deprecated follow-symlink-as-user from firejail.config

5 files changed, 6 insertions, 9 deletions

diff --git a/RELNOTES b/RELNOTES
index 786a1afcd..74ef66fb9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,6 @@
 firejail (0.9.65) baseline; urgency=low
+  * deprecated --audit options, relpaced by jailtest
+  * deprecated follow-symlink-as-user from firejail.config
   * filtering environment variables
   * zsh completion
   * command line: --mkdir, --mkfile
@@ -7,7 +9,6 @@ firejail (0.9.65) baseline; urgency=low
   * private-lib rework
   * whitelist rework
   * jailtest utility for testing running sandboxes
-  * removed --audit options, relpaced by jailtest
   * capabilities list update
   * faccessat2 syscall support
   * --private-dev keeps /dev/input
diff --git a/etc/firejail.config b/etc/firejail.config
index 9dd33b5ed..c671efef9 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -46,12 +46,6 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
-# Follow symlink as user. While using --whitelist feature,
-# symlinks pointing outside home directory are followed only
-# if both the link and the real file are owned by the user.
-# Enabled by default
-# follow-symlink-as-user yes
-
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 614b144e5..cb087d395 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -103,7 +103,6 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_USERNS, "userns")
                         PARSE_YESNO(CFG_CHROOT, "chroot")
                         PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
-                        PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user")
                         PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
                         PARSE_YESNO(CFG_SECCOMP, "seccomp")
                         PARSE_YESNO(CFG_WHITELIST, "whitelist")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1c1ad4e97..1da70fd54 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -765,7 +765,6 @@ enum {
         CFG_PRIVATE_HOME,
         CFG_PRIVATE_BIN_NO_LOCAL,
         CFG_FIREJAIL_PROMPT,
-        CFG_FOLLOW_SYMLINK_AS_USER,
         CFG_DISABLE_MNT,
         CFG_JOIN,
         CFG_ARP_PROBES,
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7cfa58078..31694558d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1904,6 +1904,8 @@ int main(int argc, char **argv, char **envp) {
                 }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
+                        // disable whitelisting in home directory
+                        profile_add("whitelist ~/*");
                 }
                 else if (strncmp(argv[i], "--private=", 10) == 0) {
                         if (cfg.home_private_keep) {
@@ -1925,6 +1927,8 @@ int main(int argc, char **argv, char **envp) {
                                 cfg.home_private = NULL;
                         }
                         arg_private = 1;
+                        // disable whitelisting in home directory
+                        profile_add("whitelist ~/*");
                 }
 #ifdef HAVE_PRIVATE_HOME
                 else if (strncmp(argv[i], "--private-home=", 15) == 0) {