From be5044ba408f46790c28d1f5ad4b6251a0a69234 Mon Sep 17 00:00:00 2001 From: Chiraag Nataraj Date: Tue, 1 May 2018 23:29:13 -0400 Subject: Add --keep-var-tmp and associated profile option --- src/firejail/firejail.h | 1 + src/firejail/fs.c | 9 ++++++--- src/firejail/main.c | 4 ++++ src/firejail/profile.c | 5 +++++ src/firejail/usage.c | 1 + src/man/firejail-profile.txt | 3 +++ src/man/firejail.txt | 10 ++++++++++ 7 files changed, 30 insertions(+), 3 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 14f87c36c..84f535575 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -366,6 +366,7 @@ extern int arg_nice; // nice value configured extern int arg_ipc; // enable ipc namespace extern int arg_writable_etc; // writable etc extern int arg_writable_var; // writable var +extern int arg_keep_var_tmp; // don't overwrite /var/tmp extern int arg_writable_run_user; // writable /run/user extern int arg_writable_var_log; // writable /var/log extern int arg_appimage; // appimage diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c9158ebd5..88f92ad74 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -704,7 +704,8 @@ void fs_basic_fs(void) { // update /var directory in order to support multiple sandboxes running on the same root directory fs_var_lock(); - fs_var_tmp(); + if (!arg_keep_var_tmp) + fs_var_tmp(); if (!arg_writable_var_log) fs_var_log(); else @@ -1015,7 +1016,8 @@ void fs_overlayfs(void) { // if (!arg_private_dev) // fs_dev_shm(); fs_var_lock(); - fs_var_tmp(); + if (!arg_keep_var_tmp) + fs_var_tmp(); if (!arg_writable_var_log) fs_var_log(); else @@ -1258,7 +1260,8 @@ void fs_chroot(const char *rootdir) { // if (!arg_private_dev) // fs_dev_shm(); fs_var_lock(); - fs_var_tmp(); + if (!arg_keep_var_tmp) + fs_var_tmp(); if (!arg_writable_var_log) fs_var_log(); else diff --git a/src/firejail/main.c b/src/firejail/main.c index 9a013989a..2e47dd938 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
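Review bot: The guard `if (!arg_keep_var_tmp) fs_var_tmp();` is repeated verbatim in fs_basic_fs, fs_overlayfs and fs_chroot (this hunk and the two following fs.c hunks), so any future setup path that calls fs_var_tmp() without the check silently ignores the option. Moving the check to the top of fs_var_tmp() itself, `if (arg_keep_var_tmp) return;`, keeps one source of truth and lets the three call sites go back to a plain `fs_var_tmp();`. Whichever placement is kept, the skipped call deserves a why-comment such as `// --keep-var-tmp: leave the host's /var/tmp in place (not overwritten for the sandbox)`, since leaving /var/tmp as-is is presumably the isolation trade-off the user opts into and the bare conditional does not say so. All three enclosing functions start and end outside their hunks.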
@@ -104,6 +104,7 @@ int arg_nice = 0; // nice value configured int arg_ipc = 0; // enable ipc namespace int arg_writable_etc = 0; // writable etc int arg_writable_var = 0; // writable var +int arg_keep_var_tmp = 0; // don't overwrite /var/tmp int arg_writable_run_user = 0; // writable /run/user int arg_writable_var_log = 0; // writable /var/log int arg_appimage = 0; // appimage @@ -1537,6 +1538,9 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--writable-var") == 0) { arg_writable_var = 1; } + else if (strcmp(argv[1], "--keep-var-tmp") == 0) { + arg_keep_var_tmp = 1; + } else if (strcmp(argv[i], "--writable-run-user") == 0) { arg_writable_run_user = 1; } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 156ffa24a..7b59cd48c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -738,6 +738,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_writable_var = 1; return 0; } + // don't overwrite /var/tmp + if (strcmp(ptr, "keep-var-tmp") == 0) { + arg_keep_var_tmp = 1; + return 0; + } // writable-run-user if (strcmp(ptr, "writable-run-user") == 0) { arg_writable_run_user = 1; diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 742fc0465..be5eb3989 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -221,6 +221,7 @@ static char *usage_str = " --writable-run-user - allow access to /run/user/$UID/systemd and\n" "\t/run/user/$UID/gnupg.\n" " --writable-var - /var directory is mounted read-write.\n" + " --keep-var-tmp - /var/tmp directory is untouched.\n" " --writable-var-log - use the real /var/log directory, not a clone.\n" #ifdef HAVE_X11 " --x11 - enable X11 sandboxing. The software checks first if Xpra is\n" diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 0217e1353..c73f23b94 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
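Review bot: The new option test in main() compares `argv[1]` instead of `argv[i]`, unlike every neighbouring branch of the else-if chain, so `--keep-var-tmp` is only honoured when it is the first argument; conversely, when it is first, any later argument that falls through to this branch also matches and is consumed as a second `--keep-var-tmp` instead of being processed by the branches that follow. The line should read `else if (strcmp(argv[i], "--keep-var-tmp") == 0) {`. The profile keyword path in profile.c is unaffected, so only the command-line form shows the problem. The enclosing main() starts and ends outside the hunk.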
@@ -280,6 +280,9 @@ Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnu \fBwritable-var Mount /var directory read-write. .TP +\fBkeep-var-tmp +/var/tmp directory is untouched. +.TP \fBwritable-var-log Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log directory, and a skeleton filesystem is created based on the original /var/log. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d8fed1f31..87326a7bd 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -2128,6 +2128,16 @@ Example: .br $ sudo firejail --writable-var +.TP +\fB\-\-keep-var-tmp +/var/tmp directory is untouched. +.br + +.br +Example: +.br +$ sudo firejail --keep-var-tmp + .TP \fB\-\-writable-var-log Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log -- cgit v1.2.3-54-g00ecf From 3dfe93cd873f0467e7ee910f5e4463d757c9a718 Mon Sep 17 00:00:00 2001 From: Chiraag Nataraj Date: Thu, 3 May 2018 08:54:44 -0400 Subject: Moved documentation to conform with alphabetical ordering --- src/firejail/usage.c | 2 +- src/man/firejail-profile.txt | 6 +++--- src/man/firejail.txt | 20 ++++++++++---------- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index be5eb3989..88614298e 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -94,6 +94,7 @@ static char *usage_str = " --join-network=name|pid - join the network namespace.\n" #endif " --join-or-start=name|pid - join the sandbox or start a new one.\n" + " --keep-var-tmp - /var/tmp directory is untouched.\n" " --list - list all sandboxes.\n" #ifdef HAVE_FILE_TRANSFER " --ls=name|pid dir_or_filename - list files in sandbox container.\n" 
@@ -221,7 +222,6 @@ static char *usage_str = " --writable-run-user - allow access to /run/user/$UID/systemd and\n" "\t/run/user/$UID/gnupg.\n" " --writable-var - /var directory is mounted read-write.\n" - " --keep-var-tmp - /var/tmp directory is untouched.\n" " --writable-var-log - use the real /var/log directory, not a clone.\n" #ifdef HAVE_X11 " --x11 - enable X11 sandboxing. The software checks first if Xpra is\n" diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c73f23b94..f136be510 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -164,6 +164,9 @@ Mount-bind file1 on top of file2. This option is only available when running as \fBdisable-mnt Disable /mnt, /media, /run/mount and /run/media access. .TP +\fBkeep-var-tmp +/var/tmp directory is untouched. +.TP \fBmkdir directory Create a directory in user home or under /tmp before the sandbox is started. The directory is created if it doesn't already exist. @@ -280,9 +283,6 @@ Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnu \fBwritable-var Mount /var directory read-write. .TP -\fBkeep-var-tmp -/var/tmp directory is untouched. -.TP \fBwritable-var-log Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log directory, and a skeleton filesystem is created based on the original /var/log. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 87326a7bd..af9fe4b90 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -677,6 +677,16 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise .br Note that in contrary to other join options there is respective profile option. +.TP +\fB\-\-keep-var-tmp +/var/tmp directory is untouched. +.br + +.br +Example: +.br +$ firejail --keep-var-tmp + .TP \fB\-\-ls=name|pid dir_or_filename List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. 
@@ -2128,16 +2138,6 @@ Example: .br $ sudo firejail --writable-var -.TP -\fB\-\-keep-var-tmp -/var/tmp directory is untouched. -.br - -.br -Example: -.br -$ sudo firejail --keep-var-tmp - .TP \fB\-\-writable-var-log Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log -- cgit v1.2.3-54-g00ecf