author | netblue30 <netblue30@yahoo.com> | 2017-11-09 09:25:38 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-11-09 09:25:38 -0500 |
commit | f75adc62100109ed0e9f367b0216b24111aac58c (patch) | |
tree | c954038416c32f854ccd818b13b471803579b656 /src | |
parent | README (diff) | |
deprecated follow-symlink-private-bin from /etc/firejail/firejail.config
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 35 |
3 files changed, 17 insertions, 28 deletions
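--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -47,7 +47,6 @@ int checkcfg(int val) {
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
-cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
 cfg_val[CFG_XPRA_ATTACH] = 0;
@@ -151,12 +150,8 @@ int checkcfg(int val) {
 }
 // follow symlink in private-bin command
 else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-if (strcmp(ptr + 27, "yes") == 0)
-cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
-else if (strcmp(ptr + 27, "no") == 0)
-cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
-else
-goto errout;
+if (!arg_quiet)
+fprintf(stderr, "Warning:follow-symlink-private-bin from firejail.config was deprecated\n");
 }
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {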
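Review bot: The deprecation message on the new `fprintf(stderr, ...)` line lacks a space after the colon, is phrased in the past tense, and does not tell the administrator that the value is now ignored. Suggest `fprintf(stderr, "Warning: follow-symlink-private-bin from firejail.config is deprecated and ignored\n");`. With the `goto errout` branch removed, any text after the keyword (including a malformed value) is now silently accepted, which is acceptable for a deprecated key but is exactly why the message should say the setting has no effect. `arg_quiet` is presumably a global declared outside this hunk, and `checkcfg()` continues beyond it.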
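--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -734,7 +734,6 @@ enum {
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
-CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
 CFG_DISABLE_MNT,
 CFG_JOIN,
 CFG_ARP_PROBES,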
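--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -182,29 +182,24 @@ static void duplicate(char *fname, FILE *fplist) {
 if (fplist)
 fprintf(fplist, "%s\n", full_path);
 
-// copy the file
-if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
-else {
-// if full_path is simlink, and the link is in our path, copy both
-if (is_link(full_path)) {
-char *actual_path = realpath(full_path, NULL);
-if (actual_path) {
-if (valid_full_path_file(actual_path)) {
-// solving problems such as /bin/sh -> /bin/dash
-// copy the real file pointed by symlink
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
-char *f = strrchr(actual_path, '/');
-if (f && *(++f) !='\0')
-report_duplication(f);
-}
-free(actual_path);
+// if full_path is symlink, and the link is in our path, copy both the file and the symlink
+if (is_link(full_path)) {
+char *actual_path = realpath(full_path, NULL);
+if (actual_path) {
+if (valid_full_path_file(actual_path)) {
+// solving problems such as /bin/sh -> /bin/dash
+// copy the real file pointed by symlink
+sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+char *f = strrchr(actual_path, '/');
+if (f && *(++f) !='\0')
+report_duplication(f);
 }
+free(actual_path);
 }
-
-// copy a file or a symlink
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 }
+
+// copy a file or a symlink
+sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 free(full_path);
 report_duplication(fname);
 }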
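Review bot: The final `sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR)` line still copies the symlink when `realpath()` returned NULL or when `valid_full_path_file(actual_path)` rejected the target, so a link whose target lies outside the private-bin search path (or a broken link) is installed as a dangling symlink with no diagnostic, whereas the removed `--follow-link` mode would have copied the target's contents under the link name. Users who relied on that config option will now see the command fail inside the sandbox with nothing in the log explaining why. Suggest a warning on both paths, e.g. after the `valid_full_path_file` check: `else if (!arg_quiet) fprintf(stderr, "Warning: %s is a symlink to a file outside the private-bin search path; the link will not resolve in the sandbox\n", full_path);`, and a matching message when `realpath` fails. Note also that `realpath()` collapses a chain of links to its final target, so an intermediate link (an `/etc/alternatives` entry, say) is not recreated; presumably that path is still visible in the sandbox, but a comment stating the assumption would help. `duplicate()` begins before this hunk.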