Merge pull request #3676 from rusty-snake/tmpfs-inside-home

Allow --tmpfs and --bind inside $HOME for unprivileged users
netblue30 · Oct 25, 2020 · c3ff78f · c3ff78f
2 parents bd1819a + fb35ad6
commit c3ff78f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 9 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -1,3 +1,6 @@
+firejail (0.9.65) baseline; urgency=low
+ * allow --tmpfs inside $HOME for unprivileged users
+
 firejail (0.9.64) baseline; urgency=low
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -366,6 +366,14 @@ void fs_blacklist(void) {
  else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
  ptr = entry->data + 6;
  op = MOUNT_TMPFS;
+ char *resolved_path = realpath(ptr, NULL);
+ if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) {
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+ exit(1);
+ }
+ }
+ free(resolved_path);
  }
  else if (strncmp(entry->data, "mkdir ", 6) == 0) {
  EUID_USER();

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -1412,11 +1412,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  // filesystem bind
  if (strncmp(ptr, "bind ", 5) == 0) {
  if (checkcfg(CFG_BIND)) {
- if (getuid() != 0) {
- fprintf(stderr, "Error: --bind option is available only if running as root\n");
- exit(1);
- }
-
  // extract two directories
  char *dname1 = ptr + 5;
  char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
@@ -1432,6 +1427,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  fprintf(stderr, "Error: invalid file name.\n");
  exit(1);
  }
+ if (getuid() != 0) {
+ char *resolved_path1 = realpath(dname1, NULL);
+ char *resolved_path2 = realpath(dname2, NULL);
+ assert(resolved_path1 && resolved_path2);
+ if (strncmp(cfg.homedir, resolved_path1, strlen(cfg.homedir)) != 0
+ || strncmp(cfg.homedir, resolved_path2, strlen(cfg.homedir)) != 0) {
+ fprintf(stderr, "Error: bind outside $HOME is only available for root\n");
+ exit(1);
+ }
+ free(resolved_path1);
+ free(resolved_path2);
+ }
  if (is_link(dname1) || is_link(dname2)) {
  fprintf(stderr, "Symbolic links are not allowed for bind command\n");
  exit(1);
@@ -1563,10 +1570,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  else if (strncmp(ptr, "noexec ", 7) == 0)
  ptr += 7;
  else if (strncmp(ptr, "tmpfs ", 6) == 0) {
- if (getuid() != 0) {
- fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
- exit(1);
- }
  ptr += 6;
  }
  else {