-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 |
6 files changed, 23 insertions, 2 deletions
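--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -47,6 +47,9 @@
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable or disable private-cache feature, default enabled
+# private-cache yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 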
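--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -155,6 +155,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// private cache directory
+else if (strncmp(ptr, "private-cache ", 14) == 0) {
+if (strcmp(ptr + 14, "yes") == 0)
+cfg_val[CFG_PRIVATE_CACHE] = 1;
+else if (strcmp(ptr + 14, "no") == 0)
+cfg_val[CFG_PRIVATE_CACHE] = 0;
+else
+goto errout;
+}
 // quiet by default
 else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)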
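--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -660,6 +660,7 @@ enum {
 CFG_FORCE_NONEWPRIVS,
 CFG_JOIN,
 CFG_NETWORK,
+CFG_PRIVATE_CACHE,
 CFG_RESTRICTED_NETWORK,
 CFG_SECCOMP,
 CFG_USERNS,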
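--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -845,6 +845,8 @@ void fs_private_cache(void) {
 return;
 }
 
+if (arg_debug)
+printf("Mounting tmpfs on %s\n", cache);
 // get a file descriptor for ~/.cache, fails if there is any symlink
 int fd = safe_fd(cache, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 if (fd == -1)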
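Review bot: The new debug line `printf("Mounting tmpfs on %s\n", cache);` is printed before `safe_fd()` has confirmed that the cache path contains no symlink, so the debug trace announces a mount on a path that the next check may still reject. Moving the two added lines below the `if (fd == -1)` handling would make the trace reflect what was actually done, which matters when the output is used to diagnose a sandbox that did not isolate ~/.cache. The body of fs_private_cache, including the `fd == -1` branch and the mount itself, continues outside the hunk, so how that failure is handled cannot be seen here.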
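--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1114,7 +1114,10 @@ int main(int argc, char **argv) {
 arg_private_tmp = 1;
 }
 else if (strcmp(argv[i], "--private-cache") == 0) {
-arg_private_cache = 1;
+if (checkcfg(CFG_PRIVATE_CACHE))
+arg_private_cache = 1;
+else
+exit_err_feature("private-cache");
 }
 
 //*************************************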
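--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -196,7 +196,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "private-cache") == 0) {
-arg_private_cache = 1;
+if (checkcfg(CFG_PRIVATE_CACHE))
+arg_private_cache = 1;
+else
+warning_feature_disabled("private-cache");
 return 0;
 }
 else if (strcmp(ptr, "private-dev") == 0) {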
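Review bot: When private-cache is switched off in firejail.config, the new `else` branch only calls `warning_feature_disabled("private-cache")` and returns 0, so a profile that asks for a private ~/.cache still starts the sandbox with `arg_private_cache` unset. The `--private-cache` branch in main.c instead stops with `exit_err_feature`. If the softer profile behaviour is intended, I would say so at the branch with a comment such as `// disabled in firejail.config: the profile line is ignored and the sandbox runs without a private ~/.cache`. The same consequence belongs in the etc/firejail.config entry, because an administrator who disables the option removes that isolation from every profile that relies on it. Whether the warning is still shown when quiet mode is active cannot be seen from this hunk; profile_check_line begins and ends outside it.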