6 files changed, 50 insertions, 16 deletions
diff --git a/RELNOTES b/RELNOTES
index 61732c390..4775cf0f6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -34,9 +34,6 @@ firejail (0.9.45) baseline; urgency=low
  * feature: allow /tmp directory in mkdir and mkfile profile commands
  * feature: implemented --noblacklist command, profile support
  * feature: config support to disable access to /mnt and /media (disable-mnt)
-  * feature: allow tmpfs for regular users for files in home directory
-  * feature: mount a tmpfs on top of ~/.cache directory by default
-  * feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)
  * feature: config support to disable join (join)
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3413febcb..fc6bdc7d0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -486,7 +486,15 @@ void fs_cache(void) {
        char *cache;
        if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
                errExit("asprintf");
+        if (is_link(cache)) {
+                fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n");
+                exit(1);
+        }
        disable_file(MOUNT_TMPFS, cache);
+        if (is_link(cache)) {
+                fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n");
+                exit(1);
+        }
        free(cache);
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4b3cab041..993acf2aa 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -970,19 +970,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                ptr += 7;
        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
                if (getuid() != 0) {
-                        // allow a non-root user  to mount tmpfs in user home directory, links are not allowed
+                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-                        invalid_filename(ptr + 6);
+                        exit(1);
-                        char *newfname = expand_home(ptr + 6, cfg.homedir);
-                        assert(newfname);
-                        if (is_link(newfname)) {
-                                fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n");
-                                exit(1);        
-                        }
-                        if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
-                                exit(1);        
-                        }
-                        free(newfname);
                }
                ptr += 6;
        }
diff --git a/test/network/configure b/test/network/configure
index 35d938340..d4511c705 100755
--- a/test/network/configure
+++ b/test/network/configure
@@ -25,3 +25,6 @@ ip link add link eth0 name eth0.6 type vlan id 6
 ip link add link eth0 name eth0.7 type vlan id 7
 /sbin/ifconfig eth0.7 10.10.207.10/24 up
+# network namespace
+ip netns add red
diff --git a/test/network/netns.exp b/test/network/netns.exp
new file mode 100755
index 000000000..9475cf958
--- /dev/null
+++ b/test/network/netns.exp
@@ -0,0 +1,34 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --netns=red --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "LOOPBACK"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DOWN"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "link/loopback"
+}
+after 100
+send -- "exit\r"
+after 100
+puts "all done\n"
diff --git a/test/network/network.sh b/test/network/network.sh
index 2c60be0a5..c4c104042 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -11,6 +11,9 @@ sudo ./configure
 echo "TESTING: firemon interface (firemon-interfaces.exp)"
 sudo ./firemon-interfaces.exp
+echo "TESTING: netns (netns.exp)"
+./netns.exp
 echo "TESTING: print dns (dns-print.exp)"
 ./dns-print.exp

diff --git a/RELNOTES b/RELNOTES index 61732c390..4775cf0f6 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -34,9 +34,6 @@ firejail (0.9.45) baseline; urgency=low
34	* feature: allow /tmp directory in mkdir and mkfile profile commands	34	* feature: allow /tmp directory in mkdir and mkfile profile commands
35	* feature: implemented --noblacklist command, profile support	35	* feature: implemented --noblacklist command, profile support
36	* feature: config support to disable access to /mnt and /media (disable-mnt)	36	* feature: config support to disable access to /mnt and /media (disable-mnt)
37	* feature: allow tmpfs for regular users for files in home directory
38	* feature: mount a tmpfs on top of ~/.cache directory by default
39	* feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)
40	* feature: config support to disable join (join)	37	* feature: config support to disable join (join)
41	* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,	38	* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
42	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,	39	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3413febcb..fc6bdc7d0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -486,7 +486,15 @@ void fs_cache(void) {
486	char *cache;	486	char *cache;
487	if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)	487	if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
488	errExit("asprintf");	488	errExit("asprintf");
		489	if (is_link(cache)) {
		490	fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n");
		491	exit(1);
		492	}
489	disable_file(MOUNT_TMPFS, cache);	493	disable_file(MOUNT_TMPFS, cache);
		494	if (is_link(cache)) {
		495	fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n");
		496	exit(1);
		497	}
490	free(cache);	498	free(cache);
491	}	499	}
492		500


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4b3cab041..993acf2aa 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -970,19 +970,8 @@ int profile_check_line(char ptr, int lineno, const char fname) {
970	ptr += 7;	970	ptr += 7;
971	else if (strncmp(ptr, "tmpfs ", 6) == 0) {	971	else if (strncmp(ptr, "tmpfs ", 6) == 0) {
972	if (getuid() != 0) {	972	if (getuid() != 0) {
973	// allow a non-root user to mount tmpfs in user home directory, links are not allowed	973	fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
974	invalid_filename(ptr + 6);	974	exit(1);
975	char *newfname = expand_home(ptr + 6, cfg.homedir);
976	assert(newfname);
977	if (is_link(newfname)) {
978	fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n");
979	exit(1);
980	}
981	if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) {
982	fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
983	exit(1);
984	}
985	free(newfname);
986	}	975	}
987	ptr += 6;	976	ptr += 6;
988	}	977	}


diff --git a/test/network/configure b/test/network/configure index 35d938340..d4511c705 100755 --- a/test/network/configure +++ b/test/network/configure
@@ -25,3 +25,6 @@ ip link add link eth0 name eth0.6 type vlan id 6
25	ip link add link eth0 name eth0.7 type vlan id 7	25	ip link add link eth0 name eth0.7 type vlan id 7
26	/sbin/ifconfig eth0.7 10.10.207.10/24 up	26	/sbin/ifconfig eth0.7 10.10.207.10/24 up
27		27
		28	# network namespace
		29	ip netns add red
		30


diff --git a/test/network/netns.exp b/test/network/netns.exp new file mode 100755 index 000000000..9475cf958 --- /dev/null +++ b/test/network/netns.exp
@@ -0,0 +1,34 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2017 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --netns=red --noprofile\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 1\n";exit}
		13	"Child process initialized"
		14	}
		15	after 100
		16
		17	send -- "ip link show\r"
		18	expect {
		19	timeout {puts "TESTING ERROR 2\n";exit}
		20	"LOOPBACK"
		21	}
		22	expect {
		23	timeout {puts "TESTING ERROR 3\n";exit}
		24	"DOWN"
		25	}
		26	expect {
		27	timeout {puts "TESTING ERROR 4\n";exit}
		28	"link/loopback"
		29	}
		30	after 100
		31	send -- "exit\r"
		32	after 100
		33
		34	puts "all done\n"


diff --git a/test/network/network.sh b/test/network/network.sh index 2c60be0a5..c4c104042 100755 --- a/test/network/network.sh +++ b/test/network/network.sh
@@ -11,6 +11,9 @@ sudo ./configure
11	echo "TESTING: firemon interface (firemon-interfaces.exp)"	11	echo "TESTING: firemon interface (firemon-interfaces.exp)"
12	sudo ./firemon-interfaces.exp	12	sudo ./firemon-interfaces.exp
13		13
		14	echo "TESTING: netns (netns.exp)"
		15	./netns.exp
		16
14	echo "TESTING: print dns (dns-print.exp)"	17	echo "TESTING: print dns (dns-print.exp)"
15	./dns-print.exp	18	./dns-print.exp
16		19