4 files changed, 19 insertions, 1 deletions

diff --git a/etc/firejail.config b/etc/firejail.config
index 766802a7d..858ac4ec1 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -26,6 +26,10 @@
 # Enabled by default
 # follow-symlink-as-user yes
 
+# Follow symlink for private-bin command.
+# Disabled by default
+# follow-symlink-private-bin no
+
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 56ab7c932..02bff2bfa 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -46,6 +46,7 @@ int checkcfg(int val) {
                 cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
                 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
                 cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default
+                cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; // disabled by default
                 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
@@ -135,6 +136,15 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        // follow symlink in private-bin command
+                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
+                                if (strcmp(ptr + 27, "yes") == 0)
+                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
+                                else if (strcmp(ptr + 27, "no") == 0)
+                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
+                                else
+                                        goto errout;
+                        }
                         // nonewprivs
                         else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                 if (strcmp(ptr + 17, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index aec6f3de4..a41d5fa17 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -680,6 +680,7 @@ enum {
         CFG_PRIVATE_BIN_NO_LOCAL,
         CFG_FIREJAIL_PROMPT,
         CFG_FOLLOW_SYMLINK_AS_USER,
+        CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 3473fca4c..73edd2ef9 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -111,7 +111,10 @@ static void duplicate(char *fname) {
                 errExit("asprintf");
         
         // copy the file
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+        if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+        else
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
         fs_logger2("clone", fname);
         free(full_path);
 }