7 files changed, 123 insertions, 0 deletions
diff --git a/README.md b/README.md
index f502c8909..6769ad47e 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,27 @@ $ firejail --net=eth0 firefox
              $ firejail --nice=-5 firefox
 `````
+## mkdir
+`````
+$ man firejail-profile
+[...]
+       mkdir directory
+              Create   a   directory  in  user  home.  Use  this  command  for
+              whitelisted directories you need to preserve when the sandbox is
+              closed.  Subdirectories  also  need  to  be created using mkdir.
+              Example from firefox profile:
+              mkdir ~/.mozilla
+              whitelist ~/.mozilla
+              mkdir ~/.cache
+              mkdir ~/.cache/mozilla
+              mkdir ~/.cache/mozilla/firefox
+              whitelist ~/.cache/mozilla/firefox
+[...]
+`````
 ## New security profiles
 lxterminal, Epiphany, cherrytree
diff --git a/RELNOTES b/RELNOTES
index 8617ac659..86bb10b1a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.39) baseline; urgency=low
  * default seccomp filter update
  * disable STUN/WebRTC in default netfilter configuration
  * added --nice option
+  * addded mkdir profile command
  * --version also prints compile options
  * build rpm packages using "make rpms"
  * new profiles: lxterminal, Epiphany, cherrytree
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 0946ebfbe..0b082f216 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -12,7 +12,11 @@ netfilter
 tracelog
 noroot
 whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
 whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/firefox
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
 whitelist ~/.zotero
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a754711b1..2662cc1d7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -512,5 +512,8 @@ void check_user(int argc, char **argv);
 // paths.c
 char **build_paths(void);
+// fs_mkdir.c
+void fs_mkdir(const char *name);
 #endif
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
new file mode 100644
index 000000000..7c2b108c6
--- /dev/null
+++ b/src/firejail/fs_mkdir.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <grp.h>
+ #include <sys/wait.h>
+ 
+void fs_mkdir(const char *name) {
+        // check directory name
+        invalid_filename(name);
+        char *expanded = expand_home(name, cfg.homedir);
+        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                fprintf(stderr, "Error: only directories in user home are supported by mkdir\n");
+                exit(1);
+        }
+        struct stat s;
+        if (stat(expanded, &s) == 0) {
+                // file exists, do nothing
+                goto doexit;
+        }
+        // fork a process, drop privileges, and create the directory
+        // no error recovery will be attempted
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                if (arg_debug)
+                        printf("Create %s directory\n", expanded);
+                
+                // drop privileges
+                if (setgroups(0, NULL) < 0)
+                        errExit("setgroups");
+                if (setgid(getgid()) < 0)
+                        errExit("setgid/getgid");
+                if (setuid(getuid()) < 0)
+                        errExit("setuid/getuid");
+                
+                // create directory
+                if (mkdir(expanded, 0755) == -1)
+                        fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
+                exit(0);
+        }
+        
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+doexit:
+        free(expanded);
+}       
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 70ec360ce..0c28eefd8 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -99,6 +99,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strncmp(ptr, "mkdir ", 6) == 0) {
+                fs_mkdir(ptr + 6);
+                return 0;
+        }
        // sandbox name
        if (strncmp(ptr, "name ", 5) == 0) {
                cfg.name = ptr + 5;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3ebb11549..b46958bd4 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -134,6 +134,25 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBmkdir directory
+Create a directory in user home. Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+firefox profile:
+.br
+.br
+mkdir ~/.mozilla
+.br
+whitelist ~/.mozilla
+.br
+mkdir ~/.cache
+.br
+mkdir ~/.cache/mozilla
+.br
+mkdir ~/.cache/mozilla/firefox
+.br
+whitelist ~/.cache/mozilla/firefox
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is

diff --git a/README.md b/README.md index f502c8909..6769ad47e 100644 --- a/README.md +++ b/README.md
@@ -79,6 +79,27 @@ $ firejail --net=eth0 firefox
79	$ firejail --nice=-5 firefox	79	$ firejail --nice=-5 firefox
80	`````	80	`````
81		81
		82	## mkdir
		83
		84	`````
		85	$ man firejail-profile
		86	[...]
		87	mkdir directory
		88	Create a directory in user home. Use this command for
		89	whitelisted directories you need to preserve when the sandbox is
		90	closed. Subdirectories also need to be created using mkdir.
		91	Example from firefox profile:
		92
		93	mkdir ~/.mozilla
		94	whitelist ~/.mozilla
		95	mkdir ~/.cache
		96	mkdir ~/.cache/mozilla
		97	mkdir ~/.cache/mozilla/firefox
		98	whitelist ~/.cache/mozilla/firefox
		99
		100	[...]
		101	`````
		102
82	## New security profiles	103	## New security profiles
83		104
84	lxterminal, Epiphany, cherrytree	105	lxterminal, Epiphany, cherrytree


diff --git a/RELNOTES b/RELNOTES index 8617ac659..86bb10b1a 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.39) baseline; urgency=low
3	* default seccomp filter update	3	* default seccomp filter update
4	* disable STUN/WebRTC in default netfilter configuration	4	* disable STUN/WebRTC in default netfilter configuration
5	* added --nice option	5	* added --nice option
		6	* addded mkdir profile command
6	* --version also prints compile options	7	* --version also prints compile options
7	* build rpm packages using "make rpms"	8	* build rpm packages using "make rpms"
8	* new profiles: lxterminal, Epiphany, cherrytree	9	* new profiles: lxterminal, Epiphany, cherrytree


diff --git a/etc/firefox.profile b/etc/firefox.profile index 0946ebfbe..0b082f216 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -12,7 +12,11 @@ netfilter
12	tracelog	12	tracelog
13	noroot	13	noroot
14	whitelist ${DOWNLOADS}	14	whitelist ${DOWNLOADS}
		15	mkdir ~/.mozilla
15	whitelist ~/.mozilla	16	whitelist ~/.mozilla
		17	mkdir ~/.cache
		18	mkdir ~/.cache/mozilla
		19	mkdir ~/.cache/mozilla/firefox
16	whitelist ~/.cache/mozilla/firefox	20	whitelist ~/.cache/mozilla/firefox
17	whitelist ~/dwhelper	21	whitelist ~/dwhelper
18	whitelist ~/.zotero	22	whitelist ~/.zotero


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a754711b1..2662cc1d7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -512,5 +512,8 @@ void check_user(int argc, char **argv);
512	// paths.c	512	// paths.c
513	char **build_paths(void);	513	char **build_paths(void);
514		514
		515	// fs_mkdir.c
		516	void fs_mkdir(const char *name);
		517
515	#endif	518	#endif
516		519


diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c new file mode 100644 index 000000000..7c2b108c6 --- /dev/null +++ b/src/firejail/fs_mkdir.c
@@ -0,0 +1,70 @@
		1	/*
		2	* Copyright (C) 2014-2016 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "firejail.h"
		21	#include <sys/types.h>
		22	#include <sys/stat.h>
		23	#include <unistd.h>
		24	#include <grp.h>
		25	#include <sys/wait.h>
		26
		27	void fs_mkdir(const char *name) {
		28	// check directory name
		29	invalid_filename(name);
		30	char *expanded = expand_home(name, cfg.homedir);
		31	if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
		32	fprintf(stderr, "Error: only directories in user home are supported by mkdir\n");
		33	exit(1);
		34	}
		35
		36	struct stat s;
		37	if (stat(expanded, &s) == 0) {
		38	// file exists, do nothing
		39	goto doexit;
		40	}
		41
		42	// fork a process, drop privileges, and create the directory
		43	// no error recovery will be attempted
		44	pid_t child = fork();
		45	if (child < 0)
		46	errExit("fork");
		47	if (child == 0) {
		48	if (arg_debug)
		49	printf("Create %s directory\n", expanded);
		50
		51	// drop privileges
		52	if (setgroups(0, NULL) < 0)
		53	errExit("setgroups");
		54	if (setgid(getgid()) < 0)
		55	errExit("setgid/getgid");
		56	if (setuid(getuid()) < 0)
		57	errExit("setuid/getuid");
		58
		59	// create directory
		60	if (mkdir(expanded, 0755) == -1)
		61	fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
		62	exit(0);
		63	}
		64
		65	// wait for the child to finish
		66	waitpid(child, NULL, 0);
		67
		68	doexit:
		69	free(expanded);
		70	}


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 70ec360ce..0c28eefd8 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -99,6 +99,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
99	return 0;	99	return 0;
100	}	100	}
101		101
		102	if (strncmp(ptr, "mkdir ", 6) == 0) {
		103	fs_mkdir(ptr + 6);
		104	return 0;
		105	}
		106
102	// sandbox name	107	// sandbox name
103	if (strncmp(ptr, "name ", 5) == 0) {	108	if (strncmp(ptr, "name ", 5) == 0) {
104	cfg.name = ptr + 5;	109	cfg.name = ptr + 5;


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 3ebb11549..b46958bd4 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -134,6 +134,25 @@ Mount-bind directory1 on top of directory2. This option is only available when r
134	\fBbind file1,file2	134	\fBbind file1,file2
135	Mount-bind file1 on top of file2. This option is only available when running as root.	135	Mount-bind file1 on top of file2. This option is only available when running as root.
136	.TP	136	.TP
		137	\fBmkdir directory
		138	Create a directory in user home. Use this command for whitelisted directories you need to preserve
		139	when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
		140	firefox profile:
		141	.br
		142
		143	.br
		144	mkdir ~/.mozilla
		145	.br
		146	whitelist ~/.mozilla
		147	.br
		148	mkdir ~/.cache
		149	.br
		150	mkdir ~/.cache/mozilla
		151	.br
		152	mkdir ~/.cache/mozilla/firefox
		153	.br
		154	whitelist ~/.cache/mozilla/firefox
		155	.TP
137	\fBprivate	156	\fBprivate
138	Mount new /root and /home/user directories in temporary	157	Mount new /root and /home/user directories in temporary
139	filesystems. All modifications are discarded when the sandbox is	158	filesystems. All modifications are discarded when the sandbox is