compile time option to disable --private-cache and --tmpfs for regular user

2026-05-15 14:16:14 -06:00 · 2020-10-27 09:35:41 -04:00 · 2020-10-27 09:35:41 -04:00 · 64a8d6a7f7
commit 64a8d6a7f7
parent 8f130383e1
8 changed files with 54 additions and 7 deletions
--- a/25
+++ b/25
@ -644,6 +644,7 @@ HAVE_PRIVATE_HOME
 HAVE_FIRETUNNEL
 HAVE_GAWK
 HAVE_MAN
+HAVE_USERTMPFS
 HAVE_OVERLAYFS
 HAVE_DBUSPROXY
 EXTRA_LDFLAGS
@ -711,6 +712,7 @@ enable_analyzer
 enable_apparmor
 enable_dbusproxy
 enable_overlayfs
+enable_usertmpfs
 enable_man
 enable_firetunnel
 enable_private_home
@ -1366,6 +1368,7 @@ Optional Features:
  --enable-apparmor       enable apparmor
  --disable-dbusproxy     disable dbus proxy
  --disable-overlayfs     disable overlayfs
+  --disable-usertmpfs     disable tmpfs as regular user
  --disable-man           disable man pages
  --disable-firetunnel    disable firetunnel
  --disable-private-home  disable private home feature
@ -3417,8 +3420,8 @@ if test "x$enable_apparmor" = "xyes"; then :
 	HAVE_APPARMOR="-DHAVE_APPARMOR"

 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
-$as_echo_n "checking for libapparmor... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
+$as_echo_n "checking for AA... " >&6; }

 if test -n "$AA_CFLAGS"; then
    pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@ -3458,7 +3461,7 @@ fi


 if test $pkg_failed = yes; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }

 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@ -3485,7 +3488,7 @@ Alternatively, you may set the environment variables AA_CFLAGS
 and AA_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@ -3538,6 +3541,19 @@ if test "x$enable_overlayfs" != "xno"; then :
 	HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"


+fi
+
+HAVE_USERTMPS=""
+# Check whether --enable-usertmpfs was given.
+if test "${enable_usertmpfs+set}" = set; then :
+  enableval=$enable_usertmpfs;
+fi
+
+if test "x$enable_usertmpfs" != "xno"; then :
+
+	HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+
+
 fi

 HAVE_MAN="no"
@ -5464,6 +5480,7 @@ echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
 echo "   DBUS proxy support: $HAVE_DBUSPROXY"
+echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
 echo "   Manpage support: $HAVE_MAN"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
--- a/configure.ac
+++ b/configure.ac
@ -74,6 +74,14 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [
 	AC_SUBST(HAVE_OVERLAYFS)
 ])

+HAVE_USERTMPS=""
+AC_ARG_ENABLE([usertmpfs],
+    AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
+AS_IF([test "x$enable_usertmpfs" != "xno"], [
+	HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+	AC_SUBST(HAVE_USERTMPFS)
+])
+
 HAVE_MAN="no"
 AC_ARG_ENABLE([man],
    AS_HELP_STRING([--disable-man], [disable man pages]))
@ -240,6 +248,7 @@ echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
 echo "   DBUS proxy support: $HAVE_DBUSPROXY"
+echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
 echo "   Manpage support: $HAVE_MAN"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
--- a/src/common.mk.in
+++ b/src/common.mk.in
@ -24,6 +24,7 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@

 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@ -33,7 +34,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@ -351,6 +351,14 @@ void print_compiletime_support(void) {
 #endif
 		);

+	printf("\t- private-cache and tmpfs as user %s\n",
+#ifdef HAVE_USERTMPFS
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
 	printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
 		"enabled"
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 	}
 	else if (op == MOUNT_TMPFS) {
 		if (S_ISDIR(s.st_mode)) {
-			fs_tmpfs(fname, 0);
+			fs_tmpfs(fname, getuid());
 			last_disable = SUCCESSFUL;
 		}
 		else
@ -451,7 +451,7 @@ void fs_blacklist(void) {
 void fs_tmpfs(const char *dir, unsigned check_owner) {
 	assert(dir);
 	if (arg_debug)
-		printf("Mounting tmpfs on %s\n", dir);
+		printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
 	// get a file descriptor for dir, fails if there is any symlink
 	int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 	if (fd == -1)
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -2000,12 +2000,14 @@ int main(int argc, char **argv, char **envp) {
 		else if (strcmp(argv[i], "--private-tmp") == 0) {
 			arg_private_tmp = 1;
 		}
+#ifdef HAVE_USERTMPFS
 		else if (strcmp(argv[i], "--private-cache") == 0) {
 			if (checkcfg(CFG_PRIVATE_CACHE))
 				arg_private_cache = 1;
 			else
 				exit_err_feature("private-cache");
 		}
+#endif
 		else if (strcmp(argv[i], "--private-cwd") == 0) {
 			cfg.cwd = NULL;
 			arg_private_cwd = 1;
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -383,10 +383,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	else if (strcmp(ptr, "private-cache") == 0) {
+#ifdef HAVE_USERTMPFS
 		if (checkcfg(CFG_PRIVATE_CACHE))
 			arg_private_cache = 1;
 		else
 			warning_feature_disabled("private-cache");
+#endif
 		return 0;
 	}
 	else if (strcmp(ptr, "private-dev") == 0) {
@ -1570,6 +1572,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	else if (strncmp(ptr, "noexec ", 7) == 0)
 		ptr += 7;
 	else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+#ifndef HAVE_USERTMPFS
+		if (getuid() != 0) {
+			fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+			exit(1);
+		}
+#endif
 		ptr += 6;
 	}
 	else {
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@ -921,6 +921,7 @@ int sandbox(void* sandbox_arg) {
 		}
 	}

+#ifdef HAVE_USERTMPFS
 	if (arg_private_cache) {
 		if (cfg.chrootdir)
 			fwarning("private-cache feature is disabled in chroot\n");
@ -929,6 +930,7 @@ int sandbox(void* sandbox_arg) {
 		else
 			fs_private_cache();
 	}
+#endif

 	if (arg_private_tmp) {
 		// private-tmp is implemented as a whitelist