7 files changed, 58 insertions, 23 deletions

diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 78bd622fc..d3dcd57d0 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
             _filedir
             return 0
             ;;
+       --read-write)
+            _filedir
+            return 0
+            ;;
         --bind)
             _filedir
             return 0
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8856986e6..29bb6c494 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -584,10 +584,6 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 int checkcfg(int val);
 
-// fs_rdwr.c
-void fs_rdwr_add(const char *path);
-void fs_rdwr(void);
-
 // appimage.c
 void appimage_set(const char *appimage_path);
 void appimage_clear(void);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index d426636d8..630458549 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,6 +27,8 @@
 #include <fcntl.h>
 #include <errno.h>
 
+static void fs_rdwr(const char *dir);
+
 static void create_empty_dir(void) {
         struct stat s;
         
@@ -229,6 +231,7 @@ typedef enum {
         MOUNT_READONLY,
         MOUNT_TMPFS,
         MOUNT_NOEXEC,
+        MOUNT_RDWR,
         OPERATION_MAX
 } OPERATION;
 
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) {
                 fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
         }
+        else if (op == MOUNT_RDWR) {
+                if (arg_debug)
+                        printf("Mounting read-only %s\n", fname);
+                fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
         else if (op == MOUNT_NOEXEC) {
                 if (arg_debug)
                         printf("Mounting noexec %s\n", fname);
@@ -492,6 +501,10 @@ void fs_blacklist(void) {
                         ptr = entry->data + 10;
                         op = MOUNT_READONLY;
                 }                       
+                else if (strncmp(entry->data, "read-write ", 11) == 0) {
+                        ptr = entry->data + 11;
+                        op = MOUNT_RDWR;
+                }                       
                 else if (strncmp(entry->data, "noexec ", 7) == 0) {
                         ptr = entry->data + 7;
                         op = MOUNT_NOEXEC;
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) {
         }
 }
 
+static void fs_rdwr(const char *dir) {
+        assert(dir);
+        // check directory exists
+        struct stat s;
+        int rv = stat(dir, &s);
+        if (rv == 0) {
+                // if the file is outside /home directory, allow only root user
+                uid_t u = getuid();
+                if (u != 0 && s.st_uid != u) {
+                        fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+                        return;
+                }
+                
+                // mount --bind /bin /bin
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                // mount --bind -o remount,rw /bin
+                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                fs_logger2("read-write", dir);
+        }
+}
+
 void fs_noexec(const char *dir) {
         assert(dir);
         // check directory exists
@@ -757,9 +793,6 @@ void fs_basic_fs(void) {
         // firejail sandboxes (firejail --force)
         if (getuid() != 0)
                 disable_firejail_config();
-                
-        if (getuid() == 0)
-                fs_rdwr();
 }
 
 
diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c
index 68df6465f..e098be416 100644
--- a/src/firejail/fs_rdwr.c
+++ b/src/firejail/fs_rdwr.c
@@ -17,6 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#if 0
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
@@ -91,3 +92,5 @@ void fs_rdwr(void) {
         }
 }
 
+#endif
+
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 703b9913b..25063700c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1206,7 +1206,7 @@ int main(int argc, char **argv) {
                                 errExit("asprintf");
                         
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        // profile_add(line); is not necessary
+                        profile_add(line);
                 }
                 else if (strcmp(argv[i], "--overlay") == 0) {
                         if (cfg.chrootdir) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 40e2e4330..46ef0921d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -716,16 +716,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;               
         }
 
-        // read-write
-        if (strncmp(ptr, "read-write ", 11) == 0) {
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: read-write command is available only for root user\n");
-                        exit(1);
-                }
-                fs_rdwr_add(ptr + 11);
-                return 0;
-        }
-
         // rest of filesystem
         if (strncmp(ptr, "blacklist ", 10) == 0)
                 ptr += 10;
@@ -747,6 +737,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         else if (strncmp(ptr, "read-only ", 10) == 0)
                 ptr += 10;
+        else if (strncmp(ptr, "read-write ", 11) == 0)
+                ptr += 11;
         else if (strncmp(ptr, "noexec ", 7) == 0)
                 ptr += 7;
         else if (strncmp(ptr, "tmpfs ", 6) == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f7079200e..fed573e6c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1184,16 +1184,23 @@ A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted d
 should be made read-only independently. Making a parent directory read-only, will not
 make the whitelist read-only. Example:
 .br
+
+.br
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 
 .TP
 \fB\-\-read-write=dirname_or_filename
-By default, the sandbox mounts system directories read-only.
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
-Use this option to mount read-write files or directories inside the system directories.
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
+this operation. Example:
+.br
+
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
 
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
-cases the system directories are mounted read-write.
 
 .TP
 \fB\-\-rlimit-fsize=number