Revert "mounting a tmpfs on ~/.cache directory (private-cache) by default"

This reverts commit caa7ad8714.
2026-05-21 06:45:29 -06:00 · 2018-06-14 17:09:07 -04:00 · 2018-06-14 17:09:07 -04:00 · ce416de492
commit ce416de492
parent 4e64e64d94
9 changed files with 35 additions and 19 deletions
--- a/etc/firejail.config
+++ b/etc/firejail.config
@ -56,11 +56,6 @@
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no

-# Mount  an empty temporary filesystem on top of the .cache
-# directory in user home. All  modifications  are  discarded  when
-# the sandbox is closed. Default enabled.
-# private-cache yes
-
 # Enable or disable private-home feature, default enabled
 # private-home yes

--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@ -175,15 +175,6 @@ int checkcfg(int val) {
 				else
 					goto errout;
 			}
-			// private-cache
-			else if (strncmp(ptr, "private-cache ", 14) == 0) {
-				if (strcmp(ptr + 14, "yes") == 0)
-					cfg_val[CFG_PRIVATE_CACHE] = 1;
-				else if (strcmp(ptr + 14, "no") == 0)
-					cfg_val[CFG_PRIVATE_CACHE] = 0;
-				else
-					goto errout;
-			}
 			// seccomp
 			else if (strncmp(ptr, "seccomp ", 8) == 0) {
 				if (strcmp(ptr + 8, "yes") == 0)
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@ -308,6 +308,7 @@ static inline int any_interface_configured(void) {

 extern int arg_private;		// mount private /home
 extern int arg_private_template; // private /home template
+extern int arg_private_cache;	// private home/.cache
 extern int arg_debug;		// print debug messages
 extern int arg_debug_blacklists;	// print debug messages for blacklists
 extern int arg_debug_whitelists;	// print debug messages for whitelists
@ -753,7 +754,6 @@ enum {
 	CFG_PRIVATE_LIB,
 	CFG_APPARMOR,
 	CFG_DBUS,
-	CFG_PRIVATE_CACHE,
 	CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@ -1353,8 +1353,10 @@ void fs_private_cache(void) {
 		fwarning("user .cache is a symbolic link, tmpfs not mounted\n");
 		return;
 	}
-	if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode))
+	if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) {
+		fwarning("no user .cache directory found, tmpfs not mounted\n");
 		return;
+	}
 	if (s.st_uid != getuid()) {
 		fwarning("user .cache is not owned by current user, tmpfs not mounted\n");
 		return;
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -46,6 +46,7 @@ static char child_stack[STACK_SIZE];		// space for child's stack
 Config cfg;					// configuration
 int arg_private = 0;				// mount private /home and /tmp directoryu
 int arg_private_template = 0; 	// mount private /home using a template
+int arg_private_cache = 0;		// mount private home/.cache
 int arg_debug = 0;				// print debug messages
 int arg_debug_blacklists = 0;			// print debug messages for blacklists
 int arg_debug_whitelists = 0;			// print debug messages for whitelists
@ -1681,6 +1682,9 @@ int main(int argc, char **argv) {
 		else if (strcmp(argv[i], "--private-tmp") == 0) {
 			arg_private_tmp = 1;
 		}
+		else if (strcmp(argv[i], "--private-cache") == 0) {
+			arg_private_cache = 1;
+		}

 		//*************************************
 		// hostname, etc
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -217,6 +217,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_allusers = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "private-cache") == 0) {
+		arg_private_cache = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "private-dev") == 0) {
 		arg_private_dev = 1;
 		return 0;
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@ -833,9 +833,14 @@ int sandbox(void* sandbox_arg) {
 		}
 	}

-	// private cache directory by default
-	if (checkcfg(CFG_PRIVATE_CACHE))
-		fs_private_cache();
+	if (arg_private_cache) {
+		if (cfg.chrootdir)
+			fwarning("private-cache feature is disabled in chroot\n");
+		else if (arg_overlay)
+			fwarning("private-cache feature is disabled in overlay\n");
+		else
+			fs_private_cache();
+	}

 	if (arg_private_tmp) {
 		// private-tmp is implemented as a whitelist
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@ -221,6 +221,10 @@ filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
 closed.
 .TP
+\fBprivate-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -1321,6 +1321,17 @@ Example:
 .br
 $ firejail \-\-private-home=.mozilla firefox

+.TP
+\fB\-\-private-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private-cache openbox
+
 .TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.