-rw-r--r--src/firejail/fs_home.c23
-rw-r--r--src/firejail/main.c13
-rw-r--r--src/firejail/usage.c3
-rw-r--r--src/man/firejail.txt12
4 files changed, 44 insertions, 7 deletions
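--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -355,11 +355,22 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s
 	struct stat s;
 	// don't copy it if we already have the file
 	if (stat(dest, &s) == 0)
-		return 0;
+		return(0);
 	if (stat(path, &s) == 0) {
-		if (copy_file(path, dest) == 0) {
-			if (chown(dest, u, g) == -1)
-				errExit("chown");
+		if(ftype == FTW_F) {
+			if (copy_file(path, dest) == 0) {
+				if (arg_debug)
+					printf("copy from %s to %s\n", path, dest);
+				if (chown(dest, u, g) == -1)
+					errExit("chown");
+				fs_logger2("clone", path);
+			}
+		}
+		else if(ftype == FTW_D) {
+			if (mkdir(dest, s.st_mode) == -1)
+				errExit("mkdir");
+			if (arg_debug)
+				printf("copy from %s to %s\n", path, dest);
 			fs_logger2("clone", path);
 		}
 	}
@@ -369,11 +380,13 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s
 }
 
 void fs_private_template(void) {
+
 	fs_private();
-	if(!nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS)) {
+	if(nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS) != 0) {
 		fprintf(stderr, "Error: unable to copy template dir\n");
 		exit(1);
 	}
+
 }
 
 // check new private home directory (--private= option) - exit if it fails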
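Review bot: In the new FTW_D branch of fs_copydir (first hunk), the directory created by `mkdir(dest, s.st_mode)` is never handed over to the target user, while the FTW_F branch runs `chown(dest, u, g)` on every copied file; if this code executes with elevated privileges, as the chown to u/g suggests, copied subdirectories stay owned by the caller and the sandboxed user cannot write into them. Add `if (chown(dest, u, g) == -1) errExit("chown");` after the mkdir error check so both branches agree. Note also that `stat(path, &s)` and `copy_file(path, dest)` re-resolve a path nftw already classified (FTW_PHYS uses lstat, stat follows links) under a template root chosen by the user via cfg.private_template, so the source should be opened with O_NOFOLLOW inside copy_file or the copy performed with the invoking user's privileges to keep the classification and the copy consistent. A failing copy_file is silently skipped and the walk continues, so a partially populated home is reported as success; returning non-zero from the callback would make fs_private_template's error path fire. fs_copydir's signature and the setup of dest, u and g lie outside the hunk.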
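--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1349,9 +1349,18 @@ int main(int argc, char **argv) {
 		else if (strcmp(argv[i], "--writable-var") == 0) {
 			arg_writable_var = 1;
 		}
-		else if (strcmp(argv[i], "--private") == 0)
+		else if (strcmp(argv[i], "--private") == 0) {
+			if (arg_private_template) {
+				fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
+				exit(1);
+			}
 			arg_private = 1;
+		}
 		else if (strncmp(argv[i], "--private=", 10) == 0) {
+			if (arg_private_template) {
+				fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
+				exit(1);
+			}
 			// extract private home dirname
 			cfg.home_private = argv[i] + 10;
 			if (*cfg.home_private == '\0') {
@@ -1362,7 +1371,7 @@ int main(int argc, char **argv) {
 			arg_private = 1;
 		}
 		else if (strncmp(argv[i], "--private-template=", 19) == 0) {
-			cfg.private_template = argv[i] + 14;
+			cfg.private_template = argv[i] + 19;
 			if (arg_private) {
 				fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
 				exit(1);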
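Review bot: The `--private-template=` branch in the second hunk stores `argv[i] + 19` without checking that the value is non-empty, whereas the `--private=` branch in the first hunk rejects an empty `cfg.home_private` with `if (*cfg.home_private == '\0')`; an empty template path only surfaces later as the generic "unable to copy template dir" failure. Mirror that check directly after the assignment: `if (*cfg.private_template == '\0') { fprintf(stderr, "Error: invalid private template directory\n"); exit(1); }`. Since the template directory is walked and copied by fs_private_template (fs_home.c in this commit), it should also be validated the way --private= directories are (existence, directory type, ownership) before use; whether such a check already exists elsewhere for private_template is not visible here. The identical mutual-exclusion message now appears three times in this function, so a single static helper or shared string constant would keep them in sync. main() continues well beyond both hunks.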
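--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -189,6 +189,9 @@ void usage(void) {
 	printf("\tclosed.\n\n");
 	printf(" --private=directory - use directory as user home.\n\n");
 
+	printf(" --private-template=directory - same as --private but copy the\n");
+	printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n");
+
 	printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
 	printf("\tand copy the programs in the list.\n\n");
 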
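Review bot: The new help line at 193 prints `templatedirectory` as a single word, so the output reads "copy the templatedirectory in the tmpfs mounted user home"; the option is documented as `--private-template=directory` on the preceding line, so the intended text appears to be `printf("\ttemplate directory in the tmpfs mounted user home.\n\n");`. The surrounding usage() body continues outside the hunk.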
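--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1045,6 +1045,18 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 
 .TP
+\fB\-\-private-template=templatedir
+Mount new /root and /home/user directories in temporary
+filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is
+closed.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox
+
+.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 If no listed file is found, /bin directory will be empty.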