From 3884057a6f95b2cd6d2fd4e48f045bef6126e90b Mon Sep 17 00:00:00 2001
From: startx2017
Date: Thu, 5 Oct 2017 09:14:10 -0400
Subject: private-bin: if the file is a symlink pointing to an executable inside standard exec path, copy both the file and the symlink
---
 src/firejail/fs_bin.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index d2c8fbbc8..9aa227caf 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -94,7 +94,6 @@ static char *check_dir_or_file(const char *name) {
 return paths[i];
 }
-
 // return 1 if the file is in paths[]
 static int valid_full_path_file(const char *name) {
 assert(name);
@@ -186,8 +185,20 @@ static void duplicate(char *fname, FILE *fplist) {
 // copy the file
 if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
- else
+ else {
+ // if full_path is simlink, and the link is in our path, copy both
+ if (is_link(full_path)) {
+ char *actual_path = realpath(full_path, NULL);
+ if (actual_path) {
+ if (valid_full_path_file(actual_path))
+ sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+ free(actual_path);
+ }
+ }
+
 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
+ }
+
 fs_logger2("clone", fname);
 free(full_path);
 }
-- 
cgit v1.2.3-54-g00ecf
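Review bot: The comment above `if (is_link(full_path))` in the second hunk (and its "simlink" typo) should say why the resolved target is filtered through `valid_full_path_file()` before the copy: the copy runs as root (`SBOX_ROOT`), and restricting it to targets that resolve under `paths[]` is what keeps a link sitting in a standard directory from pulling an arbitrary file into RUN_BIN_DIR; suggested wording: `// if full_path is a symlink whose target resolves into one of paths[], copy the target too; targets elsewhere are skipped so the root-run fcopy never reaches outside the standard directories`. Both failure cases, `realpath()` returning NULL and a target outside `paths[]`, fall through silently to copying only the link, which then dangles inside the private bin, so a debug-level message on those two paths would make the resulting "command not found" inside the sandbox easier to diagnose. The validation and the copy are also done by different processes (the check here, the copy in the `sbox_run()` helper); since `actual_path` is the canonical path of a file in a system directory this is a check-then-use gap in name only, but a one-line comment stating that assumption would help the next reader. The enclosing `duplicate()` starts before this hunk.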