-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/firejail.config | 6 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 13 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 10 |
6 files changed, 27 insertions, 7 deletions
@@ -28,6 +28,7 @@ firejail (0.9.45) baseline; urgency=low | |||
28 | * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come | 28 | * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come |
29 | * feature: added a number o Python scripts for handling sandboxes | 29 | * feature: added a number o Python scripts for handling sandboxes |
30 | * feature: allow local customization using .local files under /etc/firejail | 30 | * feature: allow local customization using .local files under /etc/firejail |
31 | * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config | ||
31 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 32 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
32 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 33 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
33 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 34 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
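--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -20,6 +20,12 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
+# Follow symlink as user. While using --whitelist feature,
+# symlinks pointing outside home directory are followed only
+# if both the link and the real file are owned by the user.
+# Enabled by default
+# follow-symlink-as-user yes
+
 # Force use of nonewprivs. This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration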
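--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -80,7 +80,7 @@ xchat
 
 # dns
 dnscrypt-proxy
-dnsmaq
+dnsmasq
 unbound
 
 # emulators/compatibility layers
@@ -135,6 +135,7 @@ spotify
 totem
 vlc
 xfburn
+xmms
 xplayer
 xviewer
 eom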
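--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -124,12 +124,21 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// follow symlink as user
+else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) {
+if (strcmp(ptr + 23, "yes") == 0)
+cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1;
+else if (strcmp(ptr + 23, "no") == 0)
+cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0;
+else
+goto errout;
+}
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)
-cfg_val[CFG_SECCOMP] = 1;
+cfg_val[CFG_FORCE_NONEWPRIVS] = 1;
 else if (strcmp(ptr + 17, "no") == 0)
-cfg_val[CFG_SECCOMP] = 0;
+cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
 else
 goto errout;
 }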
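Review bot: Nothing in this hunk sets a default for `cfg_val[CFG_FOLLOW_SYMLINK_AS_USER]`, while etc/firejail.config documents the option as enabled by default. The initialisation sits in the part of checkcfg() outside the hunk, so confirm the slot starts at 1, because a 0 default would silently switch off the ownership check in fs_whitelist.c. Once confirmed, a short comment at the new branch would record it, for example `// default 1 (owner check enforced); "no" disables the symlink owner check in fs_whitelist()`. The `CFG_SECCOMP` to `CFG_FORCE_NONEWPRIVS` change further down alters what `force-nonewprivs` and the seccomp setting do at runtime, yet the RELNOTES hunk on this page adds no line for it, so it deserves its own entry.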
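--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -678,6 +678,7 @@ enum {
 CFG_PRIVATE_HOME,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
+CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;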
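--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -406,10 +406,12 @@ void fs_whitelist(void) {
 
 // both path and absolute path are under /home
 if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-// check if the file is owned by the user
-struct stat s;
-if (stat(fname, &s) == 0 && s.st_uid != getuid())
-goto errexit;
+if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
+// check if the file is owned by the user
+struct stat s;
+if (stat(fname, &s) == 0 && s.st_uid != getuid())
+goto errexit;
+}
 }
 }
 else if (strncmp(new_name, "/tmp/", 5) == 0) {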
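Review bot: The ownership check wrapped by the new `checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)` test fails open, because `stat(fname, &s) == 0 && s.st_uid != getuid()` rejects only when stat() succeeds, so a target that cannot be stat'ed is accepted. Assuming a missing target is already rejected earlier in fs_whitelist() (its body extends beyond the hunk), the enabled path can fail closed with `if (stat(fname, &s) != 0 || s.st_uid != getuid()) goto errexit;`. With `follow-symlink-as-user no` the check is skipped entirely for paths resolving outside the home directory, which matters for a binary that is normally installed setuid, so a log line when the option is off would help an administrator notice the weaker setting. stat() follows links, so only the resolved target's owner is examined here, while etc/firejail.config says both the link and the real file must be owned by the user. Either the link is checked elsewhere in the function or the config wording should be narrowed.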