--tmpfs allowd only as root user

author: root <root@debian> 2016-01-25 14:58:27 -0500
committer: root <root@debian> 2016-01-25 14:58:27 -0500
commit: 678cd1495457318dad39178bb646ba1b96332ddb (patch)
tree: 45c5396447d0b42d1a6cd224b24c34ca5744c961 /src
parent: testing (diff)
download: firejail-678cd1495457318dad39178bb646ba1b96332ddb.tar.gz
firejail-678cd1495457318dad39178bb646ba1b96332ddb.tar.zst
firejail-678cd1495457318dad39178bb646ba1b96332ddb.zip
4 files changed, 11 insertions, 5 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2d7b07c6d..5a0e9b727 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -417,8 +417,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        else if (strncmp(ptr, "read-only ", 10) == 0)
                ptr += 10;
-        else if (strncmp(ptr, "tmpfs ", 6) == 0)
+        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+                if (getuid() != 0) {
+                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+                        exit(1);
+                }
                ptr += 6;
+        }
        else {
                if (lineno == 0)
                        fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6a033b922..531eba379 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -291,7 +291,8 @@ void usage(void) {
        printf("\t--shell=program - set default user shell.\n\n");
        printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n");
        printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n");
-        printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
+        printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
+        printf("\t\tThis option is available only when running the sandbox as root.\n\n");
        printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
        printf("\t--trace - trace open, access and connect system calls.\n\n");
        printf("\t--tracelog - add a syslog message for every access to files or\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e91c5c089..2f17c3088 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -126,7 +126,7 @@ blacklist ${HOME}/.ssh
 Make directory or file read-only.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory.
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ef65530db..43572bb4b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1348,13 +1348,13 @@ $ firejail \-\-list
 $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
-Mount a tmpfs filesystem on directory dirname.
+Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
 .br
 .br
 Example:
 .br
-$ firejail \-\-tmpfs=/var
+# firejail \-\-tmpfs=/var
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
author	root <root@debian>	2016-01-25 14:58:27 -0500
committer	root <root@debian>	2016-01-25 14:58:27 -0500
commit	678cd1495457318dad39178bb646ba1b96332ddb (patch)
tree	45c5396447d0b42d1a6cd224b24c34ca5744c961 /src
parent	testing (diff)
download	firejail-678cd1495457318dad39178bb646ba1b96332ddb.tar.gz firejail-678cd1495457318dad39178bb646ba1b96332ddb.tar.zst firejail-678cd1495457318dad39178bb646ba1b96332ddb.zip