Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 9 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
7 files changed, 30 insertions, 3 deletions
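--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -366,6 +366,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_writable_var; // writable var
+extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage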
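--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -704,7 +704,8 @@ void fs_basic_fs(void) {
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 fs_var_lock();
-fs_var_tmp();
+if (!arg_keep_var_tmp)
+fs_var_tmp();
 if (!arg_writable_var_log)
 fs_var_log();
 else
@@ -1015,7 +1016,8 @@ void fs_overlayfs(void) {
 // if (!arg_private_dev)
 // fs_dev_shm();
 fs_var_lock();
-fs_var_tmp();
+if (!arg_keep_var_tmp)
+fs_var_tmp();
 if (!arg_writable_var_log)
 fs_var_log();
 else
@@ -1258,7 +1260,8 @@ void fs_chroot(const char *rootdir) {
 // if (!arg_private_dev)
 // fs_dev_shm();
 fs_var_lock();
-fs_var_tmp();
+if (!arg_keep_var_tmp)
+fs_var_tmp();
 if (!arg_writable_var_log)
 fs_var_log();
 else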
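Review bot: The same three-line guard is now copied into fs_basic_fs, fs_overlayfs and fs_chroot, and none of the three copies says why a sandbox would ever want to skip this step; putting the check inside fs_var_tmp (or a static wrapper the three callers share) keeps the paths from drifting when the next /var option is added. At minimum each site deserves a why-comment, e.g. `// --keep-var-tmp: leave the host's /var/tmp as-is instead of replacing it (presumably weaker isolation — confirm what fs_var_tmp mounts)`, since what fs_var_tmp does is not visible in this hunk. All three enclosing functions start and end outside the hunk.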
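--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -104,6 +104,7 @@ int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
 int arg_writable_var = 0; // writable var
+int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
@@ -1537,6 +1538,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
+else if (strcmp(argv[1], "--keep-var-tmp") == 0) {
+arg_keep_var_tmp = 1;
+}
 else if (strcmp(argv[i], "--writable-run-user") == 0) {
 arg_writable_run_user = 1;
 }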
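Review bot: The new branch in the option loop compares `argv[1]` where every neighbouring branch compares `argv[i]`, so `--keep-var-tmp` is only recognised when it is the very first argument, and when it is first this branch matches on every later iteration and silently swallows any option that is parsed further down the else-if chain instead of that option taking effect. For a sandbox that is a hardening option being dropped without any error, so the fix should be `else if (strcmp(argv[i], "--keep-var-tmp") == 0) {`. The body of main continues outside the hunk, so I cannot see which options sit after this branch, but the pattern of the surrounding code makes the misindex clear.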
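--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -738,6 +738,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_writable_var = 1;
 return 0;
 }
+// don't overwrite /var/tmp
+if (strcmp(ptr, "keep-var-tmp") == 0) {
+arg_keep_var_tmp = 1;
+return 0;
+}
 // writable-run-user
 if (strcmp(ptr, "writable-run-user") == 0) {
 arg_writable_run_user = 1;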
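--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -221,6 +221,7 @@ static char *usage_str =
 " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
 "\t/run/user/$UID/gnupg.\n"
 " --writable-var - /var directory is mounted read-write.\n"
+" --keep-var-tmp - /var/tmp directory is untouched.\n"
 " --writable-var-log - use the real /var/log directory, not a clone.\n"
 #ifdef HAVE_X11
 " --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"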
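Review bot: The help text "/var/tmp directory is untouched" tells the user what the option does but not what it costs, and the neighbouring --writable-var-log entry sets the precedent of saying which real directory is exposed. Since the header comment in this commit describes the default as overwriting /var/tmp, the new entry should make the trade-off visible, e.g. `" --keep-var-tmp - /var/tmp directory is untouched (the real /var/tmp stays visible to the sandbox).\n"`, with the same wording carried into the two man pages. I am inferring the default from the `don't overwrite /var/tmp` comment rather than from fs_var_tmp itself, which is not in this commit.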
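--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -280,6 +280,9 @@ Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnu
 \fBwritable-var
 Mount /var directory read-write.
 .TP
+\fBkeep-var-tmp
+/var/tmp directory is untouched.
+.TP
 \fBwritable-var-log
 Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
 directory, and a skeleton filesystem is created based on the original /var/log.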
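--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,16 @@ Example:
 $ sudo firejail --writable-var
 
 .TP
+\fB\-\-keep-var-tmp
+/var/tmp directory is untouched.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --keep-var-tmp
+
+.TP
 \fB\-\-writable-var-log
 Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
 directory, and a skeleton filesystem is created based on the original /var/log.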