Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 10 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 5 |
3 files changed, 15 insertions, 1 deletions
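--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -46,6 +46,7 @@ int checkcfg(int val) {
 	cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
 	cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
 	cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default
+	cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; // disabled by default
 
 	// open configuration file
 	const char *fname = SYSCONFDIR "/firejail.config";
@@ -135,6 +136,15 @@ int checkcfg(int val) {
 			else
 				goto errout;
 		}
+		// follow symlink in private-bin command
+		else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
+			if (strcmp(ptr + 27, "yes") == 0)
+				cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
+			else if (strcmp(ptr + 27, "no") == 0)
+				cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
+			else
+				goto errout;
+		}
 		// nonewprivs
 		else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 			if (strcmp(ptr + 17, "yes") == 0)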
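Review bot: The new `follow-symlink-private-bin` branch relies on the hand-counted prefix length 27 in both the strncmp call and the `ptr + 27` offset; this matches the neighbouring `force-nonewprivs ` branch, but nothing ties the two numbers to the literal, so a later rename of the key can silently desynchronise them. Deriving the length from the literal keeps them in step: `else if (strncmp(ptr, "follow-symlink-private-bin ", sizeof("follow-symlink-private-bin ") - 1) == 0) {` — or, if the file's convention of bare counts is preferred, state the count in the comment: `// follow symlink in private-bin command (key prefix is 27 chars incl. trailing space)`. The diffstat is limited to src, so it is not visible here whether the shipped firejail.config and its man page gained a description of the new key and its default; both should, since the option changes what ends up in the private bin directory. checkcfg's body continues outside the hunk on both sides.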
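--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -680,6 +680,7 @@ enum {
 	CFG_PRIVATE_BIN_NO_LOCAL,
 	CFG_FIREJAIL_PROMPT,
 	CFG_FOLLOW_SYMLINK_AS_USER,
+	CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
 	CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;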
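--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -111,7 +111,10 @@ static void duplicate(char *fname) {
 		errExit("asprintf");
 
 	// copy the file
-	sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+	if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
+		sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+	else
+		sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 	fs_logger2("clone", fname);
 	free(full_path);
 }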
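Review bot: The `0` default chosen for CFG_FOLLOW_SYMLINK_PRIVATE_BIN in checkcfg.c changes the behaviour of every existing installation: the removed line 114 always passed `--follow-link` to fcopy, whereas the new else branch on line 117 runs fcopy without it, so a private-bin command that is a symlink is presumably cloned into RUN_BIN_DIR as a link whose target does not exist inside the private bin directory unless the administrator opts in with `follow-symlink-private-bin yes`. If that flip is intentional it deserves a comment at the `if`, e.g. `// default: clone the link itself, not its target; see follow-symlink-private-bin in firejail.config`, and a matching note in the changelog; if not, the option should be initialised to 1 to preserve the old copy. The two sbox_run calls are unbraced bodies of a multi-line if/else; bracing both keeps a later added statement from silently falling outside the condition. duplicate() begins outside the hunk.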