fixed firejail symlink problem for --private-bin option

author: netblue30 <netblue30@yahoo.com> 2016-06-03 09:20:55 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-03 09:20:55 -0400
commit: ae906b1042ee87166f43488adf4910d8d1b60af4 (patch)
tree: c7e22df6386ebd6fd8a4b1a23affccf7746b00ec /src
parent: lxc test fixes (diff)
download: firejail-ae906b1042ee87166f43488adf4910d8d1b60af4.tar.gz
firejail-ae906b1042ee87166f43488adf4910d8d1b60af4.tar.zst
firejail-ae906b1042ee87166f43488adf4910d8d1b60af4.zip
1 files changed, 18 insertions, 1 deletions
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 251a1cb8f..8c1fd8e81 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -48,8 +48,25 @@ static char *check_dir_or_file(const char *name) {
                        errExit("asprintf");
                if (arg_debug)
                        printf("Checking %s/%s\n", paths[i], name);             
-                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
+                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
+                        // check symlink to firejail executable in /usr/local/bin
+                        if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
+                                char *actual_path = realpath(fname, NULL);
+                                if (actual_path) {
+                                        char *ptr = strstr(actual_path, "/firejail");
+                                        if (ptr && strlen(ptr) == strlen("/firejail")) {
+                                                if (arg_debug)
+                                                        printf("firejail exec symlink detected\n");
+                                                free(fname);
+                                                fname = NULL;
+                                                i++;
+                                                continue;
+                                        }
+                                }
+                                
+                        }               
                        break; // file found
+                }
                
                free(fname);
                fname = NULL;
author	netblue30 <netblue30@yahoo.com>	2016-06-03 09:20:55 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-03 09:20:55 -0400
commit	ae906b1042ee87166f43488adf4910d8d1b60af4 (patch)
tree	c7e22df6386ebd6fd8a4b1a23affccf7746b00ec /src
parent	lxc test fixes (diff)
download	firejail-ae906b1042ee87166f43488adf4910d8d1b60af4.tar.gz firejail-ae906b1042ee87166f43488adf4910d8d1b60af4.tar.zst firejail-ae906b1042ee87166f43488adf4910d8d1b60af4.zip

diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 251a1cb8f..8c1fd8e81 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c
@@ -48,8 +48,25 @@ static char check_dir_or_file(const char name) {
48	errExit("asprintf");	48	errExit("asprintf");
49	if (arg_debug)	49	if (arg_debug)
50	printf("Checking %s/%s\n", paths[i], name);	50	printf("Checking %s/%s\n", paths[i], name);
51	if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories	51	if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
		52	// check symlink to firejail executable in /usr/local/bin
		53	if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
		54	char *actual_path = realpath(fname, NULL);
		55	if (actual_path) {
		56	char *ptr = strstr(actual_path, "/firejail");
		57	if (ptr && strlen(ptr) == strlen("/firejail")) {
		58	if (arg_debug)
		59	printf("firejail exec symlink detected\n");
		60	free(fname);
		61	fname = NULL;
		62	i++;
		63	continue;
		64	}
		65	}
		66
		67	}
52	break; // file found	68	break; // file found
		69	}
53		70
54	free(fname);	71	free(fname);
55	fname = NULL;	72	fname = NULL;