author | startx2017 <vradu.startx@yandex.com> | 2017-10-05 09:14:10 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-10-05 09:14:10 -0400 |
commit | 3884057a6f95b2cd6d2fd4e48f045bef6126e90b (patch) | |
tree | 78ec984c0d6455ff26769c8e224dd9f6ff0b6859 | |
parent | Tighten multiple profiles. (diff) | |
private-bin: if the file is a symlink pointing to an executable inside standard exec path, copy both the file and the symlink
-rw-r--r-- | src/firejail/fs_bin.c | 15 |
1 files changed, 13 insertions, 2 deletions
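--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -94,7 +94,6 @@ static char *check_dir_or_file(const char *name) {
 return paths[i];
 }
 
-
 // return 1 if the file is in paths[]
 static int valid_full_path_file(const char *name) {
 assert(name);
@@ -186,8 +185,20 @@ static void duplicate(char *fname, FILE *fplist) {
 // copy the file
 if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
-else
+else {
+// if full_path is simlink, and the link is in our path, copy both
+if (is_link(full_path)) {
+char *actual_path = realpath(full_path, NULL);
+if (actual_path) {
+if (valid_full_path_file(actual_path))
+sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+free(actual_path);
+}
+}
+
 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
+}
+
 fs_logger2("clone", fname);
 free(full_path);
 }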
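Review bot: In the new `else` branch of `duplicate()`, the symlink is still copied when `realpath()` returns NULL or `valid_full_path_file(actual_path)` rejects the target, and neither case is reported, so `RUN_BIN_DIR` can end up holding a dangling link with no diagnostic. `realpath()` also resolves the whole chain, so for a link that points to another link only the final target and the first link are copied (assuming fcopy copies the link itself when `--follow-link` is absent). The extra file copied under `SBOX_ROOT` is not recorded either, since the only log entry is `fs_logger2("clone", fname);`; I would brace the `valid_full_path_file` branch, add `fs_logger2("clone", actual_path);` after its `sbox_run`, and print a warning on the two skip paths. The new comment's `simlink` should read `symlink`. `duplicate()` starts outside the hunk, so any earlier checks on `full_path` are not visible here.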