From 678cd1495457318dad39178bb646ba1b96332ddb Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 25 Jan 2016 14:58:27 -0500
Subject: --tmpfs allowd only as root user
---
 etc/disable-secret.inc | 1 -
 src/firejail/profile.c | 7 ++++++-
 src/firejail/usage.c | 3 ++-
 src/man/firejail-profile.txt | 2 +-
 src/man/firejail.txt | 4 ++--
 test/invalid_filename.exp | 14 --------------
 test/option_tmpfs.exp | 22 ++++++++++++++++++++--
 test/test-root.sh | 3 +++
 test/test.sh | 3 ---
 9 files changed, 34 insertions(+), 25 deletions(-)
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
index b09c2b0d4..7d29cda31 100644
--- a/etc/disable-secret.inc
+++ b/etc/disable-secret.inc
@@ -1,6 +1,5 @@
 # HOME directory
 blacklist ${HOME}/.ssh
-tmpfs ${HOME}/.gnome2_private
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2d7b07c6d..5a0e9b727 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -417,8 +417,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strncmp(ptr, "read-only ", 10) == 0)
 ptr += 10;
- else if (strncmp(ptr, "tmpfs ", 6) == 0)
+ else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+ exit(1);
+ }
 ptr += 6;
+ }
 else {
 if (lineno == 0)
 fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6a033b922..531eba379 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
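Review bot: The new root-only rejection in the `tmpfs` branch prints its error without saying where the directive came from, unlike the adjacent `else` branch that distinguishes `lineno == 0` (command line) from a profile line; a user whose custom or third-party profile still contains a `tmpfs` line (this commit itself had to drop one from etc/disable-secret.inc) gets a bare "Error: tmpfs available only when running the sandbox as root" with no file or line number. Suggest mirroring the neighbouring branch before the `exit(1)`: `if (lineno == 0) fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); else fprintf(stderr, "Error: line %d in %s: tmpfs available only when running the sandbox as root\n", lineno, fname);`, assuming fname is always set when lineno is non-zero as the existing branch presumably relies on. Testing `getuid()` (the real uid) rather than the effective uid is presumably deliberate for a setuid binary, since it is the invoking user who must be root, and a one-line comment such as `// real uid: the invoking user, not the setuid effective id` would make that intent explicit. profile_check_line continues on both sides of this hunk.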
@@ -291,7 +291,8 @@ void usage(void) {
 printf("\t--shell=program - set default user shell.\n\n");
 printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n");
 printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n");
- printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
+ printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
+ printf("\t\tThis option is available only when running the sandbox as root.\n\n");
 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
 printf("\t--trace - trace open, access and connect system calls.\n\n");
 printf("\t--tracelog - add a syslog message for every access to files or\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e91c5c089..2f17c3088 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -126,7 +126,7 @@ blacklist ${HOME}/.ssh
 Make directory or file read-only.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory.
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ef65530db..43572bb4b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1348,13 +1348,13 @@ $ firejail \-\-list
 $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
-Mount a tmpfs filesystem on directory dirname.
+Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
 .br
 .br
 Example:
 .br
-$ firejail \-\-tmpfs=/var
+# firejail \-\-tmpfs=/var
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp
index e496e4aaf..26563aa43 100755
--- a/test/invalid_filename.exp
+++ b/test/invalid_filename.exp
@@ -200,20 +200,6 @@ expect {
 }
 after 100
-send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
-expect {
- timeout {puts "TESTING ERROR 13.1\n";exit}
- "Checking filename bla&&bla"
-}
-expect {
- timeout {puts "TESTING ERROR 13.2\n";exit}
- "Error:"
-}
-expect {
- timeout {puts "TESTING ERROR 13.3\n";exit}
- "is an invalid filename"
-}
-after 100
 send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r"
 expect {
diff --git a/test/option_tmpfs.exp b/test/option_tmpfs.exp
index 1ff47ab13..6522ef2d3 100755
--- a/test/option_tmpfs.exp
+++ b/test/option_tmpfs.exp
@@ -18,9 +18,27 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
- "home"
+ "/root"
 }
 sleep 1
+send -- "exit\r"
+sleep 2
-puts "\n"
+send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 13.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 13.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 13.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+
+puts "\nalldone\n"
diff --git a/test/test-root.sh b/test/test-root.sh
index ac6b2ef00..66096f33a 100755
--- a/test/test-root.sh
+++ b/test/test-root.sh
@@ -2,6 +2,9 @@
 ./chk_config.exp
+echo "TESTING: tmpfs"
+./option_tmpfs.exp
+
 echo "TESTING: network interfaces"
 ./net_interface.exp
diff --git a/test/test.sh b/test/test.sh
index 98addc38a..985b43af0 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -110,9 +110,6 @@ echo "TESTING: firejail in firejail - force new sandbox"
 echo "TESTING: chroot overlay"
 ./option_chroot_overlay.exp
-echo "TESTING: tmpfs"
-./option_tmpfs.exp
-
 echo "TESTING: blacklist directory"
 ./option_blacklist.exp
--
cgit v1.2.3-54-g00ecf
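Review bot: Moving the tmpfs checks into option_tmpfs.exp under the root suite leaves the non-root path of the new behaviour untested: nothing in test.sh now asserts that an unprivileged `firejail --tmpfs=...` (or a profile `tmpfs` line) is rejected with "Error: tmpfs available only when running the sandbox as root", which is exactly what this commit introduces. A short negative test in the non-root suite that sends the option and expects that error string would pin the check against regressions. The changed `"/root"` expectation also means the script only passes when run as root, which is fine from test-root.sh but turns an accidental run as an ordinary user into a confusing timeout; a comment at the top of the script such as `# root only: run from test-root.sh` would document that.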