From 7b48318477da5a4c7509670b55270cc7d14125b3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 7 Mar 2017 08:20:15 -0500
Subject: Following links in private-bin command ported from #1100 created problems for some users. I added a follow-symlink-private-bin entry in /etc/firejail/firejail.config file to enable/disable this functionality - default disabled.

---
 src/firejail/checkcfg.c | 10 ++++++++++
 src/firejail/firejail.h |  1 +
 src/firejail/fs_bin.c   |  5 ++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 56ab7c932..02bff2bfa 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -46,6 +46,7 @@ int checkcfg(int val) {
 		cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
 		cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
 		cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default
+		cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; // disabled by default
 
 		// open configuration file
 		const char *fname = SYSCONFDIR "/firejail.config";
@@ -135,6 +136,15 @@ int checkcfg(int val) {
 				else
 					goto errout;
 			}
+			// follow symlink in private-bin command
+			else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
+				if (strcmp(ptr + 27, "yes") == 0)
+					cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
+				else if (strcmp(ptr + 27, "no") == 0)
+					cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
+				else
+					goto errout;
+			}
 			// nonewprivs
 			else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 				if (strcmp(ptr + 17, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index aec6f3de4..a41d5fa17 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -680,6 +680,7 @@ enum {
 	CFG_PRIVATE_BIN_NO_LOCAL,
 	CFG_FIREJAIL_PROMPT,
 	CFG_FOLLOW_SYMLINK_AS_USER,
+	CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
 	CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 3473fca4c..73edd2ef9 100644
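Review bot: The `strncmp(ptr, "follow-symlink-private-bin ", 27)` / `ptr + 27` pair in the second checkcfg.c hunk hard-codes the key length, so a later rename of the key silently stops it matching; the neighbouring `force-nonewprivs ` entry uses the same pattern, so this is a point of style rather than a defect. Deriving the length from the literal keeps the two in step: `static const char key[] = "follow-symlink-private-bin ";` then `strncmp(ptr, key, sizeof key - 1) == 0` and `ptr + sizeof key - 1`. The diffstat is limited to `src/`, so the matching commented-out entry in `etc/firejail.config` that the subject line mentions is not visible here; worth confirming it exists, since the option is only discoverable through that file. `checkcfg()` begins and ends outside both hunks.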
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -111,7 +111,10 @@ static void duplicate(char *fname) {
 		errExit("asprintf");
 
 	// copy the file
-	sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+	if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
+		sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+	else
+		sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 	fs_logger2("clone", fname);
 	free(full_path);
 }
-- 
cgit v1.2.3-70-g09d2
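Review bot: The new default `else` branch runs fcopy without `--follow-link`, and nothing in the hunk records what fcopy does with a symlinked binary in that mode; if it copies the link itself, a private-bin entry whose target is not also listed (presumably the `/etc/alternatives` case that #1100 addressed) dangles inside the sandbox and only fails at exec time, which is hard for a user to diagnose. That trade-off belongs in a comment at the branch, e.g. `// default (follow-symlink-private-bin no): the link is copied as-is, so a symlink to a binary outside the private bin only works if that target is listed too; with yes the target is copied instead, by fcopy running as root (SBOX_ROOT)`. Since `checkcfg()` is now consulted once per duplicated file, it is also worth confirming it caches the parsed config rather than re-reading `firejail.config` on every call, which cannot be seen from this hunk. `duplicate()` starts before the hunk.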