10 files changed, 45 insertions, 10 deletions

diff --git a/RELNOTES b/RELNOTES
index 459fdd37b..d8d03b912 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,11 +1,12 @@
 firejail (0.9.37) baseline; urgency=low
   * IPv6 support (--ip6 and --netfilter6)
   * --join command enhancement (--join-network, --join-filesystem)
-  * --user command
-  * --disable-network and --disable-userns compile time flags
+  * added --user command
+  * added --disable-network and --disable-userns compile time flags
   * symlink invocation
   * added KMail, Seamonkey, Telegram profiles
-  * --tmpfs option allowd only running as root
+  * --tmpfs option allowed only running as root
+  * added --private-tmp option
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun,  24 Jan 2016 20:00:00 -0500
 
diff --git a/etc/server.profile b/etc/server.profile
index 5b706df9a..5471aed91 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -5,5 +5,6 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
 private
 private-dev
+private-tmp
 seccomp
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a2afd4a8d..2f40b4d86 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -224,6 +224,7 @@ extern int arg_shell_none;	// run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
 extern int arg_private_etc;     // private etc directory
 extern int arg_private_bin;     // private bin directory
+extern int arg_private_tmp;     // private tmp directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
 extern int arg_nosound; // disable sound
@@ -288,6 +289,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 int fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index cad101bf9..b0add91e2 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -959,4 +959,11 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
 
+void fs_private_tmp(void) {
+        // mount tmpfs on top of /run/firejail/mnt
+        if (arg_debug)
+                printf("Mounting tmpfs on /tmp directory\n");
+        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                errExit("mounting /tmp/firejail/mnt");
+}
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2fda8f1ab..21e6e4975 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_shell_none = 0;			// run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
 int arg_private_etc = 0;                        // private etc directory
 int arg_private_bin = 0;                        // private bin directory
+int arg_private_tmp = 0;                        // private tmp directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
 int arg_nosound = 0;                            // disable sound
@@ -922,7 +923,7 @@ int main(int argc, char **argv) {
                         arg_private_dev = 1;
                 }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-                        // extract private etc dirname
+                        // extract private etc list
                         cfg.etc_private_keep = argv[i] + 14;
                         if (*cfg.etc_private_keep == '\0') {
                                 fprintf(stderr, "Error: invalid private-etc option\n");
@@ -937,7 +938,7 @@ int main(int argc, char **argv) {
                         }
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-                        // extract private etc dirname
+                        // extract private bin list
                         cfg.bin_private_keep = argv[i] + 14;
                         if (*cfg.bin_private_keep == '\0') {
                                 fprintf(stderr, "Error: invalid private-bin option\n");
@@ -946,8 +947,9 @@ int main(int argc, char **argv) {
                         fs_check_bin_list();
                         arg_private_bin = 1;
                 }
-                        
-
+                else if (strcmp(argv[i], "--private-tmp") == 0) {
+                        arg_private_tmp = 1;
+                }
 
                 //*************************************
                 // hostname, etc
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5a0e9b727..76adbb934 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -143,6 +143,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_private_dev = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "private-tmp") == 0) {
+                arg_private_tmp = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "nogroups") == 0) {
                 arg_nogroups = 1;
                 return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ddf6f785d..02ff7737f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -426,6 +426,8 @@ int sandbox(void* sandbox_arg) {
         }
         if (arg_private_bin)
                 fs_private_bin_list();
+        if (arg_private_tmp)
+                fs_private_tmp();
         
         //****************************
         // apply the profile file
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 531eba379..5021025e8 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -230,6 +230,8 @@ void usage(void) {
         printf("\t\tfilesystem, and copy the files and directories in the list.\n");
         printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n");
         
+        printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n");
+        
         printf("\t--profile=filename - use a custom profile.\n\n");
         printf("\t--profile-path=directory - use this directory to look for profile files.\n\n");
         
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 2f17c3088..90c59d753 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -139,13 +139,13 @@ Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
 closed.
 .TP
+\fBprivate directory
+Use directory as user home.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
-\fBprivate directory
-Use directory as user home.
-.TP
 \fBprivate-home file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
@@ -160,6 +160,9 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-tmp
+Mount an empty temporary filesystem on top of /tmp directory.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 43572bb4b..877ee0ce5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1004,6 +1004,17 @@ Example:
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
 nsswitch.conf,passwd,resolv.conf
+
+.TP
+\fB\-\-private-tmp
+Mount an empty temporary filesystem on top of /tmp directory.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private-tmp
+
 .TP
 \fB\-\-profile=filename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.