Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 10 |
3 files changed, 16 insertions, 4 deletions
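--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -124,6 +124,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// follow symlink as user
+else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) {
+if (strcmp(ptr + 23, "yes") == 0)
+cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1;
+else if (strcmp(ptr + 23, "no") == 0)
+cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0;
+else
+goto errout;
+}
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)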
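Review bot: The new `follow-symlink-as-user` branch writes `cfg_val[CFG_FOLLOW_SYMLINK_AS_USER]` only when the key is present in the config file, so the value used when the key is absent comes from the initialisation of `cfg_val`, which is outside this hunk. Since fs_whitelist.c now skips the owner check whenever this entry is 0, the default has to be 1 for an existing config without the key to keep the check; that should be confirmed. The one-line comment could state the contract, e.g. `// follow symlink as user: on by default; "no" disables the owner check on whitelisted targets that resolve outside the home directory`. checkcfg's body starts and ends outside the hunk.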
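--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -678,6 +678,7 @@ enum {
 CFG_PRIVATE_HOME,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
+CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;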
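--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -406,10 +406,12 @@ void fs_whitelist(void) {
 
 // both path and absolute path are under /home
 if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-// check if the file is owned by the user
-struct stat s;
-if (stat(fname, &s) == 0 && s.st_uid != getuid())
-goto errexit;
+if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
+// check if the file is owned by the user
+struct stat s;
+if (stat(fname, &s) == 0 && s.st_uid != getuid())
+goto errexit;
+}
 }
 }
 else if (strncmp(new_name, "/tmp/", 5) == 0) {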
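Review bot: Inside the new `if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER))` block the owner test still passes when `stat()` fails, because the condition is `stat(fname, &s) == 0 && s.st_uid != getuid()`. This check decides whether a path that (presumably after symlink resolution) falls outside `cfg.homedir` may be whitelisted, so failing closed is the safer form: `if (stat(fname, &s) != 0 || s.st_uid != getuid())` followed by `goto errexit;`. With the option set to `no`, nothing is verified for such targets, and the comment above the block should say so rather than only "check if the file is owned by the user". fs_whitelist's body starts and ends outside the hunk.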