-rw-r--r-- | etc/disable-secret.inc | 1 | ||||
-rw-r--r-- | src/firejail/profile.c | 7 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/invalid_filename.exp | 14 | ||||
-rwxr-xr-x | test/option_tmpfs.exp | 22 | ||||
-rwxr-xr-x | test/test-root.sh | 3 | ||||
-rwxr-xr-x | test/test.sh | 3 |
9 files changed, 34 insertions, 25 deletions
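--- a/etc/disable-secret.inc
+++ b/etc/disable-secret.inc
@@ -1,6 +1,5 @@
 # HOME directory
 blacklist ${HOME}/.ssh
-tmpfs ${HOME}/.gnome2_private
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet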
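--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -417,8 +417,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strncmp(ptr, "read-only ", 10) == 0)
 ptr += 10;
-else if (strncmp(ptr, "tmpfs ", 6) == 0)
+else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+exit(1);
+}
 ptr += 6;
+}
 else {
 if (lineno == 0)
 fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);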
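Review bot: The refusal added in the `tmpfs ` branch is a hard `exit(1)` for every non-root caller, and the one shipped use visible in this commit, `tmpfs ${HOME}/.gnome2_private` in etc/disable-secret.inc, is deleted rather than replaced, so that directory is no longer hidden from sandboxed programs. If hiding it is still wanted, `blacklist ${HOME}/.gnome2_private` would restore the cover without tmpfs, although it denies access instead of presenting an empty directory, so the applications that use it need checking. The message also gives no location even though `lineno` and `fname` are in scope, so a user whose own profile contains a `tmpfs` line is not told which file to fix; for `lineno != 0` something like `fprintf(stderr, "Error: line %d in %s: tmpfs available only when running the sandbox as root\n", lineno, fname);` would help. `getuid()` tests the real uid, which is the right identity to check if the binary is installed setuid. profile_check_line starts and ends outside the hunk.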
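--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -291,7 +291,8 @@ void usage(void) {
 printf("\t--shell=program - set default user shell.\n\n");
 printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n");
 printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n");
-printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
+printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
+printf("\t\tThis option is available only when running the sandbox as root.\n\n");
 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
 printf("\t--trace - trace open, access and connect system calls.\n\n");
 printf("\t--tracelog - add a syslog message for every access to files or\n");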
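--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -126,7 +126,7 @@ blacklist ${HOME}/.ssh
 Make directory or file read-only.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory.
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.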
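--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1348,13 +1348,13 @@ $ firejail \-\-list
 $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
-Mount a tmpfs filesystem on directory dirname.
+Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-tmpfs=/var
+# firejail \-\-tmpfs=/var
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.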
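--- a/test/invalid_filename.exp
+++ b/test/invalid_filename.exp
@@ -200,20 +200,6 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
-expect {
-timeout {puts "TESTING ERROR 13.1\n";exit}
-"Checking filename bla&&bla"
-}
-expect {
-timeout {puts "TESTING ERROR 13.2\n";exit}
-"Error:"
-}
-expect {
-timeout {puts "TESTING ERROR 13.3\n";exit}
-"is an invalid filename"
-}
-after 100
 
 send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r"
 expect {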
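--- a/test/option_tmpfs.exp
+++ b/test/option_tmpfs.exp
@@ -18,9 +18,27 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
-"home"
+"/root"
 }
 sleep 1
+send -- "exit\r"
+sleep 2
 
-puts "\n"
+send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
+expect {
+timeout {puts "TESTING ERROR 13.1\n";exit}
+"Checking filename bla&&bla"
+}
+expect {
+timeout {puts "TESTING ERROR 13.2\n";exit}
+"Error:"
+}
+expect {
+timeout {puts "TESTING ERROR 13.3\n";exit}
+"is an invalid filename"
+}
+after 100
+
+
+puts "\nalldone\n"
 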
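Review bot: Neither this script nor the two runner changes add a case that runs `--tmpfs` as an unprivileged user and expects the new refusal, so the restriction added in src/firejail/profile.c is untested. This script is now run only from test-root.sh, and test.sh simply drops its tmpfs entry. A short non-root script that sends a `--tmpfs` command line and waits for `"tmpfs available only when running the sandbox as root"` would pin the behaviour. It would also show whether the command-line path, which this commit does not touch, reaches the same check as profile lines. The relocated block keeps its `TESTING ERROR 13.x` labels from invalid_filename.exp next to this file's `TESTING ERROR 2`, so renumbering them would make a failure easier to place; the script itself starts before this hunk.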
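--- a/test/test-root.sh
+++ b/test/test-root.sh
@@ -2,6 +2,9 @@
 
 ./chk_config.exp
 
+echo "TESTING: tmpfs"
+./option_tmpfs.exp
+
 echo "TESTING: network interfaces"
 ./net_interface.exp
 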
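--- a/test/test.sh
+++ b/test/test.sh
@@ -110,9 +110,6 @@ echo "TESTING: firejail in firejail - force new sandbox"
 echo "TESTING: chroot overlay"
 ./option_chroot_overlay.exp
 
-echo "TESTING: tmpfs"
-./option_tmpfs.exp
-
 echo "TESTING: blacklist directory"
 ./option_blacklist.exp
 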