AppRun: do not mount /tmp RO if will be written

MartinPulec · MartinPulec · commit fb0729bb6e8f · 2022-12-02T11:18:12.000+01:00
diff --git a/data/scripts/Linux-AppImage/AppRun b/data/scripts/Linux-AppImage/AppRun
@@ -212,8 +212,11 @@ if [ -n "${ULTRAGRID_USE_FIREJAIL-}" ] && [ "$ULTRAGRID_USE_FIREJAIL" != 0 ] &&
                 FIREJAIL_OPTS="--profile=$ULTRAGRID_USE_FIREJAIL"
         else
                 FJ_TMPDIR=${TMPDIR-/tmp/ultragrid-$(id -u)}
-                FIREJAIL_OPTS="--caps.drop=all --ipc-namespace --nonewprivs --noroot --protocol=unix,inet,inet6,netlink --seccomp --shell=none --disable-mnt --private-bin=none --private-opt=none --read-only=/tmp --mkdir=$FJ_TMPDIR --read-write=$FJ_TMPDIR --writable-var"
+                FIREJAIL_OPTS="--caps.drop=all --ipc-namespace --nonewprivs --noroot --protocol=unix,inet,inet6,netlink --seccomp --shell=none --disable-mnt --private-bin=none --private-opt=none --mkdir=$FJ_TMPDIR --read-write=$FJ_TMPDIR --writable-var"
                 FIREJAIL_OPTS="$FIREJAIL_OPTS $(get_firejail_whitelist "$@") --private-etc=alsa,group,hostname,ld.so.conf,ld.so.cache,ld.so.conf.d,nsswitch.conf,passwd,resolv.conf --ignore=novideo"
+                if ! expr "$FIREJAIL_OPTS" : '.*--read-write=/tmp '; then
+                        FIREJAIL_OPTS="$FIREJAIL_OPTS --read-only=/tmp"
+                fi
         fi
         if firejail --version | grep -iq "d-\{0,1\}bus.*enabled"; then
                 FIREJAIL_OPTS="$FIREJAIL_OPTS --dbus-user=none --dbus-system=none"
