From 3a8649e37789151f235c5f01e846b7228bac402b Mon Sep 17 00:00:00 2001 From: root Date: Tue, 26 Jan 2016 08:38:54 -0500 Subject: --private-tmp --- RELNOTES | 7 ++++--- etc/server.profile | 1 + src/firejail/firejail.h | 2 ++ src/firejail/fs.c | 7 +++++++ src/firejail/main.c | 10 ++++++---- src/firejail/profile.c | 4 ++++ src/firejail/sandbox.c | 2 ++ src/firejail/usage.c | 2 ++ src/man/firejail-profile.txt | 9 ++++++--- src/man/firejail.txt | 11 +++++++++++ 10 files changed, 45 insertions(+), 10 deletions(-) diff --git a/RELNOTES b/RELNOTES index 459fdd37b..d8d03b912 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,11 +1,12 @@ firejail (0.9.37) baseline; urgency=low * IPv6 support (--ip6 and --netfilter6) * --join command enhancement (--join-network, --join-filesystem) - * --user command - * --disable-network and --disable-userns compile time flags + * added --user command + * added --disable-network and --disable-userns compile time flags * symlink invocation * added KMail, Seamonkey, Telegram profiles - * --tmpfs option allowd only running as root + * --tmpfs option allowed only running as root + * added --private-tmp option * bugfixes -- netblue30 Sun, 24 Jan 2016 20:00:00 -0500 diff --git a/etc/server.profile b/etc/server.profile index 5b706df9a..5471aed91 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -5,5 +5,6 @@ noblacklist /usr/sbin include /etc/firejail/disable-mgmt.inc private private-dev +private-tmp seccomp diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a2afd4a8d..2f40b4d86 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -224,6 +224,7 @@ extern int arg_shell_none; // run the program directly without a shell extern int arg_private_dev; // private dev directory extern int arg_private_etc; // private etc directory extern int arg_private_bin; // private bin directory +extern int arg_private_tmp; // private tmp directory extern int arg_scan; // arp-scan all interfaces extern int arg_whitelist; // whitelist commad extern int arg_nosound; // disable sound @@ -288,6 +289,7 @@ void fs_overlayfs(void); // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf void fs_chroot(const char *rootdir); int fs_check_chroot_dir(const char *rootdir); +void fs_private_tmp(void); // profile.c // find and read the profile specified by name from dir directory diff --git a/src/firejail/fs.c b/src/firejail/fs.c index cad101bf9..b0add91e2 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -959,4 +959,11 @@ void fs_chroot(const char *rootdir) { } #endif +void fs_private_tmp(void) { + // mount tmpfs on top of /run/firejail/mnt + if (arg_debug) + printf("Mounting tmpfs on /tmp directory\n"); + if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) + errExit("mounting /tmp/firejail/mnt"); +} diff --git a/src/firejail/main.c b/src/firejail/main.c index 2fda8f1ab..21e6e4975 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -85,6 +85,7 @@ int arg_shell_none = 0; // run the program directly without a shell int arg_private_dev = 0; // private dev directory int arg_private_etc = 0; // private etc directory int arg_private_bin = 0; // private bin directory +int arg_private_tmp = 0; // private tmp directory int arg_scan = 0; // arp-scan all interfaces int arg_whitelist = 0; // whitelist commad int arg_nosound = 0; // disable sound 
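Review bot: The tmpfs that fs_private_tmp() mounts over /tmp is created with `mode=777`, i.e. world-writable without the sticky bit, whereas a normal /tmp is 1777; without the sticky bit any uid that can write the directory can unlink or rename files created by another uid, which matters if a sandbox ever runs more than one uid (server.profile, which enables this option in the same commit, is a plausible case, though I can't tell from here). `MS_NODEV` is also missing from the flags, so device nodes could be created on the new /tmp if the sandbox keeps CAP_MKNOD, while `MS_REC` appears to have no effect on a freshly created tmpfs. The comment "mount tmpfs on top of /run/firejail/mnt" and the error string "mounting /tmp/firejail/mnt" look copy-pasted from another function and would mislead anyone reading a failure log. I would change the three lines to `// mount an empty tmpfs on top of /tmp`, `if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=1777,gid=0") < 0)` and `errExit("mounting /tmp");`.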
@@ -922,7 +923,7 @@ int main(int argc, char **argv) { arg_private_dev = 1; } else if (strncmp(argv[i], "--private-etc=", 14) == 0) { - // extract private etc dirname + // extract private etc list cfg.etc_private_keep = argv[i] + 14; if (*cfg.etc_private_keep == '\0') { fprintf(stderr, "Error: invalid private-etc option\n"); @@ -937,7 +938,7 @@ int main(int argc, char **argv) { } } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { - // extract private etc dirname + // extract private bin list cfg.bin_private_keep = argv[i] + 14; if (*cfg.bin_private_keep == '\0') { fprintf(stderr, "Error: invalid private-bin option\n"); @@ -946,8 +947,9 @@ int main(int argc, char **argv) { fs_check_bin_list(); arg_private_bin = 1; } - - + else if (strcmp(argv[i], "--private-tmp") == 0) { + arg_private_tmp = 1; + } //************************************* // hostname, etc diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5a0e9b727..76adbb934 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -143,6 +143,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private_dev = 1; return 0; } + else if (strcmp(ptr, "private-tmp") == 0) { + arg_private_tmp = 1; + return 0; + } else if (strcmp(ptr, "nogroups") == 0) { arg_nogroups = 1; return 0; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ddf6f785d..02ff7737f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -426,6 +426,8 @@ int sandbox(void* sandbox_arg) { } if (arg_private_bin) fs_private_bin_list(); + if (arg_private_tmp) + fs_private_tmp(); //**************************** // apply the profile file diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 531eba379..5021025e8 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
@@ -230,6 +230,8 @@ void usage(void) { printf("\t\tfilesystem, and copy the files and directories in the list.\n"); printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); + printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n"); + printf("\t--profile=filename - use a custom profile.\n\n"); printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 2f17c3088..90c59d753 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -139,13 +139,13 @@ Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed. .TP +\fBprivate directory +Use directory as user home. +.TP \fBprivate-bin file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. .TP -\fBprivate directory -Use directory as user home. -.TP \fBprivate-home file,directory Build a new user home in a temporary filesystem, and copy the files and directories in the list in the @@ -160,6 +160,9 @@ Build a new /etc in a temporary filesystem, and copy the files and directories in the list. All modifications are discarded when the sandbox is closed. .TP +\fBprivate-tmp +Mount an empty temporary filesystem on top of /tmp directory. +.TP \fBwhitelist file_or_directory Build a new user home in a temporary filesystem, and mount-bind file_or_directory. The modifications to file_or_directory are persistent, everything else is discarded diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 43572bb4b..877ee0ce5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
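Review bot: The new help line "--private-tmp - mount a tmpfs on top of /tmp directory" omits the consequences that the neighbouring private-* entries spell out (the preceding --private-etc text ends with "All modifications are discarded when the sandbox is closed."), and it does not say that the mount is empty, so the sandbox loses everything the host keeps in /tmp. Users enabling a security option need both facts to judge what it hides, and the man page text in the same commit already says "empty". I would make the usage line `"\t--private-tmp - mount an empty tmpfs on top of /tmp directory; the host's\n"` followed by `"\t\t/tmp contents are hidden and all modifications are discarded when the sandbox is closed.\n\n"`.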
@@ -1004,6 +1004,17 @@ Example: $ firejail --private-etc=group,hostname,localtime, \\ .br nsswitch.conf,passwd,resolv.conf + +.TP +\fB\-\-private-tmp +Mount an empty temporary filesystem on top of /tmp directory. +.br + +.br +Example: +.br +$ firejail \-\-private-tmp + .TP \fB\-\-profile=filename Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. -- cgit v1.2.3-54-g00ecf