4 files changed, 23 insertions, 9 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d18cd112f..3e05591b8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -347,6 +347,7 @@ extern char *arg_netns;		// "ip netns"-created network namespace to use
 extern int arg_doubledash;      // double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
+extern int arg_keep_dev_shm;    // preserve /dev/shm
 extern int arg_private_etc;     // private etc directory
 extern int arg_private_opt;     // private opt directory
 extern int arg_private_srv;     // private srv directory
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 9e287bf27..ff525f0b9 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -171,12 +171,23 @@ static void empty_dev_shm(void) {
        fs_logger("create /dev/shm");
 }
+static void mount_dev_shm(void) {
+        mkdir_attr("/dev/shm", 01777, 0, 0);
+        int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
+        if (rv == -1) {
+                fwarning("cannot mount the old /dev/shm in private-dev\n");
+                dbg_test_dir(RUN_DEV_DIR "/shm");
+                empty_dev_shm();
+                return;
+        }
+}
 static void process_dev_shm(void) {
        // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
        // looking for jack socket
        glob_t globbuf;
        int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
-        if (globerr) {
+        if (globerr && !arg_keep_dev_shm) {
                empty_dev_shm();
                return;
        }
@@ -184,14 +195,8 @@ static void process_dev_shm(void) {
        // if we got here, it means we have a jack server installed
        // mount-bind the old /dev/shm
-        mkdir_attr("/dev/shm", 01777, 0, 0);
+        mount_dev_shm();
-        int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
-        if (rv == -1) {
-                fwarning("cannot mount the old /dev/shm in private-dev\n");
-                dbg_test_dir(RUN_DEV_DIR "/shm");
-                empty_dev_shm();
-                return;
-        }
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ce28c62da..9babb72de 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ char *arg_netns = NULL;			// "ip netns"-created network namespace to use
 int arg_doubledash = 0;                 // double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
+int arg_keep_dev_shm = 0;                       // preserve /dev/shm
 int arg_private_etc = 0;                        // private etc directory
 int arg_private_opt = 0;                        // private opt directory
 int arg_private_srv = 0;                        // private srv directory
@@ -1602,6 +1603,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--private-dev") == 0) {
                        arg_private_dev = 1;
                }
+                else if (strcmp(argv[i], "--keep-dev-shm") == 0) {
+                        arg_keep_dev_shm = 1;
+                }
                else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
                        if (arg_writable_etc) {
                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 7d03a7c34..88d27f09f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -221,6 +221,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_private_dev = 1;
                return 0;
        }
+        else if (strcmp(ptr, "keep-dev-shm") == 0) {
+                arg_keep_dev_shm = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "private-tmp") == 0) {
                arg_private_tmp = 1;
                return 0;

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d18cd112f..3e05591b8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -347,6 +347,7 @@ extern char *arg_netns; // "ip netns"-created network namespace to use
347	extern int arg_doubledash; // double dash	347	extern int arg_doubledash; // double dash
348	extern int arg_shell_none; // run the program directly without a shell	348	extern int arg_shell_none; // run the program directly without a shell
349	extern int arg_private_dev; // private dev directory	349	extern int arg_private_dev; // private dev directory
		350	extern int arg_keep_dev_shm; // preserve /dev/shm
350	extern int arg_private_etc; // private etc directory	351	extern int arg_private_etc; // private etc directory
351	extern int arg_private_opt; // private opt directory	352	extern int arg_private_opt; // private opt directory
352	extern int arg_private_srv; // private srv directory	353	extern int arg_private_srv; // private srv directory


diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 9e287bf27..ff525f0b9 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c
@@ -171,12 +171,23 @@ static void empty_dev_shm(void) {
171	fs_logger("create /dev/shm");	171	fs_logger("create /dev/shm");
172	}	172	}
173		173
		174	static void mount_dev_shm(void) {
		175	mkdir_attr("/dev/shm", 01777, 0, 0);
		176	int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
		177	if (rv == -1) {
		178	fwarning("cannot mount the old /dev/shm in private-dev\n");
		179	dbg_test_dir(RUN_DEV_DIR "/shm");
		180	empty_dev_shm();
		181	return;
		182	}
		183	}
		184
174	static void process_dev_shm(void) {	185	static void process_dev_shm(void) {
175	// Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)	186	// Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
176	// looking for jack socket	187	// looking for jack socket
177	glob_t globbuf;	188	glob_t globbuf;
178	int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);	189	int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
179	if (globerr) {	190	if (globerr && !arg_keep_dev_shm) {
180	empty_dev_shm();	191	empty_dev_shm();
181	return;	192	return;
182	}	193	}
@@ -184,14 +195,8 @@ static void process_dev_shm(void) {
184		195
185	// if we got here, it means we have a jack server installed	196	// if we got here, it means we have a jack server installed
186	// mount-bind the old /dev/shm	197	// mount-bind the old /dev/shm
187	mkdir_attr("/dev/shm", 01777, 0, 0);	198	mount_dev_shm();
188	int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");	199
189	if (rv == -1) {
190	fwarning("cannot mount the old /dev/shm in private-dev\n");
191	dbg_test_dir(RUN_DEV_DIR "/shm");
192	empty_dev_shm();
193	return;
194	}
195	}	200	}
196		201
197		202


diff --git a/src/firejail/main.c b/src/firejail/main.c index ce28c62da..9babb72de 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ char *arg_netns = NULL; // "ip netns"-created network namespace to use
85	int arg_doubledash = 0; // double dash	85	int arg_doubledash = 0; // double dash
86	int arg_shell_none = 0; // run the program directly without a shell	86	int arg_shell_none = 0; // run the program directly without a shell
87	int arg_private_dev = 0; // private dev directory	87	int arg_private_dev = 0; // private dev directory
		88	int arg_keep_dev_shm = 0; // preserve /dev/shm
88	int arg_private_etc = 0; // private etc directory	89	int arg_private_etc = 0; // private etc directory
89	int arg_private_opt = 0; // private opt directory	90	int arg_private_opt = 0; // private opt directory
90	int arg_private_srv = 0; // private srv directory	91	int arg_private_srv = 0; // private srv directory
@@ -1602,6 +1603,9 @@ int main(int argc, char **argv) {
1602	else if (strcmp(argv[i], "--private-dev") == 0) {	1603	else if (strcmp(argv[i], "--private-dev") == 0) {
1603	arg_private_dev = 1;	1604	arg_private_dev = 1;
1604	}	1605	}
		1606	else if (strcmp(argv[i], "--keep-dev-shm") == 0) {
		1607	arg_keep_dev_shm = 1;
		1608	}
1605	else if (strncmp(argv[i], "--private-etc=", 14) == 0) {	1609	else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
1606	if (arg_writable_etc) {	1610	if (arg_writable_etc) {
1607	fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");	1611	fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 7d03a7c34..88d27f09f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -221,6 +221,10 @@ int profile_check_line(char ptr, int lineno, const char fname) {
221	arg_private_dev = 1;	221	arg_private_dev = 1;
222	return 0;	222	return 0;
223	}	223	}
		224	else if (strcmp(ptr, "keep-dev-shm") == 0) {
		225	arg_keep_dev_shm = 1;
		226	return 0;
		227	}
224	else if (strcmp(ptr, "private-tmp") == 0) {	228	else if (strcmp(ptr, "private-tmp") == 0) {
225	arg_private_tmp = 1;	229	arg_private_tmp = 1;
226	return 0;	230	return 0;