Allow --tmpfs inside $HOME for unprivileged users

--tmpfs was added in 0.9.14 and restricted to root only in 0.9.38 due to priv-esc CVE-2016-10117 (e.g. --tmpfs=/etc and modify /etc/sudoers). This commit reintroduce it for normal users, if the realpath of it is inside users-home.
netblue30 · Oct 23, 2020 · 1ebdf89 · 1ebdf89
1 parent 0e81b26
commit 1ebdf89
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -1,3 +1,6 @@
+firejail (0.9.65) baseline; urgency=low
+ * allow --tmpfs inside $HOME for unprivileged users
+
 firejail (0.9.64) baseline; urgency=low
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -366,6 +366,14 @@ void fs_blacklist(void) {
  else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
  ptr = entry->data + 6;
  op = MOUNT_TMPFS;
+ char *resolved_path = realpath(ptr, NULL);
+ if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+ exit(1);
+ }
+ }
+ free(resolved_path);
  }
  else if (strncmp(entry->data, "mkdir ", 6) == 0) {
  EUID_USER();

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -1563,10 +1563,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  else if (strncmp(ptr, "noexec ", 7) == 0)
  ptr += 7;
  else if (strncmp(ptr, "tmpfs ", 6) == 0) {
- if (getuid() != 0) {
- fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
- exit(1);
- }
  ptr += 6;
  }
  else {