allow tmpfs for regular users for files in home directory

netblue30 · Mar 10, 2017 · 22414ad · 22414ad
1 parent 4f455f7
commit 22414ad
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -34,6 +34,7 @@ firejail (0.9.45) baseline; urgency=low
   * feature: allow /tmp directory in mkdir and mkfile profile commands
   * feature: implemented --noblacklist command, profile support
   * feature: config support to disable access to /mnt and /media (disable-mnt)
+  * feature: allow tmpfs for regular users for files in home directory
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -970,8 +970,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		ptr += 7;
 	else if (strncmp(ptr, "tmpfs ", 6) == 0) {
 		if (getuid() != 0) {
-			fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-			exit(1);
+			// allow a non-root user  to mount tmpfs in user home directory, links are not allowed
+			invalid_filename(ptr + 6);
+			char *newfname = expand_home(ptr + 6, cfg.homedir);
+			assert(newfname);
+			if (is_link(newfname)) {
+				fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n");
+				exit(1);	
+			}
+			if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+				fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
+				exit(1);	
+			}
+			free(newfname);
 		}
 		ptr += 6;
 	}