removed ./configure --disable-usertmpfs option

config.mk.in

@@ -45,7 +45,6 @@ HAVE_SANDBOX_CHECK=@HAVE_SANDBOX_CHECK@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
 HAVE_USERNS=@HAVE_USERNS@
-HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_X11=@HAVE_X11@
 
 MANFLAGS = \
@@ -64,7 +63,6 @@ MANFLAGS = \
 	$(HAVE_SELINUX) \
 	$(HAVE_SUID) \
 	$(HAVE_USERNS) \
-	$(HAVE_USERTMPFS) \
 	$(HAVE_X11)
 
 # User variables - should not be modified in the code (as they are reserved for

configure

@@ -657,7 +657,6 @@ HAVE_NETWORK
 HAVE_CHROOT
 HAVE_PRIVATE_LIB
 HAVE_PRIVATE_HOME
-HAVE_USERTMPFS
 HAVE_OUTPUT
 HAVE_DBUSPROXY
 EXTRA_LDFLAGS
@@ -736,7 +735,6 @@ enable_selinux
 enable_landlock
 enable_dbusproxy
 enable_output
-enable_usertmpfs
 enable_private_home
 enable_private_lib
 enable_chroot
@@ -1394,7 +1392,6 @@ Optional Features:
   --disable-landlock      disable Landlock self-restriction support
   --disable-dbusproxy     disable dbus proxy
   --disable-output        disable --output logging
-  --disable-usertmpfs     disable tmpfs as regular user
   --disable-private-home  disable private home feature
   --disable-private-lib   disable private lib feature
   --disable-chroot        disable chroot
@@ -4309,21 +4306,6 @@ then :
 
 fi
 
-HAVE_USERTMPFS=""
-
-# Check whether --enable-usertmpfs was given.
-if test ${enable_usertmpfs+y}
-then :
-  enableval=$enable_usertmpfs;
-fi
-
-if test "x$enable_usertmpfs" != "xno"
-then :
-
-	HAVE_USERTMPFS="-DHAVE_USERTMPFS"
-
-fi
-
 HAVE_PRIVATE_HOME=""
 
 # Check whether --enable-private-home was given.
@@ -5727,7 +5709,6 @@ Compile options:
    Spectre compiler patch: $HAVE_SPECTRE
 
 Features:
-   allow tmpfs as regular user: $HAVE_USERTMPFS
    always enforce filters: $HAVE_FORCE_NONEWPRIVS
    apparmor: $HAVE_APPARMOR
    busybox workaround: $BUSYBOX_WORKAROUND

configure.ac

@@ -129,14 +129,6 @@ AS_IF([test "x$enable_output" != "xno"], [
 	HAVE_OUTPUT="-DHAVE_OUTPUT"
 ])
 
-HAVE_USERTMPFS=""
-AC_SUBST([HAVE_USERTMPFS])
-AC_ARG_ENABLE([usertmpfs],
-    [AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])])
-AS_IF([test "x$enable_usertmpfs" != "xno"], [
-	HAVE_USERTMPFS="-DHAVE_USERTMPFS"
-])
-
 HAVE_PRIVATE_HOME=""
 AC_SUBST([HAVE_PRIVATE_HOME])
 AC_ARG_ENABLE([private-home],
@@ -282,7 +274,6 @@ Compile options:
    Spectre compiler patch: $HAVE_SPECTRE
 
 Features:
-   allow tmpfs as regular user: $HAVE_USERTMPFS
    always enforce filters: $HAVE_FORCE_NONEWPRIVS
    apparmor: $HAVE_APPARMOR
    busybox workaround: $BUSYBOX_WORKAROUND

src/firejail/checkcfg.c

@@ -423,13 +423,6 @@ static const char *const compiletime_support =
 		"disabled"
 #endif
 
-	"\n\t- private-cache and tmpfs as user "
-#ifdef HAVE_USERTMPFS
-		"enabled"
-#else
-		"disabled"
-#endif
-
 	"\n\t- sandbox check is "
 #ifdef HAVE_SANDBOX_CHECK
 		"enabled"

src/firejail/main.c

@@ -2082,14 +2082,12 @@ int main(int argc, char **argv, char **envp) {
 		else if (strcmp(argv[i], "--private-tmp") == 0) {
 			arg_private_tmp = 1;
 		}
-#ifdef HAVE_USERTMPFS
 		else if (strcmp(argv[i], "--private-cache") == 0) {
 			if (checkcfg(CFG_PRIVATE_CACHE))
 				arg_private_cache = 1;
 			else
 				exit_err_feature("private-cache");
 		}
-#endif
 		else if (strcmp(argv[i], "--private-cwd") == 0) {
 			cfg.cwd = NULL;
 			arg_private_cwd = 1;

src/firejail/profile.c

@@ -424,12 +424,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	else if (strcmp(ptr, "private-cache") == 0) {
-#ifdef HAVE_USERTMPFS
 		if (checkcfg(CFG_PRIVATE_CACHE))
 			arg_private_cache = 1;
 		else
 			warning_feature_disabled("private-cache");
-#endif
 		return 0;
 	}
 	else if (strcmp(ptr, "private-dev") == 0) {
@@ -1671,15 +1669,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		ptr += 11;
 	else if (strncmp(ptr, "noexec ", 7) == 0)
 		ptr += 7;
-	else if (strncmp(ptr, "tmpfs ", 6) == 0) {
-#ifndef HAVE_USERTMPFS
-		if (getuid() != 0) {
-			fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-			exit(1);
-		}
-#endif
+	else if (strncmp(ptr, "tmpfs ", 6) == 0)
 		ptr += 6;
-	}
 	else {
 		if (lineno == 0)
 			fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);

src/firejail/sandbox.c

@@ -965,13 +965,11 @@ int sandbox(void* sandbox_arg) {
 	}
 #endif
 
-#ifdef HAVE_USERTMPFS
 	if (arg_private_cache) {
 		EUID_USER();
 		profile_add("tmpfs ${HOME}/.cache");
 		EUID_ROOT();
 	}
-#endif
 
 	if (arg_private_tmp) {
 		// private-tmp is implemented as a whitelist

test/compile/compile.sh

@@ -26,16 +26,15 @@ arr[8]="8: compile --disable-file-transfer"
 arr[9]="9: compile --enable-apparmor"
 arr[10]="10: compile --enable-busybox-workaround"
 arr[11]="11: compile --disable-private-home"
-arr[12]="12: compile --disable-usertmpfs"
-arr[13]="13: compile --disable-sandbox-check"
-arr[14]="14: compile --disable-landlock"
-arr[15]="15: compile --disable-output"
-arr[16]="16: compile --disable-man"
-arr[17]="17: compile --disable-private-lib"
-arr[18]="18: compile --disable-suid"
-arr[19]="19: compile --enable-contrib-install"
-arr[20]="20: compile --enable-only-syscfg-profiles"
-arr[21]="21: compile --enable-force-nonewprivs"
+arr[12]="12: compile --disable-sandbox-check"
+arr[13]="13: compile --disable-landlock"
+arr[14]="14: compile --disable-output"
+arr[15]="15: compile --disable-man"
+arr[16]="16: compile --disable-private-lib"
+arr[17]="17: compile --disable-suid"
+arr[18]="18: compile --enable-contrib-install"
+arr[19]="19: compile --enable-only-syscfg-profiles"
+arr[20]="20: compile --enable-force-nonewprivs"
 
 print_title() {
 	echo
@@ -311,31 +310,9 @@ cd ..
 #*****************************************************************
 # TEST 12
 #*****************************************************************
-# - disable tmpfs as regular user"
-#*****************************************************************
-print_title "${arr[12]}"
-cd firejail || exit 1
-
-./configure --enable-fatal-warnings --disable-usertmpfs 2>&1 | tee output
-if grep -E '(WARNING|ERROR)' output; then
-    echo "TESTING ERROR";
-    exit 1
-fi
-
-make -j4 2>&1 | tee output
-if grep -E -i 'error:' output; then
-    echo "TESTING ERROR";
-    exit 1
-fi
-make distclean
-cd ..
-
-#*****************************************************************
-# TEST 13
-#*****************************************************************
 # - disable sandbox check
 #*****************************************************************
-print_title "${arr[13]}"
+print_title "${arr[12]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --disable-sandbox-check 2>&1 | tee output
@@ -353,11 +330,11 @@ make distclean
 cd ..
 
 #*****************************************************************
-# TEST 14
+# TEST 13
 #*****************************************************************
 # - disable landlock
 #*****************************************************************
-print_title "${arr[14]}"
+print_title "${arr[13]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --disable-landlock 2>&1 | tee output
@@ -375,11 +352,11 @@ make distclean
 cd ..
 
 #*****************************************************************
-# TEST 15
+# TEST 14
 #*****************************************************************
 # - disable --output logging
 #*****************************************************************
-print_title "${arr[15]}"
+print_title "${arr[14]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --disable-output 2>&1 | tee output
@@ -396,11 +373,11 @@ fi
 cd ..
 
 #*****************************************************************
-# TEST 16
+# TEST 15
 #*****************************************************************
 # - disable man pages
 #*****************************************************************
-print_title "${arr[16]}"
+print_title "${arr[15]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --disable-man 2>&1 | tee output
@@ -418,11 +395,11 @@ make distclean
 cd ..
 
 #*****************************************************************
-# TEST 17
+# TEST 16
 #*****************************************************************
 # - disable private-lib
 #*****************************************************************
-print_title "${arr[17]}"
+print_title "${arr[16]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --disable-private-lib 2>&1 | tee output
@@ -440,11 +417,11 @@ make distclean
 cd ..
 
 #*****************************************************************
-# TEST 18
+# TEST 17
 #*****************************************************************
 # - disable suid
 #*****************************************************************
-print_title "${arr[18]}"
+print_title "${arr[17]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --disable-suid 2>&1 | tee output
@@ -462,11 +439,11 @@ make distclean
 cd ..
 
 #*****************************************************************
-# TEST 19
+# TEST 18
 #*****************************************************************
 # - enable contrib install
 #*****************************************************************
-print_title "${arr[19]}"
+print_title "${arr[18]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --enable-contrib-install 2>&1 | tee output
@@ -484,11 +461,11 @@ make distclean
 cd ..
 
 #*****************************************************************
-# TEST 20
+# TEST 19
 #*****************************************************************
 # --enable-only-syscfg-profile
 #*****************************************************************
-print_title "${arr[20]}"
+print_title "${arr[19]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings --enable-only-syscfg-profiles 2>&1 | tee output
@@ -506,11 +483,11 @@ make distclean
 cd ..
 
 #*****************************************************************
-# TEST 21
+# TEST 20
 #*****************************************************************
 # - enable force nonewprivs
 #*****************************************************************
-print_title "${arr[21]}"
+print_title "${arr[20]}"
 cd firejail || exit 1
 
 ./configure --enable-fatal-warnings  --enable-force-nonewprivs 2>&1 | tee output