diff options
| -rw-r--r-- | src/firejail/fs.c | 26 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
| -rw-r--r-- | src/man/firejail.txt | 2 |
3 files changed, 13 insertions, 17 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 1fc1c0942..5b8093885 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -152,27 +152,24 @@ static char *create_empty_file(void) { | |||
| 152 | return RO_FILE; | 152 | return RO_FILE; |
| 153 | } | 153 | } |
| 154 | 154 | ||
| 155 | static void disable_file(OPERATION op, const char *fname, const char *emptydir, const char *emptyfile) { | 155 | static void disable_file(OPERATION op, const char *filename, const char *emptydir, const char *emptyfile) { |
| 156 | assert(fname); | 156 | assert(filename); |
| 157 | assert(emptydir); | 157 | assert(emptydir); |
| 158 | assert(emptyfile); | 158 | assert(emptyfile); |
| 159 | assert(op <OPERATION_MAX); | 159 | assert(op <OPERATION_MAX); |
| 160 | 160 | ||
| 161 | // if the file is a link, follow the link | 161 | // Resolve all symlinks |
| 162 | char *lnk = NULL; | 162 | char* fname = realpath(filename, NULL); |
| 163 | if (is_link(fname)) { | 163 | if (fname == NULL) { |
| 164 | lnk = get_link(fname); | 164 | printf("Warning: %s is an invalid file, skipping...\n", filename); |
| 165 | if (lnk) | 165 | return; |
| 166 | fname = lnk; | ||
| 167 | else | ||
| 168 | fprintf(stderr, "Warning: cannot follow link %s, skipping...\n", fname); | ||
| 169 | } | 166 | } |
| 170 | 167 | ||
| 171 | // if the file is not present, do nothing | 168 | // if the file is not present, do nothing |
| 172 | struct stat s; | 169 | struct stat s; |
| 173 | if (stat(fname, &s) == -1) { | 170 | if (stat(fname, &s) == -1) { |
| 174 | if (lnk) | 171 | printf("Warning: %s does not exist, skipping...\n", fname); |
| 175 | free(lnk); | 172 | free(fname); |
| 176 | return; | 173 | return; |
| 177 | } | 174 | } |
| 178 | 175 | ||
| @@ -211,8 +208,7 @@ static void disable_file(OPERATION op, const char *fname, const char *emptydir, | |||
| 211 | else | 208 | else |
| 212 | assert(0); | 209 | assert(0); |
| 213 | 210 | ||
| 214 | if (lnk) | 211 | free(fname); |
| 215 | free(lnk); | ||
| 216 | } | 212 | } |
| 217 | 213 | ||
| 218 | static void globbing(OPERATION op, const char *fname, const char *emptydir, const char *emptyfile) { | 214 | static void globbing(OPERATION op, const char *fname, const char *emptydir, const char *emptyfile) { |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index ff265c198..4941d8b8b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -130,7 +130,7 @@ Enable an user namespace without root user defined. | |||
| 130 | 130 | ||
| 131 | .SH Resource limits | 131 | .SH Resource limits |
| 132 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 132 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
| 133 | The limits can be modified inside the sandbox using the regular \fBulimt\fR command. Examples: | 133 | The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Examples: |
| 134 | 134 | ||
| 135 | .TP | 135 | .TP |
| 136 | \f\rlimit-fsize 1024 | 136 | \f\rlimit-fsize 1024 |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 21310aebc..fe2a909c9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -734,7 +734,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif | |||
| 734 | .br | 734 | .br |
| 735 | Example: | 735 | Example: |
| 736 | .br | 736 | .br |
| 737 | $ firejail \-\-sccomp | 737 | $ firejail \-\-seccomp |
| 738 | .TP | 738 | .TP |
| 739 | \fB\-\-seccomp=syscall,syscall,syscall | 739 | \fB\-\-seccomp=syscall,syscall,syscall |
| 740 | Enable seccomp filter, blacklist the default list and the syscalls specified by the command. | 740 | Enable seccomp filter, blacklist the default list and the syscalls specified by the command. |