5 files changed, 44 insertions, 0 deletions
diff --git a/RELNOTES b/RELNOTES
index 3d1004601..f93237d43 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.41) baseline; urgency=low
  * AppImage support (--appimage)
  * Sandbox auditing support (--audit)
  * include /dev/snd in --private-dev
+  * added mkfile profile command
  * compile time and run time support to disable whitelists
  * compile time support to disable global configuration file
  * some profiles have been converted to private-bin
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 24af41192..3d0e9a51b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -548,6 +548,7 @@ char **build_paths(void);
 // fs_mkdir.c
 void fs_mkdir(const char *name);
+void fs_mkfile(const char *name);
 // x11.c
 void fs_x11(void);
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 398c534bf..c4ce52079 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -48,3 +48,36 @@ void fs_mkdir(const char *name) {
 doexit:
        free(expanded);
 }       
+void fs_mkfile(const char *name) {
+        EUID_ASSERT();
+        
+        // check file name
+        invalid_filename(name);
+        char *expanded = expand_home(name, cfg.homedir);
+        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                fprintf(stderr, "Error: only files in user home are supported by mkfile\n");
+                exit(1);
+        }
+        struct stat s;
+        if (stat(expanded, &s) == 0) {
+                // file exists, do nothing
+                goto doexit;
+        }
+        // create file
+        FILE *fp = fopen(expanded, "w");
+        if (!fp)
+                fprintf(stderr, "Warning: cannot create %s file\n", expanded);
+        else {
+                fclose(fp);
+                int rv = chown(expanded, getuid(), getgid());
+                (void) rv;
+                rv = chmod(expanded, 0600);
+                (void) rv;
+        }
+doexit:
+        free(expanded);
+}
+\ No newline at end of file
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 040efea74..bb834bf19 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -107,6 +107,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                fs_mkdir(ptr + 6);
                return 0;
        }
+        // mkfile 
+        if (strncmp(ptr, "mkfile ", 7) == 0) {
+                fs_mkfile(ptr + 7);
+                return 0;
+        }
        // sandbox name
        else if (strncmp(ptr, "name ", 5) == 0) {
                cfg.name = ptr + 5;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index c2d5e7955..9c416b0f3 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -153,6 +153,10 @@ mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
 .TP
+\fBmkfile file
+Similar to mkdir, this command creates a file in user home before the sandbox is started.
+The file is created if it doesn't already exist.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is

diff --git a/RELNOTES b/RELNOTES index 3d1004601..f93237d43 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.41) baseline; urgency=low
3	* AppImage support (--appimage)	3	* AppImage support (--appimage)
4	* Sandbox auditing support (--audit)	4	* Sandbox auditing support (--audit)
5	* include /dev/snd in --private-dev	5	* include /dev/snd in --private-dev
		6	* added mkfile profile command
6	* compile time and run time support to disable whitelists	7	* compile time and run time support to disable whitelists
7	* compile time support to disable global configuration file	8	* compile time support to disable global configuration file
8	* some profiles have been converted to private-bin	9	* some profiles have been converted to private-bin


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 24af41192..3d0e9a51b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -548,6 +548,7 @@ char **build_paths(void);
548		548
549	// fs_mkdir.c	549	// fs_mkdir.c
550	void fs_mkdir(const char *name);	550	void fs_mkdir(const char *name);
		551	void fs_mkfile(const char *name);
551		552
552	// x11.c	553	// x11.c
553	void fs_x11(void);	554	void fs_x11(void);


diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 398c534bf..c4ce52079 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c
@@ -48,3 +48,36 @@ void fs_mkdir(const char *name) {
48	doexit:	48	doexit:
49	free(expanded);	49	free(expanded);
50	}	50	}
		51
		52	void fs_mkfile(const char *name) {
		53	EUID_ASSERT();
		54
		55	// check file name
		56	invalid_filename(name);
		57	char *expanded = expand_home(name, cfg.homedir);
		58	if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
		59	fprintf(stderr, "Error: only files in user home are supported by mkfile\n");
		60	exit(1);
		61	}
		62
		63	struct stat s;
		64	if (stat(expanded, &s) == 0) {
		65	// file exists, do nothing
		66	goto doexit;
		67	}
		68
		69	// create file
		70	FILE *fp = fopen(expanded, "w");
		71	if (!fp)
		72	fprintf(stderr, "Warning: cannot create %s file\n", expanded);
		73	else {
		74	fclose(fp);
		75	int rv = chown(expanded, getuid(), getgid());
		76	(void) rv;
		77	rv = chmod(expanded, 0600);
		78	(void) rv;
		79	}
		80
		81	doexit:
		82	free(expanded);
		83	} \ No newline at end of file


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 040efea74..bb834bf19 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -107,6 +107,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
107	fs_mkdir(ptr + 6);	107	fs_mkdir(ptr + 6);
108	return 0;	108	return 0;
109	}	109	}
		110	// mkfile
		111	if (strncmp(ptr, "mkfile ", 7) == 0) {
		112	fs_mkfile(ptr + 7);
		113	return 0;
		114	}
110	// sandbox name	115	// sandbox name
111	else if (strncmp(ptr, "name ", 5) == 0) {	116	else if (strncmp(ptr, "name ", 5) == 0) {
112	cfg.name = ptr + 5;	117	cfg.name = ptr + 5;


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c2d5e7955..9c416b0f3 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -153,6 +153,10 @@ mkdir ~/.cache/mozilla/firefox
153	.br	153	.br
154	whitelist ~/.cache/mozilla/firefox	154	whitelist ~/.cache/mozilla/firefox
155	.TP	155	.TP
		156	\fBmkfile file
		157	Similar to mkdir, this command creates a file in user home before the sandbox is started.
		158	The file is created if it doesn't already exist.
		159	.TP
156	\fBprivate	160	\fBprivate
157	Mount new /root and /home/user directories in temporary	161	Mount new /root and /home/user directories in temporary
158	filesystems. All modifications are discarded when the sandbox is	162	filesystems. All modifications are discarded when the sandbox is