-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 35 |
5 files changed, 19 insertions, 33 deletions
@@ -4,6 +4,7 @@ firejail (0.9.51) baseline; urgency=low | |||
4 | read-only, read-write, tmpfs and noexec are allowed in | 4 | read-only, read-write, tmpfs and noexec are allowed in |
5 | private home directories | 5 | private home directories |
6 | * modif: remount-proc-sys deprecated from firejail.config | 6 | * modif: remount-proc-sys deprecated from firejail.config |
7 | * modif: follow-symlink-private-bin deprecated from firejail.config | ||
7 | * modif: --profile-path was deprecated | 8 | * modif: --profile-path was deprecated |
8 | * enhancement: support Firejail user config directory in firecfg | 9 | * enhancement: support Firejail user config directory in firecfg |
9 | * enhancement: disable DBus activation in firecfg | 10 | * enhancement: disable DBus activation in firecfg |
@@ -39,7 +40,7 @@ firejail (0.9.51) baseline; urgency=low | |||
39 | cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, | 40 | cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, |
40 | xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass | 41 | xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass |
41 | 42 | ||
42 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 | 43 | -- netblue30 <netblue30@yahoo.com> Thu, 9 Nov 2017 08:00:00 -0500 |
43 | 44 | ||
44 | firejail (0.9.50~rc1) baseline; urgency=low | 45 | firejail (0.9.50~rc1) baseline; urgency=low |
45 | * release pending! | 46 | * release pending! |
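--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -37,10 +37,6 @@
 # Enabled by default
 # follow-symlink-as-user yes
 
-# Follow symlink for private-bin command.
-# Disabled by default
-# follow-symlink-private-bin no
-
 # Force use of nonewprivs. This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration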
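--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -47,7 +47,6 @@ int checkcfg(int val) {
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
-cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
 cfg_val[CFG_XPRA_ATTACH] = 0;
@@ -151,12 +150,8 @@ int checkcfg(int val) {
 }
 // follow symlink in private-bin command
 else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-if (strcmp(ptr + 27, "yes") == 0)
-cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
-else if (strcmp(ptr + 27, "no") == 0)
-cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
-else
-goto errout;
+if (!arg_quiet)
+fprintf(stderr, "Warning:follow-symlink-private-bin from firejail.config was deprecated\n");
 }
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {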
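Review bot: The new warning in the `follow-symlink-private-bin` branch says the option "was deprecated" but not that its value is now ignored, and the branch accepts any value where the old code rejected anything other than yes/no via `goto errout`. An administrator who had set `yes` gets no indication that private-bin no longer passes `--follow-link` to the copy helper, and the message disappears entirely when `arg_quiet` is set. I would word it as `fprintf(stderr, "Warning: follow-symlink-private-bin in firejail.config is deprecated and ignored\n");`, which also restores the missing space after `Warning:`, and update the branch comment to `// follow-symlink-private-bin: deprecated, accepted and ignored`. The rest of `checkcfg()` lies outside these hunks.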
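--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -734,7 +734,6 @@ enum {
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
-CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
 CFG_DISABLE_MNT,
 CFG_JOIN,
 CFG_ARP_PROBES,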
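--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -182,29 +182,24 @@ static void duplicate(char *fname, FILE *fplist) {
 if (fplist)
 fprintf(fplist, "%s\n", full_path);
 
-// copy the file
-if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
-else {
-// if full_path is simlink, and the link is in our path, copy both
-if (is_link(full_path)) {
-char *actual_path = realpath(full_path, NULL);
-if (actual_path) {
-if (valid_full_path_file(actual_path)) {
-// solving problems such as /bin/sh -> /bin/dash
-// copy the real file pointed by symlink
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
-char *f = strrchr(actual_path, '/');
-if (f && *(++f) !='\0')
-report_duplication(f);
-}
-free(actual_path);
+// if full_path is symlink, and the link is in our path, copy both the file and the symlink
+if (is_link(full_path)) {
+char *actual_path = realpath(full_path, NULL);
+if (actual_path) {
+if (valid_full_path_file(actual_path)) {
+// solving problems such as /bin/sh -> /bin/dash
+// copy the real file pointed by symlink
+sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+char *f = strrchr(actual_path, '/');
+if (f && *(++f) !='\0')
+report_duplication(f);
 }
+free(actual_path);
 }
-
-// copy a file or a symlink
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 }
+
+// copy a file or a symlink
+sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 free(full_path);
 report_duplication(fname);
 }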
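Review bot: When `realpath()` returns NULL or `valid_full_path_file(actual_path)` rejects the target, the new code says nothing and still copies the symlink itself into `RUN_BIN_DIR`, so the private bin directory can hold a link whose target was never copied. `valid_full_path_file()` is not visible in this hunk; assuming it is the check that confines link targets to the allowed bin directories, a rejected target deserves a diagnostic, for example `else if (!arg_quiet) fprintf(stderr, "Warning: target of %s not copied into private-bin\n", full_path);` after the inner `if` block. The path is also validated in this process and then copied by a separate `sbox_run(SBOX_ROOT| SBOX_SECCOMP, ...)` call, so a comment stating that the searched directories are expected to be writable only by root would document why the gap between check and copy is acceptable. `duplicate()` begins above this hunk.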