Following links in private-bin command ported from #1100 created problems for some users. I added a follow-symlink-private-bin entry in /etc/firejail/firejail.config file to enable/disable this functionality - default disabled.

author: netblue30 <netblue30@yahoo.com> 2017-03-07 08:20:15 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-03-07 08:20:15 -0500
commit: 7b48318477da5a4c7509670b55270cc7d14125b3 (patch)
tree: 5b55d6b857fd915f9973abe5fd7c2de6a71b255d /src
parent: spelling (diff)
download: firejail-7b48318477da5a4c7509670b55270cc7d14125b3.tar.gz
firejail-7b48318477da5a4c7509670b55270cc7d14125b3.tar.zst
firejail-7b48318477da5a4c7509670b55270cc7d14125b3.zip
3 files changed, 15 insertions, 1 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 56ab7c932..02bff2bfa 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -46,6 +46,7 @@ int checkcfg(int val) {
                cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
                cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
                cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default
+                cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; // disabled by default
                
                // open configuration file
                const char *fname = SYSCONFDIR "/firejail.config";
@@ -135,6 +136,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // follow symlink in private-bin command
+                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
+                                if (strcmp(ptr + 27, "yes") == 0)
+                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
+                                else if (strcmp(ptr + 27, "no") == 0)
+                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
+                                else
+                                        goto errout;
+                        }
                        // nonewprivs
                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                if (strcmp(ptr + 17, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index aec6f3de4..a41d5fa17 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -680,6 +680,7 @@ enum {
        CFG_PRIVATE_BIN_NO_LOCAL,
        CFG_FIREJAIL_PROMPT,
        CFG_FOLLOW_SYMLINK_AS_USER,
+        CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
        CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 3473fca4c..73edd2ef9 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -111,7 +111,10 @@ static void duplicate(char *fname) {
                errExit("asprintf");
        
        // copy the file
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+        if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+        else
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
        fs_logger2("clone", fname);
        free(full_path);
 }
author	netblue30 <netblue30@yahoo.com>	2017-03-07 08:20:15 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-03-07 08:20:15 -0500
commit	7b48318477da5a4c7509670b55270cc7d14125b3 (patch)
tree	5b55d6b857fd915f9973abe5fd7c2de6a71b255d /src
parent	spelling (diff)
download	firejail-7b48318477da5a4c7509670b55270cc7d14125b3.tar.gz firejail-7b48318477da5a4c7509670b55270cc7d14125b3.tar.zst firejail-7b48318477da5a4c7509670b55270cc7d14125b3.zip