From 678cd1495457318dad39178bb646ba1b96332ddb Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 25 Jan 2016 14:58:27 -0500
Subject: --tmpfs allowd only as root user
---
 src/firejail/profile.c | 7 ++++++-
 src/firejail/usage.c | 3 ++-
 src/man/firejail-profile.txt | 2 +-
 src/man/firejail.txt | 4 ++--
 4 files changed, 11 insertions(+), 5 deletions(-)
 (limited to 'src')
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2d7b07c6d..5a0e9b727 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -417,8 +417,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strncmp(ptr, "read-only ", 10) == 0)
 ptr += 10;
- else if (strncmp(ptr, "tmpfs ", 6) == 0)
+ else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+ exit(1);
+ }
 ptr += 6;
+ }
 else {
 if (lineno == 0)
 fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6a033b922..531eba379 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -291,7 +291,8 @@ void usage(void) {
 printf("\t--shell=program - set default user shell.\n\n");
 printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n");
 printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n");
- printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
+ printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
+ printf("\t\tThis option is available only when running the sandbox as root.\n\n");
 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
 printf("\t--trace - trace open, access and connect system calls.\n\n");
 printf("\t--tracelog - add a syslog message for every access to files or\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e91c5c089..2f17c3088 100644
--- a/src/man/firejail-profile.txt
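Review bot: The privilege test on the added `if (getuid() != 0)` line relies on the real uid, which is the right identity if firejail runs setuid-root (the effective uid would then be 0 for every caller), but nothing in the hunk says so and a later reader could "correct" it to geteuid(); a short comment such as `/* real uid: the user invoking firejail must be root, not just the setuid-elevated euid */` would pin the intent. The check runs before `ptr += 6` for both the profile-file and command-line paths, assuming `--tmpfs=dirname` is routed through profile_check_line as a `tmpfs ` line, which is not visible here. The man-page hunk describes `bind` as root-only too; if that branch carries the same getuid() test, a small static helper shared by both would keep the check and its message in one place. profile_check_line continues outside the hunk on both sides.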
+++ b/src/man/firejail-profile.txt
@@ -126,7 +126,7 @@ blacklist ${HOME}/.ssh
 Make directory or file read-only.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory.
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ef65530db..43572bb4b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1348,13 +1348,13 @@ $ firejail \-\-list
 $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
-Mount a tmpfs filesystem on directory dirname.
+Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
 .br
 .br
 Example:
 .br
-$ firejail \-\-tmpfs=/var
+# firejail \-\-tmpfs=/var
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
-- 
cgit v1.2.3-54-g00ecf