From 66cd15982d1d763afe70852aa4b3342313d04656 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 20 Apr 2016 09:16:35 -0400
Subject: profile support for writable-etc and writable-var
---
 src/firejail/profile.c | 24 ++++++++++++++++++++++++
 src/man/firejail-profile.txt | 8 ++++++++
 src/man/firejail.txt | 4 ++--
 3 files changed, 34 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a2336090f..9e0f0325e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -570,6 +570,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ // writable-etc
+ if (strcmp(ptr, "writable-etc") == 0) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: writable-etc is available only for root user\n");
+ exit(1);
+ }
+ if (cfg.etc_private_keep) {
+ fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
+ exit(1);
+ }
+ arg_writable_etc = 1;
+ return 0;
+ }
+
+ // writable-var
+ if (strcmp(ptr, "writable-var") == 0) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: writable-var is available only for root user\n");
+ exit(1);
+ }
+ arg_writable_var = 1;
+ return 0;
+ }
+
 // private directory
 if (strncmp(ptr, "private ", 8) == 0) {
 cfg.home_private = ptr + 8;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index f5610cafc..8d0b6a890 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
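Review bot: The mutual-exclusion check in the new writable-etc branch is order-dependent: it tests `cfg.etc_private_keep` at the moment the `writable-etc` line is parsed, so it only rejects a profile in which `private-etc` comes first, and the `private-etc` handler (outside this hunk) would need a symmetric `arg_writable_etc` test for the reverse order — I cannot see from here whether it has one. A single check after the whole profile has been read, such as `if (arg_writable_etc && cfg.etc_private_keep) { fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); exit(1); }` in the caller, would cover both orders regardless of line position. Both new error messages also discard the `lineno` and `fname` the function receives; printing them, e.g. `fprintf(stderr, "Error: writable-etc is available only for root user (%s:%d)\n", fname, lineno);`, lets users locate the offending profile line. profile_check_line continues on both sides of this hunk.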
@@ -181,6 +181,14 @@ Build a new user home in a temporary filesystem, and mount-bind file_or_director
 The modifications to file_or_directory are persistent, everything else is discarded when the sandbox is closed.
 .TP
+\fBwritable-etc
+Mount /etc directory read-write. This option is available only
+when running the sandbox as root user.
+.TP
+\fBwritable-var
+Mount /var directory read-write. This option is available only
+when running the sandbox as root user.
+.TP
 \fBtracelog
 Blacklist violations logged to syslog.
 .SH Security filters
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 14b3c6a60..51abaef28 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1463,7 +1463,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 .TP
 \fB\-\-writable-etc
-Mount /etc directory read-write. This option is available only when running the sandbox as root user
+Mount /etc directory read-write. This option is available only when running the sandbox as root user.
 .br
 .br
@@ -1473,7 +1473,7 @@ $ sudo firejail --writable-etc
 .TP
 \fB\-\-writable-var
-Mount /var directory read-write. This option is available only when running the sandbox as root user
+Mount /var directory read-write. This option is available only when running the sandbox as root user.
 .br
 .br
-- 
cgit v1.2.3-54-g00ecf