compile time option to disable --private-cache and --tmpfs for regula…

…r user
netblue30 · Oct 27, 2020 · 64a8d6a · rusty-snake · Oct 27, 2020 · 64a8d6a
1 parent 8f13038
commit 64a8d6a
Show file tree

Hide file tree

Showing 8 changed files with 54 additions and 7 deletions.
diff --git a/configure b/configure
@@ -644,6 +644,7 @@ HAVE_PRIVATE_HOME
 HAVE_FIRETUNNEL
 HAVE_GAWK
 HAVE_MAN
+HAVE_USERTMPFS
 HAVE_OVERLAYFS
 HAVE_DBUSPROXY
 EXTRA_LDFLAGS
@@ -711,6 +712,7 @@ enable_analyzer
 enable_apparmor
 enable_dbusproxy
 enable_overlayfs
+enable_usertmpfs
 enable_man
 enable_firetunnel
 enable_private_home
@@ -1366,6 +1368,7 @@ Optional Features:
  --enable-apparmor enable apparmor
  --disable-dbusproxy disable dbus proxy
  --disable-overlayfs disable overlayfs
+ --disable-usertmpfs disable tmpfs as regular user
  --disable-man disable man pages
  --disable-firetunnel disable firetunnel
  --disable-private-home disable private home feature
@@ -3417,8 +3420,8 @@ if test "x$enable_apparmor" = "xyes"; then :
  HAVE_APPARMOR="-DHAVE_APPARMOR"
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
-$as_echo_n "checking for libapparmor... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
+$as_echo_n "checking for AA... " >&6; }
 
 if test -n "$AA_CFLAGS"; then
  pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@@ -3458,7 +3461,7 @@ fi
 
 
 if test $pkg_failed = yes; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -3485,7 +3488,7 @@ Alternatively, you may set the environment variables AA_CFLAGS
 and AA_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -3538,6 +3541,19 @@ if test "x$enable_overlayfs" != "xno"; then :
  HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
 
 
+fi
+
+HAVE_USERTMPS=""
+# Check whether --enable-usertmpfs was given.
+if test "${enable_usertmpfs+set}" = set; then :
+ enableval=$enable_usertmpfs;
+fi
+
+if test "x$enable_usertmpfs" != "xno"; then :
+
+ HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+
+
 fi
 
 HAVE_MAN="no"
@@ -5464,6 +5480,7 @@ echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
 echo " DBUS proxy support: $HAVE_DBUSPROXY"
+echo " allow tmpfs as regular user: $HAVE_USERTMPFS"
 echo " Manpage support: $HAVE_MAN"
 echo " firetunnel support: $HAVE_FIRETUNNEL"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"

diff --git a/configure.ac b/configure.ac
@@ -74,6 +74,14 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [
  AC_SUBST(HAVE_OVERLAYFS)
 ])
 
+HAVE_USERTMPS=""
+AC_ARG_ENABLE([usertmpfs],
+ AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
+AS_IF([test "x$enable_usertmpfs" != "xno"], [
+ HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+ AC_SUBST(HAVE_USERTMPFS)
+])
+
 HAVE_MAN="no"
 AC_ARG_ENABLE([man],
  AS_HELP_STRING([--disable-man], [disable man pages]))
@@ -240,6 +248,7 @@ echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
 echo " DBUS proxy support: $HAVE_DBUSPROXY"
+echo " allow tmpfs as regular user: $HAVE_USERTMPFS"
 echo " Manpage support: $HAVE_MAN"
 echo " firetunnel support: $HAVE_FIRETUNNEL"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"

diff --git a/src/common.mk.in b/src/common.mk.in
@@ -24,6 +24,7 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -33,7 +34,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -351,6 +351,14 @@ void print_compiletime_support(void) {
 #endif
  );
 
+ printf("\t- private-cache and tmpfs as user %s\n",
+#ifdef HAVE_USERTMPFS
+ "enabled"
+#else
+ "disabled"
+#endif
+ );
+
  printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
  "enabled"

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
  }
  else if (op == MOUNT_TMPFS) {
  if (S_ISDIR(s.st_mode)) {
- fs_tmpfs(fname, 0);
+ fs_tmpfs(fname, getuid());
  last_disable = SUCCESSFUL;
  }
  else
@@ -451,7 +451,7 @@ void fs_blacklist(void) {
 void fs_tmpfs(const char *dir, unsigned check_owner) {
  assert(dir);
  if (arg_debug)
- printf("Mounting tmpfs on %s\n", dir);
+ printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
  // get a file descriptor for dir, fails if there is any symlink
  int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_|O_CLOEXEC);
  if (fd == -1)

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -2000,12 +2000,14 @@ int main(int argc, char **argv, char **envp) {
  else if (strcmp(argv[i], "--private-tmp") == 0) {
  arg_private_tmp = 1;
  }
+#ifdef HAVE_USERTMPFS
  else if (strcmp(argv[i], "--private-cache") == 0) {
  if (checkcfg(CFG_PRIVATE_CACHE))
  arg_private_cache = 1;
  else
  exit_err_feature("private-cache");
  }
+#endif
  else if (strcmp(argv[i], "--private-cwd") == 0) {
  cfg.cwd = NULL;
  arg_private_cwd = 1;

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -383,10 +383,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  return 0;
  }
  else if (strcmp(ptr, "private-cache") == 0) {
+#ifdef HAVE_USERTMPFS
  if (checkcfg(CFG_PRIVATE_CACHE))
  arg_private_cache = 1;
  else
  warning_feature_disabled("private-cache");
+#endif
  return 0;
  }
  else if (strcmp(ptr, "private-dev") == 0) {
@@ -1570,6 +1572,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  else if (strncmp(ptr, "noexec ", 7) == 0)
  ptr += 7;
  else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+#ifndef HAVE_USERTMPFS
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+ exit(1);
+ }
+#endif
  ptr += 6;
  }
  else {

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -921,6 +921,7 @@ int sandbox(void* sandbox_arg) {
  }
  }
 
+#ifdef HAVE_USERTMPFS
  if (arg_private_cache) {
  if (cfg.chrootdir)
  fwarning("private-cache feature is disabled in chroot\n");
@@ -929,6 +930,7 @@ int sandbox(void* sandbox_arg) {
  else
  fs_private_cache();
  }
+#endif
 
  if (arg_private_tmp) {
  // private-tmp is implemented as a whitelist