6 files changed, 50 insertions, 2 deletions
diff --git a/RELNOTES b/RELNOTES
index 4bff6d092..37b4faf47 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,6 +5,7 @@ firejail (0.9.40-rc1) baseline; urgency=low
  * added --x11=xephyr option
  * added --cpu.print option
  * added filetransfer options --ls and --get
+  * added --writable-etc and --writable-var options
  * added mkdir, ipc-namespace, and nosound profile commands
  * added net iface, and iprange profile commands
  * --version also prints compile options
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 24ea53476..ece1eee4e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -256,6 +256,8 @@ extern int arg_join_network;	// join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice;            // nice value configured
 extern int arg_ipc;             // enable ipc namespace
+extern int arg_writable_etc;    // writable etc
+extern int arg_writable_var;    // writable var
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 652f897d0..af1ddf93b 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -734,8 +734,10 @@ void fs_basic_fs(void) {
        fs_rdonly("/lib32");
        fs_rdonly("/libx32");
        fs_rdonly("/usr");
-        fs_rdonly("/etc");
+        if (!arg_writable_etc)
-        fs_rdonly("/var");
+                fs_rdonly("/etc");
+        if (!arg_writable_var)
+                fs_rdonly("/var");
        // update /var directory in order to support multiple sandboxes running on the same root directory
        if (!arg_private_dev)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 6b50b450c..27bd7c385 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -96,6 +96,8 @@ int arg_join_network = 0;			// join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
 int arg_nice = 0;                               // nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
+int arg_writable_etc = 0;                       // writable etc
+int arg_writable_var = 0;                       // writable var
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1272,6 +1274,20 @@ int main(int argc, char **argv) {
                }
 #endif
+                else if (strcmp(argv[i], "--writable-etc") == 0) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --writable-etc is available only for root user\n");
+                                exit(1);
+                        }
+                        arg_writable_etc = 1;
+                }
+                else if (strcmp(argv[i], "--writable-var") == 0) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --writable-var is available only for root user\n");
+                                exit(1);
+                        }
+                        arg_writable_var = 1;
+                }
                else if (strcmp(argv[i], "--private") == 0)
                        arg_private = 1;
                else if (strncmp(argv[i], "--private=", 10) == 0) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 539785f21..8b61629f4 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -246,6 +246,12 @@ void usage(void) {
        printf("    --user=new_user - switch the user before starting the sandbox.\n\n");
        printf("    --version - print program version and exit.\n\n");
        printf("    --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
+        
+        printf("    --writable-etc - /etc directory is mounted read-write. This option is\n");
+        printf("\tavailable only when running the sandbox as root user.\n\n");
+        printf("    --writable-var - /var directory is mounted read-write. This option is\n");
+        printf("\tavailable only when running the sandbox as root user.\n\n");
+        
        printf("    --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
        printf("\tthen it checks if Xephyr is installed.\n\n");
        printf("    --x11=xpra - enable Xpra X11 server.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 23db832c1..14b3c6a60 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1462,6 +1462,27 @@ $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 .TP
+\fB\-\-writable-etc
+Mount /etc directory read-write. This option is available only when running the sandbox as root user
+.br
+.br
+Example:
+.br
+$ sudo firejail --writable-etc
+.TP
+\fB\-\-writable-var
+Mount /var directory read-write. This option is available only when running the sandbox as root user
+.br
+.br
+Example:
+.br
+$ sudo firejail --writable-var
+.TP
 \fB\-\-x11
 Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
 The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger

diff --git a/RELNOTES b/RELNOTES index 4bff6d092..37b4faf47 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -5,6 +5,7 @@ firejail (0.9.40-rc1) baseline; urgency=low
5	* added --x11=xephyr option	5	* added --x11=xephyr option
6	* added --cpu.print option	6	* added --cpu.print option
7	* added filetransfer options --ls and --get	7	* added filetransfer options --ls and --get
		8	* added --writable-etc and --writable-var options
8	* added mkdir, ipc-namespace, and nosound profile commands	9	* added mkdir, ipc-namespace, and nosound profile commands
9	* added net iface, and iprange profile commands	10	* added net iface, and iprange profile commands
10	* --version also prints compile options	11	* --version also prints compile options


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 24ea53476..ece1eee4e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -256,6 +256,8 @@ extern int arg_join_network; // join only the network namespace
256	extern int arg_join_filesystem; // join only the mount namespace	256	extern int arg_join_filesystem; // join only the mount namespace
257	extern int arg_nice; // nice value configured	257	extern int arg_nice; // nice value configured
258	extern int arg_ipc; // enable ipc namespace	258	extern int arg_ipc; // enable ipc namespace
		259	extern int arg_writable_etc; // writable etc
		260	extern int arg_writable_var; // writable var
259		261
260	extern int parent_to_child_fds[2];	262	extern int parent_to_child_fds[2];
261	extern int child_to_parent_fds[2];	263	extern int child_to_parent_fds[2];


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 652f897d0..af1ddf93b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -734,8 +734,10 @@ void fs_basic_fs(void) {
734	fs_rdonly("/lib32");	734	fs_rdonly("/lib32");
735	fs_rdonly("/libx32");	735	fs_rdonly("/libx32");
736	fs_rdonly("/usr");	736	fs_rdonly("/usr");
737	fs_rdonly("/etc");	737	if (!arg_writable_etc)
738	fs_rdonly("/var");	738	fs_rdonly("/etc");
		739	if (!arg_writable_var)
		740	fs_rdonly("/var");
739		741
740	// update /var directory in order to support multiple sandboxes running on the same root directory	742	// update /var directory in order to support multiple sandboxes running on the same root directory
741	if (!arg_private_dev)	743	if (!arg_private_dev)


diff --git a/src/firejail/main.c b/src/firejail/main.c index 6b50b450c..27bd7c385 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -96,6 +96,8 @@ int arg_join_network = 0; // join only the network namespace
96	int arg_join_filesystem = 0; // join only the mount namespace	96	int arg_join_filesystem = 0; // join only the mount namespace
97	int arg_nice = 0; // nice value configured	97	int arg_nice = 0; // nice value configured
98	int arg_ipc = 0; // enable ipc namespace	98	int arg_ipc = 0; // enable ipc namespace
		99	int arg_writable_etc = 0; // writable etc
		100	int arg_writable_var = 0; // writable var
99		101
100	int parent_to_child_fds[2];	102	int parent_to_child_fds[2];
101	int child_to_parent_fds[2];	103	int child_to_parent_fds[2];
@@ -1272,6 +1274,20 @@ int main(int argc, char **argv) {
1272		1274
1273	}	1275	}
1274	#endif	1276	#endif
		1277	else if (strcmp(argv[i], "--writable-etc") == 0) {
		1278	if (getuid() != 0) {
		1279	fprintf(stderr, "Error: --writable-etc is available only for root user\n");
		1280	exit(1);
		1281	}
		1282	arg_writable_etc = 1;
		1283	}
		1284	else if (strcmp(argv[i], "--writable-var") == 0) {
		1285	if (getuid() != 0) {
		1286	fprintf(stderr, "Error: --writable-var is available only for root user\n");
		1287	exit(1);
		1288	}
		1289	arg_writable_var = 1;
		1290	}
1275	else if (strcmp(argv[i], "--private") == 0)	1291	else if (strcmp(argv[i], "--private") == 0)
1276	arg_private = 1;	1292	arg_private = 1;
1277	else if (strncmp(argv[i], "--private=", 10) == 0) {	1293	else if (strncmp(argv[i], "--private=", 10) == 0) {


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 539785f21..8b61629f4 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -246,6 +246,12 @@ void usage(void) {
246	printf(" --user=new_user - switch the user before starting the sandbox.\n\n");	246	printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
247	printf(" --version - print program version and exit.\n\n");	247	printf(" --version - print program version and exit.\n\n");
248	printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");	248	printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
		249
		250	printf(" --writable-etc - /etc directory is mounted read-write. This option is\n");
		251	printf("\tavailable only when running the sandbox as root user.\n\n");
		252	printf(" --writable-var - /var directory is mounted read-write. This option is\n");
		253	printf("\tavailable only when running the sandbox as root user.\n\n");
		254
249	printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n");	255	printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
250	printf("\tthen it checks if Xephyr is installed.\n\n");	256	printf("\tthen it checks if Xephyr is installed.\n\n");
251	printf(" --x11=xpra - enable Xpra X11 server.\n\n");	257	printf(" --x11=xpra - enable Xpra X11 server.\n\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 23db832c1..14b3c6a60 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1462,6 +1462,27 @@ $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
1462	$ firejail "\-\-whitelist=/home/username/My Virtual Machines"	1462	$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
1463		1463
1464	.TP	1464	.TP
		1465	\fB\-\-writable-etc
		1466	Mount /etc directory read-write. This option is available only when running the sandbox as root user
		1467	.br
		1468
		1469	.br
		1470	Example:
		1471	.br
		1472	$ sudo firejail --writable-etc
		1473
		1474	.TP
		1475	\fB\-\-writable-var
		1476	Mount /var directory read-write. This option is available only when running the sandbox as root user
		1477	.br
		1478
		1479	.br
		1480	Example:
		1481	.br
		1482	$ sudo firejail --writable-var
		1483
		1484
		1485	.TP
1465	\fB\-\-x11	1486	\fB\-\-x11
1466	Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.	1487	Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
1467	The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger	1488	The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger