diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-02-12 10:17:32 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-02-12 10:17:32 -0500 |
| commit | 3f3dd80ed63236c06ccbee2c54fa9d7cd2341c16 (patch) | |
| tree | 14537e2a1639d68675c2b49eeb6441be16196d46 | |
| parent | firecfg.config fix (diff) | |
| download | firejail-3f3dd80ed63236c06ccbee2c54fa9d7cd2341c16.tar.gz firejail-3f3dd80ed63236c06ccbee2c54fa9d7cd2341c16.tar.zst firejail-3f3dd80ed63236c06ccbee2c54fa9d7cd2341c16.zip | |
follow-symlink-as-user runtime config option in /etc/firejail/firejail.config
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | etc/firejail.config | 6 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 10 |
5 files changed, 23 insertions, 4 deletions
| @@ -28,6 +28,7 @@ firejail (0.9.45) baseline; urgency=low | |||
| 28 | * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come | 28 | * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come |
| 29 | * feature: added a number o Python scripts for handling sandboxes | 29 | * feature: added a number o Python scripts for handling sandboxes |
| 30 | * feature: allow local customization using .local files under /etc/firejail | 30 | * feature: allow local customization using .local files under /etc/firejail |
| 31 | * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config | ||
| 31 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 32 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
| 32 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 33 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
| 33 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 34 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
diff --git a/etc/firejail.config b/etc/firejail.config index 824e3f503..5498b2112 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -20,6 +20,12 @@ | |||
| 20 | # Enable Firejail green prompt in terminal, default disabled | 20 | # Enable Firejail green prompt in terminal, default disabled |
| 21 | # firejail-prompt no | 21 | # firejail-prompt no |
| 22 | 22 | ||
| 23 | # Follow symlink as user. While using --whitelist feature, | ||
| 24 | # symlinks pointing outside home directory are followed only | ||
| 25 | # if both the link and the real file are owned by the user. | ||
| 26 | # Enabled by default | ||
| 27 | # follow-symlink-as-user yes | ||
| 28 | |||
| 23 | # Force use of nonewprivs. This mitigates the possibility of | 29 | # Force use of nonewprivs. This mitigates the possibility of |
| 24 | # a user abusing firejail's features to trick a privileged (suid | 30 | # a user abusing firejail's features to trick a privileged (suid |
| 25 | # or file capabilities) process into loading code or configuration | 31 | # or file capabilities) process into loading code or configuration |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3a2101c6a..4fdc3b22a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -124,6 +124,15 @@ int checkcfg(int val) { | |||
| 124 | else | 124 | else |
| 125 | goto errout; | 125 | goto errout; |
| 126 | } | 126 | } |
| 127 | // follow symlink as user | ||
| 128 | else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) { | ||
| 129 | if (strcmp(ptr + 23, "yes") == 0) | ||
| 130 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1; | ||
| 131 | else if (strcmp(ptr + 23, "no") == 0) | ||
| 132 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0; | ||
| 133 | else | ||
| 134 | goto errout; | ||
| 135 | } | ||
| 127 | // nonewprivs | 136 | // nonewprivs |
| 128 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { | 137 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { |
| 129 | if (strcmp(ptr + 17, "yes") == 0) | 138 | if (strcmp(ptr + 17, "yes") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f7b3ce0ac..b7d2c4304 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -678,6 +678,7 @@ enum { | |||
| 678 | CFG_PRIVATE_HOME, | 678 | CFG_PRIVATE_HOME, |
| 679 | CFG_PRIVATE_BIN_NO_LOCAL, | 679 | CFG_PRIVATE_BIN_NO_LOCAL, |
| 680 | CFG_FIREJAIL_PROMPT, | 680 | CFG_FIREJAIL_PROMPT, |
| 681 | CFG_FOLLOW_SYMLINK_AS_USER, | ||
| 681 | CFG_MAX // this should always be the last entry | 682 | CFG_MAX // this should always be the last entry |
| 682 | }; | 683 | }; |
| 683 | extern char *xephyr_screen; | 684 | extern char *xephyr_screen; |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b0e4463ae..1794e4b35 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -406,10 +406,12 @@ void fs_whitelist(void) { | |||
| 406 | 406 | ||
| 407 | // both path and absolute path are under /home | 407 | // both path and absolute path are under /home |
| 408 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { | 408 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { |
| 409 | // check if the file is owned by the user | 409 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { |
| 410 | struct stat s; | 410 | // check if the file is owned by the user |
| 411 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) | 411 | struct stat s; |
| 412 | goto errexit; | 412 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) |
| 413 | goto errexit; | ||
| 414 | } | ||
| 413 | } | 415 | } |
| 414 | } | 416 | } |
| 415 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 417 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |