fix symlink whitelist

author: netblue30 <netblue30@yahoo.com> 2015-11-11 12:30:57 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-11 12:30:57 -0500
commit: 14c94f18ccae4739ef4b0e6771f2fd16caaec1fb (patch)
tree: ec01103064bdd8c3d8e430681df9f150d41f2f17 /src
parent: added whitelist-common.inc (diff)
download: firejail-14c94f18ccae4739ef4b0e6771f2fd16caaec1fb.tar.gz
firejail-14c94f18ccae4739ef4b0e6771f2fd16caaec1fb.tar.zst
firejail-14c94f18ccae4739ef4b0e6771f2fd16caaec1fb.zip
2 files changed, 24 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5a917fd1f..58c497cd8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -86,7 +86,8 @@ typedef struct interface_t {
 typedef struct profile_entry_t {
        struct profile_entry_t *next;
-        char *data;
+        char *data;     // expanded name of the file
+        char *link;     // link name - set if the file is a link
 }ProfileEntry;
 typedef struct config_t {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index fac08705d..c856359f6 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -143,9 +143,16 @@ void fs_whitelist(void) {
                }
                char *new_name = expand_home(entry->data + 10, cfg.homedir);
                assert(new_name);
                char *fname = realpath(new_name, NULL);
-                free(new_name);
+                // mark symbolic links
+                if (is_link(new_name))
+                        entry->link = new_name;
+                else
+                        free(new_name);
                if (fname) {
                        // change file name in entry->data
                        if (strcmp(fname, entry->data + 10) != 0) {
@@ -194,8 +201,22 @@ void fs_whitelist(void) {
                        continue;
                }
+                // whitelist the real file
                whitelist_path(entry->data + 10);
+                // create the link if any
+                if (entry->link) {
+                        // if the link is already there, do not bother
+                        struct stat s;
+                        if (stat(entry->link, &s) != 0) {
+                                int rv = symlink(entry->data + 10, entry->link);
+                                if (rv)
+                                        fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
+                                else if (arg_debug)
+                                        printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
+                        }
+                }
                entry = entry->next;
        }
author	netblue30 <netblue30@yahoo.com>	2015-11-11 12:30:57 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-11 12:30:57 -0500
commit	14c94f18ccae4739ef4b0e6771f2fd16caaec1fb (patch)
tree	ec01103064bdd8c3d8e430681df9f150d41f2f17 /src
parent	added whitelist-common.inc (diff)
download	firejail-14c94f18ccae4739ef4b0e6771f2fd16caaec1fb.tar.gz firejail-14c94f18ccae4739ef4b0e6771f2fd16caaec1fb.tar.zst firejail-14c94f18ccae4739ef4b0e6771f2fd16caaec1fb.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5a917fd1f..58c497cd8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -86,7 +86,8 @@ typedef struct interface_t {
86		86
87	typedef struct profile_entry_t {	87	typedef struct profile_entry_t {
88	struct profile_entry_t *next;	88	struct profile_entry_t *next;
89	char *data;	89	char *data; // expanded name of the file
		90	char *link; // link name - set if the file is a link
90	}ProfileEntry;	91	}ProfileEntry;
91		92
92	typedef struct config_t {	93	typedef struct config_t {


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index fac08705d..c856359f6 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -143,9 +143,16 @@ void fs_whitelist(void) {
143	}	143	}
144		144
145	char *new_name = expand_home(entry->data + 10, cfg.homedir);	145	char *new_name = expand_home(entry->data + 10, cfg.homedir);
		146
146	assert(new_name);	147	assert(new_name);
147	char *fname = realpath(new_name, NULL);	148	char *fname = realpath(new_name, NULL);
148	free(new_name);	149
		150	// mark symbolic links
		151	if (is_link(new_name))
		152	entry->link = new_name;
		153	else
		154	free(new_name);
		155
149	if (fname) {	156	if (fname) {
150	// change file name in entry->data	157	// change file name in entry->data
151	if (strcmp(fname, entry->data + 10) != 0) {	158	if (strcmp(fname, entry->data + 10) != 0) {
@@ -194,8 +201,22 @@ void fs_whitelist(void) {
194	continue;	201	continue;
195	}	202	}
196		203
		204	// whitelist the real file
197	whitelist_path(entry->data + 10);	205	whitelist_path(entry->data + 10);
198		206
		207	// create the link if any
		208	if (entry->link) {
		209	// if the link is already there, do not bother
		210	struct stat s;
		211	if (stat(entry->link, &s) != 0) {
		212	int rv = symlink(entry->data + 10, entry->link);
		213	if (rv)
		214	fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
		215	else if (arg_debug)
		216	printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
		217	}
		218	}
		219
199	entry = entry->next;	220	entry = entry->next;
200	}	221	}
201		222