-rwxr-xr-x | configure | 25 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 |
8 files changed, 54 insertions, 7 deletions
@@ -644,6 +644,7 @@ HAVE_PRIVATE_HOME | |||
644 | HAVE_FIRETUNNEL | 644 | HAVE_FIRETUNNEL |
645 | HAVE_GAWK | 645 | HAVE_GAWK |
646 | HAVE_MAN | 646 | HAVE_MAN |
647 | HAVE_USERTMPFS | ||
647 | HAVE_OVERLAYFS | 648 | HAVE_OVERLAYFS |
648 | HAVE_DBUSPROXY | 649 | HAVE_DBUSPROXY |
649 | EXTRA_LDFLAGS | 650 | EXTRA_LDFLAGS |
@@ -711,6 +712,7 @@ enable_analyzer | |||
711 | enable_apparmor | 712 | enable_apparmor |
712 | enable_dbusproxy | 713 | enable_dbusproxy |
713 | enable_overlayfs | 714 | enable_overlayfs |
715 | enable_usertmpfs | ||
714 | enable_man | 716 | enable_man |
715 | enable_firetunnel | 717 | enable_firetunnel |
716 | enable_private_home | 718 | enable_private_home |
@@ -1366,6 +1368,7 @@ Optional Features: | |||
1366 | --enable-apparmor enable apparmor | 1368 | --enable-apparmor enable apparmor |
1367 | --disable-dbusproxy disable dbus proxy | 1369 | --disable-dbusproxy disable dbus proxy |
1368 | --disable-overlayfs disable overlayfs | 1370 | --disable-overlayfs disable overlayfs |
1371 | --disable-usertmpfs disable tmpfs as regular user | ||
1369 | --disable-man disable man pages | 1372 | --disable-man disable man pages |
1370 | --disable-firetunnel disable firetunnel | 1373 | --disable-firetunnel disable firetunnel |
1371 | --disable-private-home disable private home feature | 1374 | --disable-private-home disable private home feature |
@@ -3417,8 +3420,8 @@ if test "x$enable_apparmor" = "xyes"; then : | |||
3417 | HAVE_APPARMOR="-DHAVE_APPARMOR" | 3420 | HAVE_APPARMOR="-DHAVE_APPARMOR" |
3418 | 3421 | ||
3419 | pkg_failed=no | 3422 | pkg_failed=no |
3420 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5 | 3423 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5 |
3421 | $as_echo_n "checking for libapparmor... " >&6; } | 3424 | $as_echo_n "checking for AA... " >&6; } |
3422 | 3425 | ||
3423 | if test -n "$AA_CFLAGS"; then | 3426 | if test -n "$AA_CFLAGS"; then |
3424 | pkg_cv_AA_CFLAGS="$AA_CFLAGS" | 3427 | pkg_cv_AA_CFLAGS="$AA_CFLAGS" |
@@ -3458,7 +3461,7 @@ fi | |||
3458 | 3461 | ||
3459 | 3462 | ||
3460 | if test $pkg_failed = yes; then | 3463 | if test $pkg_failed = yes; then |
3461 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | 3464 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
3462 | $as_echo "no" >&6; } | 3465 | $as_echo "no" >&6; } |
3463 | 3466 | ||
3464 | if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then | 3467 | if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then |
@@ -3485,7 +3488,7 @@ Alternatively, you may set the environment variables AA_CFLAGS | |||
3485 | and AA_LIBS to avoid the need to call pkg-config. | 3488 | and AA_LIBS to avoid the need to call pkg-config. |
3486 | See the pkg-config man page for more details." "$LINENO" 5 | 3489 | See the pkg-config man page for more details." "$LINENO" 5 |
3487 | elif test $pkg_failed = untried; then | 3490 | elif test $pkg_failed = untried; then |
3488 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | 3491 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
3489 | $as_echo "no" >&6; } | 3492 | $as_echo "no" >&6; } |
3490 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | 3493 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 |
3491 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | 3494 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} |
@@ -3540,6 +3543,19 @@ if test "x$enable_overlayfs" != "xno"; then : | |||
3540 | 3543 | ||
3541 | fi | 3544 | fi |
3542 | 3545 | ||
3546 | HAVE_USERTMPS="" | ||
3547 | # Check whether --enable-usertmpfs was given. | ||
3548 | if test "${enable_usertmpfs+set}" = set; then : | ||
3549 | enableval=$enable_usertmpfs; | ||
3550 | fi | ||
3551 | |||
3552 | if test "x$enable_usertmpfs" != "xno"; then : | ||
3553 | |||
3554 | HAVE_USERTMPFS="-DHAVE_USERTMPFS" | ||
3555 | |||
3556 | |||
3557 | fi | ||
3558 | |||
3543 | HAVE_MAN="no" | 3559 | HAVE_MAN="no" |
3544 | # Check whether --enable-man was given. | 3560 | # Check whether --enable-man was given. |
3545 | if test "${enable_man+set}" = set; then : | 3561 | if test "${enable_man+set}" = set; then : |
@@ -5464,6 +5480,7 @@ echo " private home support: $HAVE_PRIVATE_HOME" | |||
5464 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 5480 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
5465 | echo " overlayfs support: $HAVE_OVERLAYFS" | 5481 | echo " overlayfs support: $HAVE_OVERLAYFS" |
5466 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | 5482 | echo " DBUS proxy support: $HAVE_DBUSPROXY" |
5483 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" | ||
5467 | echo " Manpage support: $HAVE_MAN" | 5484 | echo " Manpage support: $HAVE_MAN" |
5468 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 5485 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
5469 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 5486 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
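--- a/configure.ac
+++ b/configure.ac
@@ -74,6 +74,14 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [
 AC_SUBST(HAVE_OVERLAYFS)
 ])
 
+HAVE_USERTMPS=""
+AC_ARG_ENABLE([usertmpfs],
+AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
+AS_IF([test "x$enable_usertmpfs" != "xno"], [
+HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+AC_SUBST(HAVE_USERTMPFS)
+])
+
 HAVE_MAN="no"
 AC_ARG_ENABLE([man],
 AS_HELP_STRING([--disable-man], [disable man pages]))
@@ -240,6 +248,7 @@ echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
 echo " DBUS proxy support: $HAVE_DBUSPROXY"
+echo " allow tmpfs as regular user: $HAVE_USERTMPFS"
 echo " Manpage support: $HAVE_MAN"
 echo " firetunnel support: $HAVE_FIRETUNNEL"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"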
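Review bot: `HAVE_USERTMPS=""` on line 77 of the new configure.ac initialises a differently named variable from the `HAVE_USERTMPFS` that the `AS_IF` below assigns and `AC_SUBST`s, so the intended empty default is never applied to the variable actually used; it should read `HAVE_USERTMPFS=""`. The generated configure in this commit carries the same misspelling in its usertmpfs block and will pick up the fix on regeneration. Autoconf appears to substitute an unset variable as empty, so the produced flags are likely unaffected, but the stray name is confusing next to the otherwise identical `HAVE_OVERLAYFS` block above it.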
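--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -24,6 +24,7 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -33,7 +34,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread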
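--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -351,6 +351,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- private-cache and tmpfs as user %s\n",
+#ifdef HAVE_USERTMPFS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
 "enabled"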
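--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 else if (op == MOUNT_TMPFS) {
 if (S_ISDIR(s.st_mode)) {
-fs_tmpfs(fname, 0);
+fs_tmpfs(fname, getuid());
 last_disable = SUCCESSFUL;
 }
 else
@@ -451,7 +451,7 @@ void fs_blacklist(void) {
 void fs_tmpfs(const char *dir, unsigned check_owner) {
 assert(dir);
 if (arg_debug)
-printf("Mounting tmpfs on %s\n", dir);
+printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
 // get a file descriptor for dir, fails if there is any symlink
 int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 if (fd == -1)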
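Review bot: `fs_tmpfs(fname, getuid())` in the first hunk passes a uid where the callee's `check_owner` parameter is consumed as a yes/no flag (the second hunk prints it as `"yes"`/`"no"`), so the rule "skip the ownership check only for root" is encoded implicitly in uid 0 being falsy. Writing it as `fs_tmpfs(fname, getuid() != 0);` states that rule directly and keeps the argument in 0/1 form. Given the parameter name, this check is presumably what prevents an unprivileged user from mounting over a directory they do not own, which makes the explicit form worth a short comment above the call as well. Both `disable_file` and `fs_tmpfs` continue outside their hunks, so the rest of the owner-check logic is not visible here.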
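--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2000,12 +2000,14 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--private-tmp") == 0) {
 arg_private_tmp = 1;
 }
+#ifdef HAVE_USERTMPFS
 else if (strcmp(argv[i], "--private-cache") == 0) {
 if (checkcfg(CFG_PRIVATE_CACHE))
 arg_private_cache = 1;
 else
 exit_err_feature("private-cache");
 }
+#endif
 else if (strcmp(argv[i], "--private-cwd") == 0) {
 cfg.cwd = NULL;
 arg_private_cwd = 1;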
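Review bot: With `HAVE_USERTMPFS` undefined the entire `--private-cache` branch is compiled out, so the option stops being recognised at all and falls through to whatever the generic unknown-option handling further down does (outside this hunk), rather than telling the user why the feature is unavailable. The branch already has the right message for a disabled feature, `exit_err_feature("private-cache")`; moving `#ifdef HAVE_USERTMPFS` inside the braces and adding `#else` / `exit_err_feature("private-cache");` / `#endif` before the closing brace keeps the option known and reports the build-time reason. `main` begins and ends outside the hunk.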
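--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -383,10 +383,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "private-cache") == 0) {
+#ifdef HAVE_USERTMPFS
 if (checkcfg(CFG_PRIVATE_CACHE))
 arg_private_cache = 1;
 else
 warning_feature_disabled("private-cache");
+#endif
 return 0;
 }
 else if (strcmp(ptr, "private-dev") == 0) {
@@ -1570,6 +1572,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 else if (strncmp(ptr, "noexec ", 7) == 0)
 ptr += 7;
 else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+#ifndef HAVE_USERTMPFS
+if (getuid() != 0) {
+fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+exit(1);
+}
+#endif
 ptr += 6;
 }
 else {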
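Review bot: In the first hunk the `#ifdef HAVE_USERTMPFS` wraps only the body, so a build without the feature still accepts a `private-cache` profile line and returns 0 without setting anything or reporting anything — an isolation directive the profile asked for is silently dropped. Adding `#else` / `warning_feature_disabled("private-cache");` before the `#endif` reuses the helper the hunk already calls for the runtime-disabled case and keeps the two disabled paths consistent. The second hunk's root check applies to `tmpfs` lines that reach profile_check_line; whether a command-line `--tmpfs` option is routed through the same path is not visible here and is worth confirming. profile_check_line begins and ends outside both hunks.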
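--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -921,6 +921,7 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
+#ifdef HAVE_USERTMPFS
 if (arg_private_cache) {
 if (cfg.chrootdir)
 fwarning("private-cache feature is disabled in chroot\n");
@@ -929,6 +930,7 @@ int sandbox(void* sandbox_arg) {
 else
 fs_private_cache();
 }
+#endif
 
 if (arg_private_tmp) {
 // private-tmp is implemented as a whitelist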