4 files changed, 14 insertions, 10 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 5a189559a..255da0fbd 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -286,6 +286,7 @@ blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/MangoHud
 blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index b31818274..b0be8a517 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
+noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
 noblacklist ${HOME}/.config/RogueLegacyStorageContainer
@@ -55,6 +56,7 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Epic
 mkdir ${HOME}/.config/Loop_Hero
+mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
 mkdir ${HOME}/.config/unity3d
@@ -85,6 +87,7 @@ mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
 whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
+whitelist ${HOME}/.config/MangoHud
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
@@ -162,3 +165,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+read-only ${HOME}/.config/MangoHud
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 4be35e23f..c64d20127 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -402,15 +402,6 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) {
        gid_t gid = s->st_gid;
        mode_t mode = s->st_mode;
-        // NixOS problem #4887:
-        //      /etc/fonts is a double symlink to a directory - copy the files instead of copying the symlink
-        if (strcmp(src, "/etc/fonts") == 0) {
-                duplicate_dir(src, dest, s);
-                free(rsrc);
-                free(rdest);
-                return;
-        }
        // build destination file name
        char *name;
        //     char *ptr = strrchr(rsrc, '/');
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 786e0d360..deaee31bb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -165,7 +165,14 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
                errExit("asprintf");
        build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
-        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+        // follow links! this will make a copy of the file or directory pointed by the symlink
+        // this will solve problems such as NixOS #4887
+        // don't follow links to dynamic directories such as /proc
+        if (strcmp(src, "/etc/mtab") == 0)
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+        else
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
        free(dst);
        fs_logger2("clone", src);

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 5a189559a..255da0fbd 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -286,6 +286,7 @@ blacklist ${HOME}/.config/LibreCAD
286	blacklist ${HOME}/.config/Loop_Hero	286	blacklist ${HOME}/.config/Loop_Hero
287	blacklist ${HOME}/.config/Luminance	287	blacklist ${HOME}/.config/Luminance
288	blacklist ${HOME}/.config/LyX	288	blacklist ${HOME}/.config/LyX
		289	blacklist ${HOME}/.config/MangoHud
289	blacklist ${HOME}/.config/Mattermost	290	blacklist ${HOME}/.config/Mattermost
290	blacklist ${HOME}/.config/Meltytech	291	blacklist ${HOME}/.config/Meltytech
291	blacklist ${HOME}/.config/Mendeley Ltd.	292	blacklist ${HOME}/.config/Mendeley Ltd.


diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index b31818274..b0be8a517 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile
@@ -8,6 +8,7 @@ include globals.local
8		8
9	noblacklist ${HOME}/.config/Epic	9	noblacklist ${HOME}/.config/Epic
10	noblacklist ${HOME}/.config/Loop_Hero	10	noblacklist ${HOME}/.config/Loop_Hero
		11	noblacklist ${HOME}/.config/MangoHud
11	noblacklist ${HOME}/.config/ModTheSpire	12	noblacklist ${HOME}/.config/ModTheSpire
12	noblacklist ${HOME}/.config/RogueLegacy	13	noblacklist ${HOME}/.config/RogueLegacy
13	noblacklist ${HOME}/.config/RogueLegacyStorageContainer	14	noblacklist ${HOME}/.config/RogueLegacyStorageContainer
@@ -55,6 +56,7 @@ include disable-programs.inc
55		56
56	mkdir ${HOME}/.config/Epic	57	mkdir ${HOME}/.config/Epic
57	mkdir ${HOME}/.config/Loop_Hero	58	mkdir ${HOME}/.config/Loop_Hero
		59	mkdir ${HOME}/.config/MangoHud
58	mkdir ${HOME}/.config/ModTheSpire	60	mkdir ${HOME}/.config/ModTheSpire
59	mkdir ${HOME}/.config/RogueLegacy	61	mkdir ${HOME}/.config/RogueLegacy
60	mkdir ${HOME}/.config/unity3d	62	mkdir ${HOME}/.config/unity3d
@@ -85,6 +87,7 @@ mkfile ${HOME}/.steampath
85	mkfile ${HOME}/.steampid	87	mkfile ${HOME}/.steampid
86	whitelist ${HOME}/.config/Epic	88	whitelist ${HOME}/.config/Epic
87	whitelist ${HOME}/.config/Loop_Hero	89	whitelist ${HOME}/.config/Loop_Hero
		90	whitelist ${HOME}/.config/MangoHud
88	whitelist ${HOME}/.config/ModTheSpire	91	whitelist ${HOME}/.config/ModTheSpire
89	whitelist ${HOME}/.config/RogueLegacy	92	whitelist ${HOME}/.config/RogueLegacy
90	whitelist ${HOME}/.config/RogueLegacyStorageContainer	93	whitelist ${HOME}/.config/RogueLegacyStorageContainer
@@ -162,3 +165,5 @@ private-tmp
162		165
163	# dbus-user none	166	# dbus-user none
164	# dbus-system none	167	# dbus-system none
		168
		169	read-only ${HOME}/.config/MangoHud


diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 4be35e23f..c64d20127 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c
@@ -402,15 +402,6 @@ static void duplicate_link(const char src, const char dest, struct stat *s) {
402	gid_t gid = s->st_gid;	402	gid_t gid = s->st_gid;
403	mode_t mode = s->st_mode;	403	mode_t mode = s->st_mode;
404		404
405	// NixOS problem #4887:
406	// /etc/fonts is a double symlink to a directory - copy the files instead of copying the symlink
407	if (strcmp(src, "/etc/fonts") == 0) {
408	duplicate_dir(src, dest, s);
409	free(rsrc);
410	free(rdest);
411	return;
412	}
413
414	// build destination file name	405	// build destination file name
415	char *name;	406	char *name;
416	// char *ptr = strrchr(rsrc, '/');	407	// char *ptr = strrchr(rsrc, '/');


diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 786e0d360..deaee31bb 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c
@@ -165,7 +165,14 @@ static void duplicate(const char fname, const char private_dir, const char *pr
165	errExit("asprintf");	165	errExit("asprintf");
166		166
167	build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));	167	build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
168	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);	168
		169	// follow links! this will make a copy of the file or directory pointed by the symlink
		170	// this will solve problems such as NixOS #4887
		171	// don't follow links to dynamic directories such as /proc
		172	if (strcmp(src, "/etc/mtab") == 0)
		173	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
		174	else
		175	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
169		176
170	free(dst);	177	free(dst);
171	fs_logger2("clone", src);	178	fs_logger2("clone", src);