-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 13 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
3 files changed, 20 insertions, 0 deletions
@@ -35,6 +35,7 @@ firejail (0.9.45) baseline; urgency=low | |||
35 | * feature: implemented --noblacklist command, profile support | 35 | * feature: implemented --noblacklist command, profile support |
36 | * feature: config support to disable access to /mnt and /media (disable-mnt) | 36 | * feature: config support to disable access to /mnt and /media (disable-mnt) |
37 | * feature: allow tmpfs for regular users for files in home directory | 37 | * feature: allow tmpfs for regular users for files in home directory |
38 | * feature: mount a tmpfs on top of ~/.cache directory by default | ||
38 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 39 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
39 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 40 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
40 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 41 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
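--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -237,6 +237,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
+printf("here: start fs_blacklist\n");
 char *homedir = cfg.homedir;
 assert(homedir);
 ProfileEntry *entry = cfg.profile;
@@ -479,8 +480,19 @@ void fs_mnt(void) {
 disable_file(BLACKLIST_FILE, "//run/media");
 }
 
+
+void fs_cache(void) {
+printf("here: deploy ~/.cache tmpfs\n");
+char *cache;
+if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
+errExit("asprintf");
+disable_file(MOUNT_TMPFS, cache);
+free(cache);
+}
+
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
+printf("here: fs_proc_sys_boot\n");
 if (arg_debug)
 printf("Remounting /proc and /proc/sys filesystems\n");
 if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
@@ -618,6 +630,7 @@ static void disable_config(void) {
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
+printf("here: start fs_basic_fs\n");
 uid_t uid = getuid();
 
 if (arg_debug)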
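Review bot: fs_cache() passes `cfg.homedir/.cache` straight to `disable_file(MOUNT_TMPFS, cache)`, and that path is controlled by the unprivileged user while the mount is presumably performed with elevated privileges. disable_file() is not visible in this diff, so confirm that it refuses a `.cache` that is a symlink or resolves outside the home directory, and that the resulting tmpfs is writable by the user rather than root-owned; otherwise add that check in fs_cache() before the call. fs_cache() also lacks the `assert(cfg.homedir);` guard that fs_blacklist() applies to the same field. Separately, the `printf("here: ...")` lines added in fs_blacklist(), fs_cache(), fs_proc_sys_dev_boot() and fs_basic_fs() write to stdout unconditionally on every sandbox start; drop them or gate them with `if (arg_debug)` as the neighbouring code does.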
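--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -771,6 +771,12 @@ int sandbox(void* sandbox_arg) {
 fs_mnt();
 
 //****************************
+// deploy a tmpfs on ~/.cache directory
+//****************************
+fs_cache();
+
+
+//****************************
 // apply the profile file
 //****************************
 // apply all whitelist commands ...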
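Review bot: The new `fs_cache();` call in sandbox() is unconditional, so every sandbox gets a tmpfs over ~/.cache and nothing in this diff adds an option or config key to keep the real directory. It also runs before the profile's whitelist commands are applied, so check how a profile that whitelists a path under ~/.cache interacts with the tmpfs mounted here. Consider guarding the call with a setting, along the lines of the disable-mnt config that RELNOTES lists for /mnt and /media. sandbox() starts and ends outside the hunk, so any enclosing conditions are not visible.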