author | smitsohu <smitsohu@gmail.com> | 2019-08-09 15:24:45 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-08-09 15:24:45 +0200 |
commit | d32509945f13ccb9892ad15303230955bb525fae (patch) | |
tree | be817141d532145f569ac8a43d153158949304b1 | |
parent | Fix printer detection in okular and gwenview (diff) | |
rewrite/partial revert of 8bff773d6a7bf70c97b3d5b751df9ec0dd6c8b5d
The commit in question introduced an early check of the Firejail configuration
file, which broke "firejail in firejail" for some sandboxes.
See issue #2877.
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 28 |
4 files changed, 10 insertions, 24 deletions
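--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,9 +2,6 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
-# Resolve symbolic links in path of user home directories, default disabled.
-# homedir-symlink no
-
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 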
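--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -50,7 +50,6 @@ int checkcfg(int val) {
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
 cfg_val[CFG_XPRA_ATTACH] = 0;
-cfg_val[CFG_HOMEDIR_SYMLINK] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -86,7 +85,6 @@ int checkcfg(int val) {
 ptr = line_remove_spaces(buf);
 if (!ptr)
 continue;
-PARSE_YESNO(CFG_HOMEDIR_SYMLINK, "homedir-symlink")
 PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer")
 PARSE_YESNO(CFG_DBUS, "dbus")
 PARSE_YESNO(CFG_JOIN, "join")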
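--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -722,7 +722,6 @@ enum {
 CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
-CFG_HOMEDIR_SYMLINK,
 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_MAX // this should always be the last entry
 };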
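--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -259,25 +259,17 @@ static int has_link(const char *dir) {
 return 0;
 }
 
-static void build_cfg_homedir(const char *dir) {
-EUID_ASSERT();
-assert(dir);
-if (dir[0] != '/' || dir[1] == '\0') { // system users sometimes have root directory as home
-fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
+static void check_homedir(void) {
+assert(cfg.homedir);
+if (cfg.homedir[0] != '/' || cfg.homedir[1] == '\0') { // system users sometimes have root directory as home
+fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
 exit(1);
 }
-// symlinks are rejected in many places, offer a solution for home directories
-if (checkcfg(CFG_HOMEDIR_SYMLINK)) {
-cfg.homedir = realpath(dir, NULL);
-if (cfg.homedir)
-return;
+// symlinks are rejected in many places
+if (has_link(cfg.homedir)) {
+fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
+"Please provide resolved path in password database (/etc/passwd).\n\n");
 }
-else if (has_link(dir)) {
-fwarning("no full support for symbolic links in path of user directory.\n"
-"Please provide resolved path in password database (/etc/passwd)\n"
-"or enable symbolic link resolution in Firejail configuration file.\n\n");
-}
-cfg.homedir = clean_pathname(dir);
 }
 
 // init configuration
@@ -323,8 +315,8 @@ static void init_cfg(int argc, char **argv) {
 fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
 exit(1);
 }
-build_cfg_homedir(pw->pw_dir);
-assert(cfg.homedir);
+cfg.homedir = clean_pathname(pw->pw_dir);
+check_homedir();
 
 // initialize random number generator
 sandbox_pid = getpid();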
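Review bot: The rewrite drops the `EUID_ASSERT();` that opened build_cfg_homedir, yet check_homedir still hands the passwd-derived path to has_link(), so nothing in the visible lines pins this check to the unprivileged effective uid any more. has_link's body starts outside this hunk; if it touches the filesystem and does not assert on its own, I would restore `EUID_ASSERT();` as the first statement of check_homedir. Separately, the symlink notice now goes through a bare `fprintf(stderr, ...)` with no severity prefix while execution continues, so a reader of the output cannot tell it apart from the fatal "Error:" case a few lines above; starting the literal with `"Warning: no full support for symbolic links ..."` would make the non-fatal intent explicit.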