-rw-r--r--src/firejail/fs.c5
-rwxr-xr-xtest/blacklist-link.exp55
-rwxr-xr-xtest/test.sh4
3 files changed, 52 insertions, 12 deletions
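--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -154,8 +154,11 @@ static void disable_file(OPERATION op, const char *filename, const char *emptydi
  // modify the file
  if (op == BLACKLIST_FILE) {
  // some distros put all executables under /usr/bin and make /bin a symbolic link
- if (is_link(filename) && S_ISDIR(s.st_mode))
+ if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) &&
+ is_link(filename) &&
+ S_ISDIR(s.st_mode))
  fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
+
  else {
  if (arg_debug)
  printf("Disable %s\n", fname);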
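Review bot: The exemption at new lines 157–159 compares `fname` with two hard-coded paths, but nothing in the hunk says what `fname` holds or why only these two directories are exempt. `fname` is presumably the resolved target of `filename` (its assignment is outside the hunk), in which case any link that resolves to /bin or /usr/bin is left unblacklisted and the only signal is a warning on stderr. I would state that above the condition, e.g. `// fname is the resolved path; only links to /bin and /usr/bin are exempt, every other directory link is blacklisted`, and put braces around the multi-line `if` body so the blank line added before `else` cannot obscure which branch it belongs to. disable_file's body starts and ends outside the hunk.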
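--- a/test/blacklist-link.exp
+++ b/test/blacklist-link.exp
@@ -8,18 +8,14 @@ match_max 100000
 send -- "firejail --blacklist=auto2\r"
 expect {
  timeout {puts "TESTING ERROR 1\n";exit}
- "directory link was not blacklisted"
-}
-expect {
- timeout {puts "TESTING ERROR 1.1\n";exit}
  "Child process initialized"
 }
 sleep 1
 
-send -- "file auto2\r"
+send -- "ls auto2\r"
 expect {
  timeout {puts "TESTING ERROR 2\n";exit}
- "symbolic link to"
+ "cannot open directory"
 }
 send -- "exit\r"
 sleep 1
@@ -28,22 +24,59 @@ sleep 1
 send -- "firejail --profile=blacklist3.profile\r"
 expect {
  timeout {puts "TESTING ERROR 3\n";exit}
- "directory link was not blacklisted"
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls auto2\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "cannot open directory"
+}
+send -- "exit\r"
+sleep 1
+
+# do not blacklist /bin
+send -- "firejail --blacklist=auto3\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "auto3 directory link was not blacklisted"
 }
 expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
+ timeout {puts "TESTING ERROR 5.1\n";exit}
  "Child process initialized"
 }
 sleep 1
 
-send -- "file auto2\r"
+send -- "ls auto3; pwd\r"
 expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "symbolic link to"
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "cannot open directory" {puts "TESTING ERROR 6.1\n";exit}
+ "home"
 }
 send -- "exit\r"
 sleep 1
 
+# do not blacklist /usr/bin
+send -- "firejail --blacklist=auto3\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "auto3 directory link was not blacklisted"
+}
+expect {
+ timeout {puts "TESTING ERROR 7.1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls auto3; pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "cannot open directory" {puts "TESTING ERROR 9.1\n";exit}
+ "home"
+}
+send -- "exit\r"
+sleep 1
 
 
 puts "all done\n"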
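Review bot: The block commented `# do not blacklist /usr/bin` (new lines 60–79) sends `firejail --blacklist=auto3` and `ls auto3; pwd` again, so it repeats the /bin case and never uses the `auto4` link that test.sh creates for /usr/bin. As written, the `"/usr/bin"` comparison added in fs.c is not exercised by this test. Changing those lines to `send -- "firejail --blacklist=auto4\r"`, `"auto4 directory link was not blacklisted"` and `send -- "ls auto4; pwd\r"` would cover it. The failure label `TESTING ERROR 9.1` at new line 75 also breaks the numbering; `TESTING ERROR 8.1` would match the `TESTING ERROR 8` timeout just above it.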
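--- a/test/test.sh
+++ b/test/test.sh
@@ -16,9 +16,13 @@ echo "TESTING: blacklist"
 rm -fr dir\ with\ space
 
 ln -s auto auto2
+ln -s /bin auto3
+ln -s /usr/bin auto4
 echo "TESTING: blacklist directory link"
 ./blacklist-link.exp
 rm -fr auto2
+rm -fr auto3
+rm -fr auto4
 
 
 echo "TESTING: version"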