-                if (chmod(dirname, 0700) < 0)
-                        errExit("chmod");
-        }
-        else if (is_link(dirname)) {
-                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
-                exit(1);
-        }
-
-        free(dirname);
-
-        // check overlay directory
-        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
-                errExit("asprintf");
-        if (allow_reuse == 0) {
-                if (stat(dirname, &s) == 0) {
-                        fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
-                        exit(1);
-                }
-        }
-
-        return dirname;
-}
-
 static void detect_quiet(int argc, char **argv) {
         int i;
         
@@ -1329,7 +1294,7 @@ int main(int argc, char **argv) {
                         char *subdirname;
                         if (asprintf(&subdirname, "%d", getpid()) == -1)
                                 errExit("asprintf");
-                        cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse);
+                        cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
 
                         free(subdirname);
                 }
@@ -1352,7 +1317,7 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: invalid overlay option\n");
                                 exit(1);
                         }
-                        cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse);
+                        cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
                 }
                 else if (strncmp(argv[i], "--overlay-path=", 15) == 0) {
                         if (cfg.chrootdir) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3cc9a8401..732d14624 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -994,12 +994,13 @@ $ ls -l sandboxlog*
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail/<PID> directory. This option is not available on Grsecurity systems.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1012,12 +1013,13 @@ $ firejail \-\-overlay firefox
 Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
-sessions. This option is not available on Grsecurity systems.
+sessions.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1030,12 +1032,12 @@ $ firejail \-\-overlay-named=jail1 firefox
 Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 The overlay is stored in the specified path. The created overlay can be reused between multiple sessions.
-This option is not available on Grsecurity systems.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1046,12 +1048,13 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
+and are discarded when the sandbox is closed.
 .br
 
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -1061,7 +1064,8 @@ $ firejail \-\-overlay-tmpfs firefox
 
 .TP
 \fB\-\-overlay-clean
-Clean all overlays stored in $HOME/.firejail directory.
+Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path
+outside $HOME/.firejail will not be deleted.
 .br
 
 .br