-rw-r--r-- | src/firejail/fs.c | 33 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 5 |
3 files changed, 23 insertions, 17 deletions
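--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -171,21 +171,28 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_remount_rec(fname, op);
 }
 else if (op == MOUNT_TMPFS) {
-if (S_ISDIR(s.st_mode)) {
-if (getuid()) {
-if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-fname[strlen(cfg.homedir)] != '/') {
-fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode)) {
+fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+free(fname);
+return;
+}
+
+uid_t uid = getuid();
+if (uid != 0) {
+// only user owned directories in user home
+if (s.st_uid != uid ||
+strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+fname[strlen(cfg.homedir)] != '/') {
+fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+free(fname);
+return;
 }
-// fs_tmpfs returns with EUID 0
-fs_tmpfs(fname, getuid());
-selinux_relabel_path(fname, fname);
-EUID_USER();
 }
-else
-fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+fs_tmpfs(fname, uid);
+EUID_USER(); // fs_tmpfs returns with EUID 0
+
+selinux_relabel_path(fname, fname);
 }
 else
 assert(0);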
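Review bot: The non-root rejection path turns what used to be a hard failure (`fprintf(stderr, "Error: ..."); exit(1);`) into `fwarning(...); free(fname); return;`, so a profile whose `tmpfs` directive is refused now starts the sandbox without that mount instead of aborting; where a profile relies on the tmpfs to hide a directory's contents this is a silent loss of that protection and deserves either an explicit comment or a fatal error. I would add `// NOTE: refusal is non-fatal; the sandbox starts without this tmpfs` above the "you are not allowed" fwarning, or keep exit(1) for the not-owned/outside-home case. The ownership and $HOME-prefix checks read `s`, which is filled outside the hunk; if that stat() was done on the caller-supplied path rather than a canonicalized one, the check and the privileged `fs_tmpfs(fname, uid)` call operate on separate lookups, so it is worth confirming that fname is already resolved before this point. disable_file begins and ends outside the hunk.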
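--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.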
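--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2566,14 +2566,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.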