From ce416de492c229b09b4cb466e042f03ed3ce2e40 Mon Sep 17 00:00:00 2001 From: Tad Date: Thu, 14 Jun 2018 17:09:07 -0400 Subject: [PATCH] Revert "mounting a tmpfs on ~/.cache directory (private-cache) by default" This reverts commit caa7ad8714206a158123773ddcaca6ef219a5501. --- etc/firejail.config | 5 ----- src/firejail/checkcfg.c | 9 --------- src/firejail/firejail.h | 2 +- src/firejail/fs.c | 4 +++- src/firejail/main.c | 4 ++++ src/firejail/profile.c | 4 ++++ src/firejail/sandbox.c | 11 ++++++++--- src/man/firejail-profile.txt | 4 ++++ src/man/firejail.txt | 11 +++++++++++ 9 files changed, 35 insertions(+), 19 deletions(-) diff --git a/etc/firejail.config b/etc/firejail.config index 42dfaf3c6..1f47f77d0 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -56,11 +56,6 @@ # Remove /usr/local directories from private-bin list, default disabled. # private-bin-no-local no -# Mount an empty temporary filesystem on top of the .cache -# directory in user home. All modifications are discarded when -# the sandbox is closed. Default enabled. -# private-cache yes - # Enable or disable private-home feature, default enabled # private-home yes diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6dc28b9bb..68e93e16e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -175,15 +175,6 @@ int checkcfg(int val) { else goto errout; } - // private-cache - else if (strncmp(ptr, "private-cache ", 14) == 0) { - if (strcmp(ptr + 14, "yes") == 0) - cfg_val[CFG_PRIVATE_CACHE] = 1; - else if (strcmp(ptr + 14, "no") == 0) - cfg_val[CFG_PRIVATE_CACHE] = 0; - else - goto errout; - } // seccomp else if (strncmp(ptr, "seccomp ", 8) == 0) { if (strcmp(ptr + 8, "yes") == 0) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 3e05591b8..92a18af25 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -308,6 +308,7 @@ static inline int any_interface_configured(void) { extern int arg_private; // mount private /home extern int arg_private_template; // private /home template +extern int arg_private_cache; // private home/.cache extern int arg_debug; // print debug messages extern int arg_debug_blacklists; // print debug messages for blacklists extern int arg_debug_whitelists; // print debug messages for whitelists @@ -753,7 +754,6 @@ enum { CFG_PRIVATE_LIB, CFG_APPARMOR, CFG_DBUS, - CFG_PRIVATE_CACHE, CFG_MAX // this should always be the last entry }; extern char *xephyr_screen; diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 68b09dcbd..0e104699f 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1353,8 +1353,10 @@ void fs_private_cache(void) { fwarning("user .cache is a symbolic link, tmpfs not mounted\n"); return; } - if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) + if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) { + fwarning("no user .cache directory found, tmpfs not mounted\n"); return; + } if (s.st_uid != getuid()) { fwarning("user .cache is not owned by current user, tmpfs not mounted\n"); return; diff --git a/src/firejail/main.c b/src/firejail/main.c index 9babb72de..6aebd9ab2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -46,6 +46,7 @@ static char child_stack[STACK_SIZE]; // space for child's stack Config cfg; // configuration int arg_private = 0; // mount private /home and /tmp directoryu int arg_private_template = 0; // mount private /home using a template +int arg_private_cache = 0; // mount private home/.cache int arg_debug = 0; // print debug messages int arg_debug_blacklists = 0; // print debug messages for blacklists int arg_debug_whitelists = 0; // print debug messages for whitelists 
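Review bot: The directory validation in fs_private_cache is done by path (`stat` + `S_ISDIR` added here, then the existing `st_uid` comparison), so there is a check-to-use window before the tmpfs is mounted further down the function: the user owns the home directory and can replace `.cache` with a symlink between the check and the mount, which matters if, as elsewhere in firejail, the mount is performed with elevated privileges. If the mount site (outside this hunk) still takes the path, consider opening the directory first with `open(cache, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC)`, checking it with `fstat` on that descriptor, and mounting on `/proc/self/fd/N`, so the check and the mount refer to the same inode. A smaller point: the new message says no directory was found even when `stat` fails for another reason (EACCES, ELOOP, a stale automount); if fwarning is printf-style, `fwarning("cannot access user .cache directory (%s), tmpfs not mounted\n", strerror(errno))` would tell the two cases apart. fs_private_cache's body begins and ends outside this hunk.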
@@ -1681,6 +1682,9 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; } + else if (strcmp(argv[i], "--private-cache") == 0) { + arg_private_cache = 1; + } //************************************* // hostname, etc diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 88d27f09f..22db6f5fb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -217,6 +217,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_allusers = 1; return 0; } + else if (strcmp(ptr, "private-cache") == 0) { + arg_private_cache = 1; + return 0; + } else if (strcmp(ptr, "private-dev") == 0) { arg_private_dev = 1; return 0; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a1400db34..7922da9b9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -833,9 +833,14 @@ int sandbox(void* sandbox_arg) { } } - // private cache directory by default - if (checkcfg(CFG_PRIVATE_CACHE)) - fs_private_cache(); + if (arg_private_cache) { + if (cfg.chrootdir) + fwarning("private-cache feature is disabled in chroot\n"); + else if (arg_overlay) + fwarning("private-cache feature is disabled in overlay\n"); + else + fs_private_cache(); + } if (arg_private_tmp) { // private-tmp is implemented as a whitelist diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c32fdf8f4..851eb1026 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -221,6 +221,10 @@ filesystem, and copy the files and directories in the list in the new home. All modifications are discarded when the sandbox is closed. .TP +\fBprivate-cache +Mount an empty temporary filesystem on top of the .cache directory in user home. All +modifications are discarded when the sandbox is closed. +.TP \fBprivate-bin file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. 
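Review bot: In chroot and overlay mode the new branch in sandbox() downgrades `private-cache` to a warning and continues, so a profile that requests it still gets a sandbox with the real `~/.cache` writable — a fail-open that is easy to miss in log output. If the other `private-*` features abort in these modes, this one should match; if they also only warn, the limitation should at least be stated in the `--private-cache` man entry this commit adds, e.g. `This feature is ignored when --chroot or --overlay is used.` The ordering relative to `--private`/`--private-home` handling is not visible here; if those run earlier, `fs_private_cache` may look for `.cache` inside the freshly mounted empty home and emit its "not found" warning for every such profile, which is worth a test. sandbox()'s body starts and ends outside this hunk.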
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 760249e70..d527c05d8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1321,6 +1321,17 @@ Example: .br $ firejail \-\-private-home=.mozilla firefox +.TP +\fB\-\-private-cache +Mount an empty temporary filesystem on top of the .cache directory in user home. All +modifications are discarded when the sandbox is closed. +.br + +.br +Example: +.br +$ firejail \-\-private-cache openbox + .TP \fB\-\-private-bin=file,file Build a new /bin in a temporary filesystem, and copy the programs in the list.