From 435d739d961cc71406db8114d3040999d096d2fa Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Mon, 21 Jun 2021 01:26:17 +0200
Subject: tmpfs option enhancements

* downgrade error to warning, smiliar to read-write option; this simplifies use of tmpfs option in general purpose profiles, for example we don't need to worry about links people put in their homedir
* update manpage
---
 src/firejail/fs.c | 33 ++++++++++++++++++++-------------
 src/man/firejail-profile.txt | 2 +-
 src/man/firejail.txt | 5 ++---
 3 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e57038ee0..4ae7dbfa4 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -171,21 +171,28 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_remount_rec(fname, op);
 }
 else if (op == MOUNT_TMPFS) {
-if (S_ISDIR(s.st_mode)) {
-if (getuid()) {
-if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-fname[strlen(cfg.homedir)] != '/') {
-fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode)) {
+fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+free(fname);
+return;
+}
+
+uid_t uid = getuid();
+if (uid != 0) {
+// only user owned directories in user home
+if (s.st_uid != uid ||
+strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+fname[strlen(cfg.homedir)] != '/') {
+fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+free(fname);
+return;
 }
-// fs_tmpfs returns with EUID 0
-fs_tmpfs(fname, getuid());
-selinux_relabel_path(fname, fname);
-EUID_USER();
 }
-else
-fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+fs_tmpfs(fname, uid);
+EUID_USER(); // fs_tmpfs returns with EUID 0
+
+selinux_relabel_path(fname, fname);
 }
 else
 assert(0);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6f3bef7f2..db58e0910 100644
--- a/src/man/firejail-profile.txt
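Review bot: The ownership and $HOME-prefix check is evaluated against `s`, a stat result populated before this hunk, but `fs_tmpfs(fname, uid)` mounts by path afterwards with EUID 0, so if the user can swap a path component between the stat and the mount the restriction is presumably raceable (TOCTOU). Whether that window is real depends on how fname is resolved earlier in disable_file, which is outside the hunk; if it is, validating and mounting through the same descriptor (an O_PATH fd that is fstat'ed here and handed to the mount via /proc/self/fd) rather than the path would close it. The rejected non-root case now only calls fwarning() and returns, so a profile that relies on the tmpfs to hide data continues without it; that is the intended downgrade, but the comment on the condition should say so. The condition also rejects $HOME itself (fname[len] is '\0', not '/') and computes `strlen(cfg.homedir)` twice; a comment such as `// non-root: only directories strictly below $HOME that the caller owns; a failed check skips the tmpfs with a warning` would document both intents. disable_file starts and ends outside this hunk.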
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3212a88e4..4a2e520c5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2566,14 +2566,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
-- 
cgit v1.2.3-54-g00ecf