From 22414adf2a79b08a77bacbc002fb6ebb126d5b32 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 10 Mar 2017 10:17:00 -0500 Subject: allow tmpfs for regular users for files in home directory --- RELNOTES | 1 + src/firejail/profile.c | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index 28bb6c307..87c1a462e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -34,6 +34,7 @@ firejail (0.9.45) baseline; urgency=low * feature: allow /tmp directory in mkdir and mkfile profile commands * feature: implemented --noblacklist command, profile support * feature: config support to disable access to /mnt and /media (disable-mnt) + * feature: allow tmpfs for regular users for files in home directory * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c4feadad0..d5d62e929 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -970,8 +970,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { ptr += 7; else if (strncmp(ptr, "tmpfs ", 6) == 0) { if (getuid() != 0) { - fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); - exit(1); + // allow a non-root user to mount tmpfs in user home directory, links are not allowed + invalid_filename(ptr + 6); + char *newfname = expand_home(ptr + 6, cfg.homedir); + assert(newfname); + if (is_link(newfname)) { + fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n"); + exit(1); + } + if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) { + fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n"); + exit(1); + } + free(newfname); } ptr += 6; } -- cgit v1.2.3-70-g09d2