diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 11 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 11 |
8 files changed, 35 insertions, 14 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6dc28b9bb..68e93e16e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -175,15 +175,6 @@ int checkcfg(int val) { | |||
175 | else | 175 | else |
176 | goto errout; | 176 | goto errout; |
177 | } | 177 | } |
178 | // private-cache | ||
179 | else if (strncmp(ptr, "private-cache ", 14) == 0) { | ||
180 | if (strcmp(ptr + 14, "yes") == 0) | ||
181 | cfg_val[CFG_PRIVATE_CACHE] = 1; | ||
182 | else if (strcmp(ptr + 14, "no") == 0) | ||
183 | cfg_val[CFG_PRIVATE_CACHE] = 0; | ||
184 | else | ||
185 | goto errout; | ||
186 | } | ||
187 | // seccomp | 178 | // seccomp |
188 | else if (strncmp(ptr, "seccomp ", 8) == 0) { | 179 | else if (strncmp(ptr, "seccomp ", 8) == 0) { |
189 | if (strcmp(ptr + 8, "yes") == 0) | 180 | if (strcmp(ptr + 8, "yes") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 3e05591b8..92a18af25 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -308,6 +308,7 @@ static inline int any_interface_configured(void) { | |||
308 | 308 | ||
309 | extern int arg_private; // mount private /home | 309 | extern int arg_private; // mount private /home |
310 | extern int arg_private_template; // private /home template | 310 | extern int arg_private_template; // private /home template |
311 | extern int arg_private_cache; // private home/.cache | ||
311 | extern int arg_debug; // print debug messages | 312 | extern int arg_debug; // print debug messages |
312 | extern int arg_debug_blacklists; // print debug messages for blacklists | 313 | extern int arg_debug_blacklists; // print debug messages for blacklists |
313 | extern int arg_debug_whitelists; // print debug messages for whitelists | 314 | extern int arg_debug_whitelists; // print debug messages for whitelists |
@@ -753,7 +754,6 @@ enum { | |||
753 | CFG_PRIVATE_LIB, | 754 | CFG_PRIVATE_LIB, |
754 | CFG_APPARMOR, | 755 | CFG_APPARMOR, |
755 | CFG_DBUS, | 756 | CFG_DBUS, |
756 | CFG_PRIVATE_CACHE, | ||
757 | CFG_MAX // this should always be the last entry | 757 | CFG_MAX // this should always be the last entry |
758 | }; | 758 | }; |
759 | extern char *xephyr_screen; | 759 | extern char *xephyr_screen; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 68b09dcbd..0e104699f 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1353,8 +1353,10 @@ void fs_private_cache(void) { | |||
1353 | fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); | 1353 | fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); |
1354 | return; | 1354 | return; |
1355 | } | 1355 | } |
1356 | if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) | 1356 | if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) { |
1357 | fwarning("no user .cache directory found, tmpfs not mounted\n"); | ||
1357 | return; | 1358 | return; |
1359 | } | ||
1358 | if (s.st_uid != getuid()) { | 1360 | if (s.st_uid != getuid()) { |
1359 | fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); | 1361 | fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); |
1360 | return; | 1362 | return; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9babb72de..6aebd9ab2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -46,6 +46,7 @@ static char child_stack[STACK_SIZE]; // space for child's stack | |||
46 | Config cfg; // configuration | 46 | Config cfg; // configuration |
47 | int arg_private = 0; // mount private /home and /tmp directoryu | 47 | int arg_private = 0; // mount private /home and /tmp directoryu |
48 | int arg_private_template = 0; // mount private /home using a template | 48 | int arg_private_template = 0; // mount private /home using a template |
49 | int arg_private_cache = 0; // mount private home/.cache | ||
49 | int arg_debug = 0; // print debug messages | 50 | int arg_debug = 0; // print debug messages |
50 | int arg_debug_blacklists = 0; // print debug messages for blacklists | 51 | int arg_debug_blacklists = 0; // print debug messages for blacklists |
51 | int arg_debug_whitelists = 0; // print debug messages for whitelists | 52 | int arg_debug_whitelists = 0; // print debug messages for whitelists |
@@ -1681,6 +1682,9 @@ int main(int argc, char **argv) { | |||
1681 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 1682 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
1682 | arg_private_tmp = 1; | 1683 | arg_private_tmp = 1; |
1683 | } | 1684 | } |
1685 | else if (strcmp(argv[i], "--private-cache") == 0) { | ||
1686 | arg_private_cache = 1; | ||
1687 | } | ||
1684 | 1688 | ||
1685 | //************************************* | 1689 | //************************************* |
1686 | // hostname, etc | 1690 | // hostname, etc |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 88d27f09f..22db6f5fb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -217,6 +217,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
217 | arg_allusers = 1; | 217 | arg_allusers = 1; |
218 | return 0; | 218 | return 0; |
219 | } | 219 | } |
220 | else if (strcmp(ptr, "private-cache") == 0) { | ||
221 | arg_private_cache = 1; | ||
222 | return 0; | ||
223 | } | ||
220 | else if (strcmp(ptr, "private-dev") == 0) { | 224 | else if (strcmp(ptr, "private-dev") == 0) { |
221 | arg_private_dev = 1; | 225 | arg_private_dev = 1; |
222 | return 0; | 226 | return 0; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a1400db34..7922da9b9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -833,9 +833,14 @@ int sandbox(void* sandbox_arg) { | |||
833 | } | 833 | } |
834 | } | 834 | } |
835 | 835 | ||
836 | // private cache directory by default | 836 | if (arg_private_cache) { |
837 | if (checkcfg(CFG_PRIVATE_CACHE)) | 837 | if (cfg.chrootdir) |
838 | fs_private_cache(); | 838 | fwarning("private-cache feature is disabled in chroot\n"); |
839 | else if (arg_overlay) | ||
840 | fwarning("private-cache feature is disabled in overlay\n"); | ||
841 | else | ||
842 | fs_private_cache(); | ||
843 | } | ||
839 | 844 | ||
840 | if (arg_private_tmp) { | 845 | if (arg_private_tmp) { |
841 | // private-tmp is implemented as a whitelist | 846 | // private-tmp is implemented as a whitelist |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c32fdf8f4..851eb1026 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -221,6 +221,10 @@ filesystem, and copy the files and directories in the list in the | |||
221 | new home. All modifications are discarded when the sandbox is | 221 | new home. All modifications are discarded when the sandbox is |
222 | closed. | 222 | closed. |
223 | .TP | 223 | .TP |
224 | \fBprivate-cache | ||
225 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | ||
226 | modifications are discarded when the sandbox is closed. | ||
227 | .TP | ||
224 | \fBprivate-bin file,file | 228 | \fBprivate-bin file,file |
225 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 229 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
226 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 230 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 760249e70..d527c05d8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1322,6 +1322,17 @@ Example: | |||
1322 | $ firejail \-\-private-home=.mozilla firefox | 1322 | $ firejail \-\-private-home=.mozilla firefox |
1323 | 1323 | ||
1324 | .TP | 1324 | .TP |
1325 | \fB\-\-private-cache | ||
1326 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | ||
1327 | modifications are discarded when the sandbox is closed. | ||
1328 | .br | ||
1329 | |||
1330 | .br | ||
1331 | Example: | ||
1332 | .br | ||
1333 | $ firejail \-\-private-cache openbox | ||
1334 | |||
1335 | .TP | ||
1325 | \fB\-\-private-bin=file,file | 1336 | \fB\-\-private-bin=file,file |
1326 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 1337 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
1327 | If no listed file is found, /bin directory will be empty. | 1338 | If no listed file is found, /bin directory will be empty. |