author | root <root@debian> | 2016-01-25 14:58:27 -0500 |
---|---|---|
committer | root <root@debian> | 2016-01-25 14:58:27 -0500 |
commit | 678cd1495457318dad39178bb646ba1b96332ddb (patch) | |
tree | 45c5396447d0b42d1a6cd224b24c34ca5744c961 /src | |
parent | testing (diff) | |
--tmpfs allowd only as root user
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/profile.c | 7 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
4 files changed, 11 insertions, 5 deletions
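--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -417,8 +417,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strncmp(ptr, "read-only ", 10) == 0)
 ptr += 10;
-else if (strncmp(ptr, "tmpfs ", 6) == 0)
+else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+exit(1);
+}
 ptr += 6;
+}
 else {
 if (lineno == 0)
 fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);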
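Review bot: The root-only restriction on `tmpfs` is enforced only in this parser branch of `profile_check_line`, so it holds only if every route to the tmpfs mount passes through here. The `lineno == 0` branch just below suggests command-line options do, but the mount code is not part of this commit; repeating the `getuid() != 0` test where the mount is performed would keep the restriction from depending on the parser alone. The new error also drops the context the neighbouring message gives: when `lineno != 0` it could name the profile, e.g. `fprintf(stderr, "Error: line %d in %s: tmpfs available only when running the sandbox as root\n", lineno, fname);`. A short comment such as `// getuid() is the real UID of the invoking user; tmpfs over an arbitrary directory is limited to root` would record why the check exists. The function starts and ends outside the hunk.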
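--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -291,7 +291,8 @@ void usage(void) {
 printf("\t--shell=program - set default user shell.\n\n");
 printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n");
 printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n");
-printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
+printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
+printf("\t\tThis option is available only when running the sandbox as root.\n\n");
 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
 printf("\t--trace - trace open, access and connect system calls.\n\n");
 printf("\t--tracelog - add a syslog message for every access to files or\n");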
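--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -126,7 +126,7 @@ blacklist ${HOME}/.ssh
 Make directory or file read-only.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory.
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.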
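--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1348,13 +1348,13 @@ $ firejail \-\-list
 $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
-Mount a tmpfs filesystem on directory dirname.
+Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-tmpfs=/var
+# firejail \-\-tmpfs=/var
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.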