2 files changed, 8 insertions, 10 deletions
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 4be35e23f..c64d20127 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -402,15 +402,6 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) {
        gid_t gid = s->st_gid;
        mode_t mode = s->st_mode;
-        // NixOS problem #4887:
-        //      /etc/fonts is a double symlink to a directory - copy the files instead of copying the symlink
-        if (strcmp(src, "/etc/fonts") == 0) {
-                duplicate_dir(src, dest, s);
-                free(rsrc);
-                free(rdest);
-                return;
-        }
        // build destination file name
        char *name;
        //     char *ptr = strrchr(rsrc, '/');
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 786e0d360..deaee31bb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -165,7 +165,14 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
                errExit("asprintf");
        build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
-        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+        // follow links! this will make a copy of the file or directory pointed by the symlink
+        // this will solve problems such as NixOS #4887
+        // don't follow links to dynamic directories such as /proc
+        if (strcmp(src, "/etc/mtab") == 0)
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+        else
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
        free(dst);
        fs_logger2("clone", src);

diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 4be35e23f..c64d20127 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c
@@ -402,15 +402,6 @@ static void duplicate_link(const char src, const char dest, struct stat *s) {
402	gid_t gid = s->st_gid;	402	gid_t gid = s->st_gid;
403	mode_t mode = s->st_mode;	403	mode_t mode = s->st_mode;
404		404
405	// NixOS problem #4887:
406	// /etc/fonts is a double symlink to a directory - copy the files instead of copying the symlink
407	if (strcmp(src, "/etc/fonts") == 0) {
408	duplicate_dir(src, dest, s);
409	free(rsrc);
410	free(rdest);
411	return;
412	}
413
414	// build destination file name	405	// build destination file name
415	char *name;	406	char *name;
416	// char *ptr = strrchr(rsrc, '/');	407	// char *ptr = strrchr(rsrc, '/');


diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 786e0d360..deaee31bb 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c
@@ -165,7 +165,14 @@ static void duplicate(const char fname, const char private_dir, const char *pr
165	errExit("asprintf");	165	errExit("asprintf");
166		166
167	build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));	167	build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
168	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);	168
		169	// follow links! this will make a copy of the file or directory pointed by the symlink
		170	// this will solve problems such as NixOS #4887
		171	// don't follow links to dynamic directories such as /proc
		172	if (strcmp(src, "/etc/mtab") == 0)
		173	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
		174	else
		175	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
169		176
170	free(dst);	177	free(dst);
171	fs_logger2("clone", src);	178	fs_logger2("clone", src);