tmpfs option enhancements

* downgrade error to warning, smiliar to read-write option; this simplifies use of tmpfs option in general purpose profiles, for example we don't need to worry about links people put in their homedir * update manpage
2026-05-21 06:45:29 -06:00 · 2021-06-21 01:26:17 +02:00 · 2021-06-21 01:26:17 +02:00 · 435d739d96
commit 435d739d96
parent 9c071c863b
3 changed files with 24 additions and 18 deletions
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@ -171,21 +171,28 @@ static void disable_file(OPERATION op, const char *filename) {
 		fs_remount_rec(fname, op);
 	}
 	else if (op == MOUNT_TMPFS) {
-		if (S_ISDIR(s.st_mode)) {
-			if (getuid()) {
-				if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-				    fname[strlen(cfg.homedir)] != '/') {
-					fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-					exit(1);
-				}
-			}
-			// fs_tmpfs returns with EUID 0
-			fs_tmpfs(fname, getuid());
-			selinux_relabel_path(fname, fname);
-			EUID_USER();
-		}
-		else
+		if (!S_ISDIR(s.st_mode)) {
 			fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+			free(fname);
+			return;
+		}
+
+		uid_t uid = getuid();
+		if (uid != 0) {
+			// only user owned directories in user home
+			if (s.st_uid != uid ||
+			    strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+			    fname[strlen(cfg.homedir)] != '/') {
+				fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+				free(fname);
+				return;
+			}
+		}
+
+		fs_tmpfs(fname, uid);
+		EUID_USER(); // fs_tmpfs returns with EUID 0
+
+		selinux_relabel_path(fname, fname);
 	}
 	else
 		assert(0);
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -2566,14 +2566,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br

 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.