From 3f3dd80ed63236c06ccbee2c54fa9d7cd2341c16 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 12 Feb 2017 10:17:32 -0500
Subject: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config
---
 RELNOTES | 1 +
 etc/firejail.config | 6 ++++++
 src/firejail/checkcfg.c | 9 +++++++++
 src/firejail/firejail.h | 1 +
 src/firejail/fs_whitelist.c | 10 ++++++----
 5 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index 16360bc64..0af08404c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -28,6 +28,7 @@ firejail (0.9.45) baseline; urgency=low
 * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
 * feature: added a number o Python scripts for handling sandboxes
 * feature: allow local customization using .local files under /etc/firejail
+ * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config
 * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
 * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
 * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/etc/firejail.config b/etc/firejail.config
index 824e3f503..5498b2112 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -20,6 +20,12 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
+# Follow symlink as user. While using --whitelist feature,
+# symlinks pointing outside home directory are followed only
+# if both the link and the real file are owned by the user.
+# Enabled by default
+# follow-symlink-as-user yes
+
 # Force use of nonewprivs. This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 3a2101c6a..4fdc3b22a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -124,6 +124,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+ // follow symlink as user
+ else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) {
+ if (strcmp(ptr + 23, "yes") == 0)
+ cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1;
+ else if (strcmp(ptr + 23, "no") == 0)
+ cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0;
+ else
+ goto errout;
+ }
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f7b3ce0ac..b7d2c4304 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -678,6 +678,7 @@ enum {
 CFG_PRIVATE_HOME,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
+ CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index b0e4463ae..1794e4b35 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -406,10 +406,12 @@ void fs_whitelist(void) {
 // both path and absolute path are under /home
 if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
- // check if the file is owned by the user
- struct stat s;
- if (stat(fname, &s) == 0 && s.st_uid != getuid())
- goto errexit;
+ if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
+ // check if the file is owned by the user
+ struct stat s;
+ if (stat(fname, &s) == 0 && s.st_uid != getuid())
+ goto errexit;
+ }
 }
 }
 else if (strncmp(new_name, "/tmp/", 5) == 0) {
-- 
cgit v1.2.3-54-g00ecf
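Review bot: In src/firejail/checkcfg.c the new `follow-symlink-as-user` branch assigns `cfg_val[CFG_FOLLOW_SYMLINK_AS_USER]` only when the line is present, so the "Enabled by default" promise in etc/firejail.config rests on initialisation code outside this hunk (checkcfg() starts and ends outside it). Because fs_whitelist.c gates an ownership check on this value, confirm the entry starts at 1 and stays 1 when firejail.config is missing or unreadable, and record that next to the branch, e.g. `// security check: stays enabled unless the admin writes "no"`. The literal `23` has to track the key string by hand; that matches the neighbouring `force-nonewprivs` branch, so it is a style point only.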
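Review bot: In src/firejail/fs_whitelist.c the owner test that moved under `if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER))` still fails open: when `stat(fname, &s)` returns non-zero the condition is false and the entry is accepted with no ownership comparison. Failing closed would read `if (stat(fname, &s) != 0 || s.st_uid != getuid())` followed by the existing `goto errexit;`. Since fs_whitelist() starts and ends outside the hunk, whether `fname` can fail to stat at this point should be checked against the code above. The etc/firejail.config text says both the link and the real file must be owned by the user, but the visible code makes a single `stat()` call, which follows links, so only one owner is compared unless the link itself is checked elsewhere. With the option set to `no` this branch accepts an `fname` outside `cfg.homedir` whatever its owner, which deserves a comment at the `checkcfg()` call and a sentence in the config file.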