From 3f3dd80ed63236c06ccbee2c54fa9d7cd2341c16 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 12 Feb 2017 10:17:32 -0500
Subject: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config

---
 src/firejail/checkcfg.c | 9 +++++++++
 src/firejail/firejail.h | 1 +
 src/firejail/fs_whitelist.c | 10 ++++++----
 3 files changed, 16 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 3a2101c6a..4fdc3b22a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -124,6 +124,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+ // follow symlink as user
+ else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) {
+ if (strcmp(ptr + 23, "yes") == 0)
+ cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1;
+ else if (strcmp(ptr + 23, "no") == 0)
+ cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0;
+ else
+ goto errout;
+ }
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f7b3ce0ac..b7d2c4304 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -678,6 +678,7 @@ enum {
 CFG_PRIVATE_HOME,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
+ CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index b0e4463ae..1794e4b35 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
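Review bot: The `// follow symlink as user` comment above the new option parser in checkcfg says nothing about what the option gates, and the hunk does not show what cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] holds when the line is absent from firejail.config, which is the part of this option that decides whether existing installs keep or lose a security check. I would document it at the parser: `// follow-symlink-as-user yes|no: "no" disables the owner check on whitelist symlink targets that resolve outside $HOME (fs_whitelist.c); keep the implicit default at "yes"` — and state the default wherever cfg_val[] is actually initialised, which is outside this hunk. The parsing itself matches the neighbouring options (length-prefixed strncmp, exact yes/no, errout on anything else), and 23 is the correct length of `"follow-symlink-as-user "`. checkcfg's body starts and ends outside the hunk.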
@@ -406,10 +406,12 @@ void fs_whitelist(void) {
 // both path and absolute path are under /home
 if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
- // check if the file is owned by the user
- struct stat s;
- if (stat(fname, &s) == 0 && s.st_uid != getuid())
- goto errexit;
+ if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
+ // check if the file is owned by the user
+ struct stat s;
+ if (stat(fname, &s) == 0 && s.st_uid != getuid())
+ goto errexit;
+ }
 }
 }
 else if (strncmp(new_name, "/tmp/", 5) == 0) {
--
cgit v1.2.3-70-g09d2
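Review bot: The owner check on whitelist targets that resolve outside cfg.homedir is now skipped entirely when checkcfg(CFG_FOLLOW_SYMLINK_AS_USER) is false, and the retained `if (stat(fname, &s) == 0 && s.st_uid != getuid())` already fails open when stat() itself fails, so a target that cannot be stat'ed is treated like a user-owned one. This check appears to be what stops a user-controlled symlink in $HOME from pulling a file owned by someone else into the whitelist mount that follows (presumably performed with elevated privileges — confirm against the caller), so I would make the retained line fail closed, `if (stat(fname, &s) != 0 || s.st_uid != getuid()) goto errexit;`, unless a missing target must deliberately stay allowed here, in which case at least reject stat() errors other than ENOENT. The new `if (checkcfg(...)) {` line deserves a comment saying what turning the option off gives up, e.g. `// follow-symlink-as-user no: accept any symlink target outside $HOME regardless of its owner (weakens the sandbox; root-owned config only)`. The default when firejail.config has no such line is set outside this hunk and is what decides whether existing installs keep the check. fs_whitelist's body starts and ends outside the hunk.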