Diffstat (limited to 'src')
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 |
6 files changed, 24 insertions, 3 deletions
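--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -24,6 +24,7 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -33,7 +34,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread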
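--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -351,6 +351,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- private-cache and tmpfs as user %s\n",
+#ifdef HAVE_USERTMPFS
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
 "enabled"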
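--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 else if (op == MOUNT_TMPFS) {
 if (S_ISDIR(s.st_mode)) {
-fs_tmpfs(fname, 0);
+fs_tmpfs(fname, getuid());
 last_disable = SUCCESSFUL;
 }
 else
@@ -451,7 +451,7 @@ void fs_blacklist(void) {
 void fs_tmpfs(const char *dir, unsigned check_owner) {
 assert(dir);
 if (arg_debug)
-printf("Mounting tmpfs on %s\n", dir);
+printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
 // get a file descriptor for dir, fails if there is any symlink
 int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 if (fd == -1)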
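Review bot: In `disable_file`, the new call `fs_tmpfs(fname, getuid())` passes a uid into a parameter named `check_owner`, which the new debug line in `fs_tmpfs` treats as a yes/no flag. This works only because root is uid 0, so the intent (apparently: skip the ownership check for root alone) is left implicit. `fs_tmpfs(fname, getuid() != 0);` would state it directly, and a short comment at the call site should say why root is exempt. How `check_owner` is consumed is not visible, since the body of `fs_tmpfs` continues past the hunk, so confirm it is only ever tested for truthiness.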
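--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2000,12 +2000,14 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--private-tmp") == 0) {
 arg_private_tmp = 1;
 }
+#ifdef HAVE_USERTMPFS
 else if (strcmp(argv[i], "--private-cache") == 0) {
 if (checkcfg(CFG_PRIVATE_CACHE))
 arg_private_cache = 1;
 else
 exit_err_feature("private-cache");
 }
+#endif
 else if (strcmp(argv[i], "--private-cwd") == 0) {
 cfg.cwd = NULL;
 arg_private_cwd = 1;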
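Review bot: With the `--private-cache` branch compiled out, a build without HAVE_USERTMPFS no longer recognises the option at all. What the user then sees depends on the tail of the else-if chain, which is outside this hunk and is presumably a generic invalid-option error. Consider failing explicitly by adding, before the `#endif`, `#else` / `else if (strcmp(argv[i], "--private-cache") == 0)` / `exit_err_feature("private-cache");`, so the refusal names the feature just as it does when `checkcfg(CFG_PRIVATE_CACHE)` is off. The enclosing `main` starts and ends outside the hunk.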
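--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -383,10 +383,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "private-cache") == 0) {
+#ifdef HAVE_USERTMPFS
 if (checkcfg(CFG_PRIVATE_CACHE))
 arg_private_cache = 1;
 else
 warning_feature_disabled("private-cache");
+#endif
 return 0;
 }
 else if (strcmp(ptr, "private-dev") == 0) {
@@ -1570,6 +1572,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 else if (strncmp(ptr, "noexec ", 7) == 0)
 ptr += 7;
 else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+#ifndef HAVE_USERTMPFS
+if (getuid() != 0) {
+fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+exit(1);
+}
+#endif
 ptr += 6;
 }
 else {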
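Review bot: In the first hunk, a build without HAVE_USERTMPFS accepts a `private-cache` profile line and returns 0 without any message, so the sandbox starts without the cache isolation the profile asked for and nothing tells the user. Add an `#else` arm that reports it, `#else` / `warning_feature_disabled("private-cache");`, matching what the runtime-config path in the same branch already does. The second hunk takes the opposite approach and exits on a `tmpfs` line for non-root users. A comment there should explain why one directive is dropped and the other is fatal. `profile_check_line` extends beyond both hunks.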
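--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -921,6 +921,7 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
+#ifdef HAVE_USERTMPFS
 if (arg_private_cache) {
 if (cfg.chrootdir)
 fwarning("private-cache feature is disabled in chroot\n");
@@ -929,6 +930,7 @@ int sandbox(void* sandbox_arg) {
 else
 fs_private_cache();
 }
+#endif
 
 if (arg_private_tmp) {
 // private-tmp is implemented as a whitelist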