4 files changed, 70 insertions, 8 deletions

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f4384faf7..1cfdbaea7 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -153,15 +153,20 @@ static void disable_file(OPERATION op, const char *filename, const char *emptydi
 
         // modify the file
         if (op == BLACKLIST_FILE) {
-                if (arg_debug)
-                        printf("Disable %s\n", fname);
-                if (S_ISDIR(s.st_mode)) {
-                        if (mount(emptydir, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable file");
-                }
+                // some distros put all executables under /usr/bin and make /bin a symbolic link
+                if (is_link(filename) && S_ISDIR(s.st_mode))
+                        fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
                 else {
-                        if (mount(emptyfile, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable file");
+                        if (arg_debug)
+                                printf("Disable %s\n", fname);
+                        if (S_ISDIR(s.st_mode)) {
+                                if (mount(emptydir, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                        errExit("disable file");
+                        }
+                        else {
+                                if (mount(emptyfile, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                        errExit("disable file");
+                        }
                 }
         }
         else if (op == MOUNT_READONLY) {
diff --git a/test/blacklist-link.exp b/test/blacklist-link.exp
new file mode 100755
index 000000000..da52cae4a
--- /dev/null
+++ b/test/blacklist-link.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# blacklist a directory symlink
+send -- "firejail --blacklist=auto2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "directory link was not blacklisted"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "file auto2\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "symbolic link to"
+}
+send -- "exit\r"
+sleep 1
+
+# blacklist a directory symlink from a profile file
+send -- "firejail --profile=blacklist3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "directory link was not blacklisted"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "file auto2\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "symbolic link to"
+}
+send -- "exit\r"
+sleep 1
+
+
+
+puts "all done\n"
+
diff --git a/test/blacklist3.profile b/test/blacklist3.profile
new file mode 100644
index 000000000..08f754f3f
--- /dev/null
+++ b/test/blacklist3.profile
@@ -0,0 +1 @@
+blacklist auto2
diff --git a/test/test.sh b/test/test.sh
index 8ddbc476f..8c6be8ddd 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -15,6 +15,12 @@ echo "TESTING: blacklist"
 ./blacklist.exp
 rm -fr dir\ with\ space
 
+ln -s auto auto2
+echo "TESTING: blacklist directory link"
+./blacklist-link.exp
+rm -fr auto2
+
+
 echo "TESTING: version"
 ./option_version.exp