6 files changed, 60 insertions, 16 deletions
diff --git a/README b/README
index 06680e0b4..3ea3e8d1f 100644
--- a/README
+++ b/README
@@ -37,6 +37,7 @@ Maintainer:
 Committers
 - chiraag-nataraj (https://github.com/chiraag-nataraj)
 - crass (https://github.com/crass)
+- curiosityseeker (https://github.com/curiosityseeker)
 - glitsj16 (https://github.com/glitsj16)
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Kristóf Marussy (https://github.com/kris7t)
diff --git a/RELNOTES b/RELNOTES
index 7cad9c257..cae2518bc 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,9 +7,10 @@ firejail (0.9.63) baseline; urgency=low
    /etc/firejail/firejail.config file.
  * DHCP client support
  * SELinux labeling support
-  * 32-bit seccomp filter
+  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in serveral profiles
  * whitelist globbing
+  * mkdir and mkfile support for /run/user directory
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index eb660df90..0e213f2f8 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,22 @@
 #include <sys/wait.h>
 #include <string.h>
+static void check(const char *fname) {
+        // manufacture /run/user directory
+        char *runuser;
+        if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+                errExit("asprintf");
+        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+            strncmp(fname, "/tmp", 4) != 0 &&
+            strncmp(fname, runuser, strlen(runuser)) != 0) {
+                fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+                exit(1);
+        }
+        free(runuser);
+}
 static void mkdir_recursive(char *path) {
        char *subdir = NULL;
        struct stat s;
@@ -61,11 +77,7 @@ void fs_mkdir(const char *name) {
        // check directory name
        invalid_filename(name, 0); // no globbing
        char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+        check(expanded); // will exit if wrong path
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-                exit(1);
-        }
        struct stat s;
        if (stat(expanded, &s) == 0) {
@@ -101,11 +113,7 @@ void fs_mkfile(const char *name) {
        // check file name
        invalid_filename(name, 0); // no globbing
        char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+        check(expanded); // will exit if wrong path
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-                exit(1);
-        }
        struct stat s;
        if (stat(expanded, &s) == 0) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6405fd301..df2d2a2e8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -211,7 +211,7 @@ Disable /mnt, /media, /run/mount and /run/media access.
 /var/tmp directory is untouched.
 .TP
 \fBmkdir directory
-Create a directory in user home or under /tmp before the sandbox is started.
+Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started.
 The directory is created if it doesn't already exist.
 .br
@@ -230,10 +230,18 @@ whitelist ~/.mozilla
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
+.br
+.br
+For files in /run/user/<PID> use ${RUNUSER} macro:
+.br
+.br
+mkdir ${RUNUSER}/firejail-testing
 .TP
 \fBmkfile file
-Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started.
+Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID>
-The file is created if it doesn't already exist.
+before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
index 8a7ac9d97..59005e1a2 100755
--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -17,10 +17,32 @@ expect {
 send -- "rm -rf ~/.firejail_test\r"
 after 100
+send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 2.3\n";exit}
+        "/tmp/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /tmp/.firejail_test\r"
+after 100
+set UID [exec id -u]
+send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 3.3\n";exit}
+        "/run/user/$UID/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /run/user/$UID/.firejail_test\r"
+after 100
 send -- "firejail --profile=mkdir2.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "only directories in user home or /tmp"
+        "only files or directories in user home, /tmp, or /run/user/<UID>"
 }
 after 100
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
index 61b44c9ac..35c27c872 100644
--- a/test/fs/mkdir.profile
+++ b/test/fs/mkdir.profile
@@ -1,2 +1,6 @@
 mkdir ~/.firejail_test/a/b/c
 mkfile ~/.firejail_test/a/b/c/d.txt
+mkdir /tmp/.firejail_test/a/b/c
+mkfile /tmp/.firejail_test/a/b/c/d.txt
+mkdir ${RUNUSER}/.firejail_test/a/b/c
+mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt