4 files changed, 31 insertions, 2 deletions

diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index dd347a714..db9382dc3 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -31,6 +31,10 @@
 static char *devloop = NULL;    // device file 
 static char *mntdir = NULL;     // mount point in /tmp directory
 
+const char *appimage_getdir(void) {
+        return mntdir;
+}
+
 void appimage_set(const char *appimage_path) {
         assert(appimage_path);
         assert(devloop == NULL);        // don't call this twice!
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 6d64ce4cd..0b6e2e181 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -259,6 +259,7 @@ extern int arg_nice;		// nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_writable_var;    // writable var
+extern int arg_appimage;        // appimage
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -581,6 +582,7 @@ void fs_rdwr(void);
 // appimage.c
 void appimage_set(const char *appimage_path);
 void appimage_clear(void);
+const char *appimage_getdir(void);
 
 #endif
 
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 617e61dcd..ba6c8cd74 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -504,7 +504,7 @@ void fs_whitelist(void) {
         
         // /tmp mountpoint
         if (tmp_dir) {
-                // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
+                // keep a copy of real /tmp directory in  
                 int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
                 if (rv == -1)
                         errExit("mkdir");
@@ -522,6 +522,29 @@ void fs_whitelist(void) {
                 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                         errExit("mounting tmpfs on /tmp");
                 fs_logger("tmpfs /tmp");
+                
+                // mount appimage directory if necessary
+                if (arg_appimage) {
+                        const char *dir = appimage_getdir();
+                        assert(dir);
+                        char *wdir;
+                        if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1)
+                                errExit("asprintf");
+
+                        // create directory
+                        if (mkdir(dir, 0755) < 0)
+                                errExit("mkdir");
+                        if (chown(dir, getuid(), getgid()) < 0)
+                                errExit("chown");
+                        if (chmod(dir, 0755) < 0)
+                                errExit("chmod");
+                
+                        // mount
+                        if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        fs_logger2("whitelist", dir);
+                        free(wdir);
+                }
         }
         
         // /media mountpoint
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 423df3752..9e8e1eaf0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -99,6 +99,7 @@ int arg_nice = 0;				// nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
 int arg_writable_var = 0;                       // writable var
+int arg_appimage = 0;                           // appimage
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -705,7 +706,6 @@ int main(int argc, char **argv) {
 #ifdef HAVE_SECCOMP
         int highest_errno = errno_highest_nr();
 #endif
-        int arg_appimage = 0;
 
         // drop permissions by default and rise them when required
         EUID_INIT();