From da53c4ebf0b7f5c6d07cb14dd7ec3ff3910fe180 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 20 Nov 2020 20:04:20 +0100
Subject: reimplement --private-cache using --tmpfs

---
 src/firejail/fs.c | 36 ++++++------------------------------
 src/firejail/sandbox.c | 9 +++------
 test/fs/private-cache.exp | 30 ++++++++----------------------
 3 files changed, 17 insertions(+), 58 deletions(-)

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 65f53bf76..0d4e496e8 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,11 +162,12 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 else if (op == MOUNT_TMPFS) {
 if (S_ISDIR(s.st_mode)) {
- if (getuid() &&
- (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
- fname[strlen(cfg.homedir)] != '/')) {
- fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
- exit(1);
+ if (getuid()) {
+ if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+ fname[strlen(cfg.homedir)] != '/') {
+ fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+ exit(1);
+ }
 }
 fs_tmpfs(fname, getuid());
 last_disable = SUCCESSFUL;
@@ -1260,28 +1261,3 @@ void fs_private_tmp(void) {
 }
 closedir(dir);
 }
-
-// this function is called from sandbox.c before blacklist/whitelist functions
-void fs_private_cache(void) {
- char *cache;
- if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
- errExit("asprintf");
- // check if ~/.cache is a valid destination
- struct stat s;
- if (lstat(cache, &s) == -1) {
- fwarning("skipping private-cache: cannot find %s\n", cache);
- free(cache);
- return;
- }
- if (!S_ISDIR(s.st_mode)) {
- if (S_ISLNK(s.st_mode))
- fwarning("skipping private-cache: %s is a symbolic link\n", cache);
- else
- fwarning("skipping private-cache: %s is not a directory\n", cache);
- free(cache);
- return;
- }
- // do the mount
- fs_tmpfs(cache, getuid()); // check ownership of ~/.cache
- free(cache);
-}
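Review bot: The non-root check in the `MOUNT_TMPFS` branch is a plain string-prefix comparison of `fname` against `cfg.homedir`, and after this commit it appears to be the only validation `--private-cache` goes through, since the dedicated `lstat()`/symlink test in `fs_private_cache()` is deleted further down in this file. The comparison is only sound if `fname` is already a resolved, canonical path; how `fname` and `s` are produced is outside the hunk, so that should be confirmed and written down, for example `// fname must be canonical here: non-root users may only mount tmpfs on directories below cfg.homedir`. As a smaller style point, `strlen(cfg.homedir)` is evaluated twice and could be hoisted into a local `size_t homelen`. The body of `disable_file()` starts and ends outside the hunk.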
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8bfe76603..41951f38f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,12 +923,9 @@ int sandbox(void* sandbox_arg) {

 #ifdef HAVE_USERTMPFS
 if (arg_private_cache) {
- if (cfg.chrootdir)
- fwarning("private-cache feature is disabled in chroot\n");
- else if (arg_overlay)
- fwarning("private-cache feature is disabled in overlay\n");
- else
- fs_private_cache();
+ EUID_USER();
+ profile_add("tmpfs ${HOME}/.cache");
+ EUID_ROOT();
 }
 #endif

diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp
index 0597e8921..6e4c6bd1b 100755
--- a/test/fs/private-cache.exp
+++ b/test/fs/private-cache.exp
@@ -7,16 +7,17 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000

-if {[file exists ~/.cache]} {
- puts "found .cache directory\n"
-} else {
- send -- "mkdir --mode=755 ~/.cache\r"
-}
+send -- "mkdir --mode=700 ~/.cache\r"
 after 100

 send -- "touch ~/.cache/abcdefg\r"
 after 100

+if { ! [file exists ~/.cache/abcdefg] } {
+ puts "TESTING ERROR 0\n"
+ exit
+}
+
 send -- "firejail --noprofile --private-cache\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
@@ -34,23 +35,8 @@ after 100
 send -- "exit\r"
 sleep 1

-send -- "rm -v ~/.cache/abcdefg\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "removed"
-}
+# cleanup
+send -- "rm ~/.cache/abcdefg\r"
 after 100

-# redo the test with --private
-
-send -- "firejail --noprofile --private --private-cache\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Warning"
-}
-sleep 1
-
-send -- "exit\r"
-sleep 1
-
 puts "\nall done\n"
--
cgit v1.2.3-54-g00ecf
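Review bot: The `cfg.chrootdir` and `arg_overlay` guards are dropped from the `if (arg_private_cache)` branch, so `tmpfs ${HOME}/.cache` is queued in every configuration and the two "feature is disabled" warnings disappear, which the commit message does not mention. The removed `fs_private_cache()` also skipped a missing or symlinked `~/.cache` with a warning; whether the generic tmpfs handling reports those cases or skips them silently is not visible in this diff, and a silent skip would leave the real cache exposed to the sandboxed program. I would state the new contract next to the call, e.g. `// validated later by the tmpfs profile handling; now also queued under chroot and overlay`, if that is indeed intended. `sandbox()` continues outside the hunk.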
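Review bot: The new `file exists ~/.cache/abcdefg` check runs in the expect process only 100 ms after the `touch` was sent to the spawned shell, so on a slow or loaded machine it can print `TESTING ERROR 0` although nothing is wrong. A bounded poll is more reliable than a single check after `after 100`, for example `for {set i 0} {$i < 20 && ![file exists ~/.cache/abcdefg]} {incr i} {after 100}` placed before the `if`. The `mkdir --mode=700` is now sent unconditionally, so when `~/.cache` already exists it fails and the mode is not applied; `mkdir -p` would at least keep the shell output clean.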
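Review bot: The `--private --private-cache` run, which expected a `Warning`, is deleted rather than updated, so nothing in this test says what that combination is supposed to do after the reimplementation. A replacement case that starts the sandbox with both options and checks the resulting `~/.cache` would keep the interaction covered, and a case where `~/.cache` is a symbolic link would cover the check the old `fs_private_cache()` performed. The cleanup `rm` is also no longer verified with an `expect`, so a leftover `abcdefg` can go unnoticed between runs.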