3 files changed, 11 insertions, 4 deletions

diff --git a/RELNOTES b/RELNOTES
index f38b42c4b..d9036898f 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,6 @@
+firejail (0.9.65) baseline; urgency=low
+  * allow --tmpfs inside $HOME for unprivileged users
+
 firejail (0.9.64) baseline; urgency=low
   * replaced --nowrap option with --wrap in firemon
   * The blocking action of seccomp filters has been changed from
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 2000ffc62..2f2bfdc79 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -366,6 +366,14 @@ void fs_blacklist(void) {
                 else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
                         ptr = entry->data + 6;
                         op = MOUNT_TMPFS;
+                        char *resolved_path = realpath(ptr, NULL);
+                        if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) {
+                                if (getuid() != 0) {
+                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+                                        exit(1);
+                                }
+                        }
+                        free(resolved_path);
                 }
                 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
                         EUID_USER();
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5d83e6a73..8ed187b20 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1563,10 +1563,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noexec ", 7) == 0)
                 ptr += 7;
         else if (strncmp(ptr, "tmpfs ", 6) == 0) {
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-                        exit(1);
-                }
                 ptr += 6;
         }
         else {