mkdir support in profile files

2026-05-21 06:45:29 -06:00 · 2016-02-17 12:13:19 -05:00 · 2016-02-17 12:13:19 -05:00 · 97a9d01868
commit 97a9d01868
parent eb24e76abe
7 changed files with 123 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -79,6 +79,27 @@ $ firejail --net=eth0 firefox
              $ firejail --nice=-5 firefox
 `````

+## mkdir
+
+`````
+$ man firejail-profile
+[...]
+       mkdir directory
+              Create   a   directory  in  user  home.  Use  this  command  for
+              whitelisted directories you need to preserve when the sandbox is
+              closed.  Subdirectories  also  need  to  be created using mkdir.
+              Example from firefox profile:
+
+              mkdir ~/.mozilla
+              whitelist ~/.mozilla
+              mkdir ~/.cache
+              mkdir ~/.cache/mozilla
+              mkdir ~/.cache/mozilla/firefox
+              whitelist ~/.cache/mozilla/firefox
+
+[...]
+`````
+
 ## New security profiles

 lxterminal, Epiphany, cherrytree
--- a/1
+++ b/1
@ -3,6 +3,7 @@ firejail (0.9.39) baseline; urgency=low
  * default seccomp filter update
  * disable STUN/WebRTC in default netfilter configuration
  * added --nice option
+  * addded mkdir profile command
  * --version also prints compile options
  * build rpm packages using "make rpms"
  * new profiles: lxterminal, Epiphany, cherrytree
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@ -12,7 +12,11 @@ netfilter
 tracelog
 noroot
 whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
 whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/firefox
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
 whitelist ~/.zotero
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@ -512,5 +512,8 @@ void check_user(int argc, char **argv);
 // paths.c
 char **build_paths(void);

+// fs_mkdir.c
+void fs_mkdir(const char *name);
+
 #endif

--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <grp.h>
+ #include <sys/wait.h>
+ 
+void fs_mkdir(const char *name) {
+	// check directory name
+	invalid_filename(name);
+	char *expanded = expand_home(name, cfg.homedir);
+	if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
+		fprintf(stderr, "Error: only directories in user home are supported by mkdir\n");
+		exit(1);
+	}
+
+	struct stat s;
+	if (stat(expanded, &s) == 0) {
+		// file exists, do nothing
+		goto doexit;
+	}
+
+	// fork a process, drop privileges, and create the directory
+	// no error recovery will be attempted
+	pid_t child = fork();
+	if (child < 0)
+		errExit("fork");
+	if (child == 0) {
+		if (arg_debug)
+			printf("Create %s directory\n", expanded);
+		
+		// drop privileges
+		if (setgroups(0, NULL) < 0)
+			errExit("setgroups");
+		if (setgid(getgid()) < 0)
+			errExit("setgid/getgid");
+		if (setuid(getuid()) < 0)
+			errExit("setuid/getuid");
+		
+		// create directory
+		if (mkdir(expanded, 0755) == -1)
+			fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
+		exit(0);
+	}
+	
+	// wait for the child to finish
+	waitpid(child, NULL, 0);
+
+doexit:
+	free(expanded);
+}	
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -99,6 +99,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}

+	if (strncmp(ptr, "mkdir ", 6) == 0) {
+		fs_mkdir(ptr + 6);
+		return 0;
+	}
+
 	// sandbox name
 	if (strncmp(ptr, "name ", 5) == 0) {
 		cfg.name = ptr + 5;
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@ -134,6 +134,25 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBmkdir directory
+Create a directory in user home. Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+firefox profile:
+.br
+
+.br
+mkdir ~/.mozilla
+.br
+whitelist ~/.mozilla
+.br
+mkdir ~/.cache
+.br
+mkdir ~/.cache/mozilla
+.br
+mkdir ~/.cache/mozilla/firefox
+.br
+whitelist ~/.cache/mozilla/firefox
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is