From 6cddc32564529573ddc3057fd8aefce1e0ae23a2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 7 Mar 2017 15:43:55 -0500 Subject: allow /tmp in mkdir and mkfile profile commands --- RELNOTES | 2 ++ src/firejail/fs_mkdir.c | 12 ++++++++---- src/man/firejail-profile.txt | 6 +++--- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/RELNOTES b/RELNOTES index 471b8c6cb..4651449eb 100644 --- a/RELNOTES +++ b/RELNOTES @@ -31,7 +31,9 @@ firejail (0.9.45) baseline; urgency=low * feature: added a number o Python scripts for handling sandboxes * feature: allow local customization using .local files under /etc/firejail * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config + * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config * feature: xvfb X11 server support (--x11=xvfb) + * feature: allow /tmp directory in mkdir and mkfile profile commands * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index a0bda7443..35d043dde 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -57,12 +57,15 @@ static void mkdir_recursive(char *path) { void fs_mkdir(const char *name) { EUID_ASSERT(); +printf("****************************\n"); + // check directory name invalid_filename(name); char *expanded = expand_home(name, cfg.homedir); - if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) { - fprintf(stderr, "Error: only directories in user home are supported by mkdir\n"); + if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && + strncmp(expanded, "/tmp", 4) != 0) { + fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n"); exit(1); } @@ -100,8 +103,9 @@ void fs_mkfile(const char *name) { // check file name invalid_filename(name); char *expanded = expand_home(name, cfg.homedir); - if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) { - fprintf(stderr, "Error: only files in user home are supported by mkfile\n"); + if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && + strncmp(expanded, "/tmp", 4) != 0) { + fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n"); exit(1); } diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d60d48072..cf2398ad4 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -156,7 +156,7 @@ Mount-bind directory1 on top of directory2. This option is only available when r Mount-bind file1 on top of file2. This option is only available when running as root. .TP \fBmkdir directory -Create a directory in user home before the sandbox is started. +Create a directory in user home or under /tmp before the sandbox is started. The directory is created if it doesn't already exist. .br @@ -177,8 +177,8 @@ mkdir ~/.cache/mozilla/firefox whitelist ~/.cache/mozilla/firefox .TP \fBmkfile file -Similar to mkdir, this command creates a file in user home before the sandbox is started. -The file is created if it doesn't already exist, but it's target directory has to exist. +Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started. +The file is created if it doesn't already exist. .TP \fBnoexec file_or_directory Remount the file or the directory noexec, nodev and nosuid. -- cgit v1.2.3-70-g09d2