Unset TMP if it doesn't exist inside of sandbox

[matthew-cline]

I have this weird setup where the TMP env var is set to /tmp/$USER and that directory is automatically created. This causes sandboxed apps to not work if the profile uses private-tmp, and the error messages the app generates aren't necessarily useful. I solved the problem by making a wrapper script for firejail which unsets TMP, but other users might have TMP point to a non-standard location and have the sandboxed app not give them and useful error messages, leaving them confused frustrated.

One way to solve the problem would be, if TMP is set, to check if what it points to exists within the sandbox, and unset the var if it doesn't.

[rusty-snake]

where the TMP env var is set to /tmp/$USER

We have already code for TMP=/tmp/user/$UID, maybe this need further adjustments:

firejail/src/firejail/fs_whitelist.c

Lines 780 to 796 in 0c1b99f

	// pam-tmpdir - issue #2685
	const char *env = env_get("TMP");
	if (env) {
	char *pamtmpdir;
	if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
	errExit("asprintf");
	if (strcmp(env, pamtmpdir) == 0) {
	// create empty user-owned /tmp/user/$uid directory
	mkdir_attr("/tmp/user", 0711, 0, 0);
	selinux_relabel_path("/tmp/user", "/tmp/user");
	fs_logger("mkdir /tmp/user");
	mkdir_attr(pamtmpdir, 0700, getuid(), 0);
	selinux_relabel_path(pamtmpdir, pamtmpdir);
	fs_logger2("mkdir", pamtmpdir);
	}
	free(pamtmpdir);
	}

I solved the problem by making a wrapper script for firejail which unsets TMP

Just add rmenv TMP to <PROFILE>.local.