From f75adc62100109ed0e9f367b0216b24111aac58c Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 9 Nov 2017 09:25:38 -0500
Subject: deprecated follow-symlink-private-bin from /etc/firejail/firejail.config
---
 src/firejail/checkcfg.c | 9 ++-------
 src/firejail/firejail.h | 1 -
 src/firejail/fs_bin.c | 35 +++++++++++++++--------------------
 3 files changed, 17 insertions(+), 28 deletions(-)
(limited to 'src')
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 1dee87a64..2fedb2f81 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -47,7 +47,6 @@ int checkcfg(int val) {
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
- cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
 cfg_val[CFG_XPRA_ATTACH] = 0;
@@ -151,12 +150,8 @@ int checkcfg(int val) {
 }
 // follow symlink in private-bin command
 else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
- if (strcmp(ptr + 27, "yes") == 0)
- cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
- else if (strcmp(ptr + 27, "no") == 0)
- cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
- else
- goto errout;
+ if (!arg_quiet)
+ fprintf(stderr, "Warning:follow-symlink-private-bin from firejail.config was deprecated\n");
 }
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5d6d94d16..59bd4b959 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -734,7 +734,6 @@ enum {
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
- CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
 CFG_DISABLE_MNT,
 CFG_JOIN,
 CFG_ARP_PROBES,
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 364431077..9e19ac8d7 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
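Review bot: In the second hunk of src/firejail/checkcfg.c, the `follow-symlink-private-bin` branch now accepts any value and prints only "was deprecated", so an administrator who had set `yes` is not told that the setting no longer has any effect, and with `arg_quiet` set gets no signal at all. The message should say the key is ignored, and it is missing the space after the colon: `fprintf(stderr, "Warning: follow-symlink-private-bin in firejail.config is deprecated and ignored\n");`. The retained comment `// follow symlink in private-bin command` would read better as `// follow-symlink-private-bin: deprecated, parsed only so old config files still load`. checkcfg() starts and ends outside the hunk.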
@@ -182,29 +182,24 @@ static void duplicate(char *fname, FILE *fplist) {
 if (fplist)
 fprintf(fplist, "%s\n", full_path);
- // copy the file
- if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
- sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
- else {
- // if full_path is simlink, and the link is in our path, copy both
- if (is_link(full_path)) {
- char *actual_path = realpath(full_path, NULL);
- if (actual_path) {
- if (valid_full_path_file(actual_path)) {
- // solving problems such as /bin/sh -> /bin/dash
- // copy the real file pointed by symlink
- sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
- char *f = strrchr(actual_path, '/');
- if (f && *(++f) !='\0')
- report_duplication(f);
- }
- free(actual_path);
+ // if full_path is symlink, and the link is in our path, copy both the file and the symlink
+ if (is_link(full_path)) {
+ char *actual_path = realpath(full_path, NULL);
+ if (actual_path) {
+ if (valid_full_path_file(actual_path)) {
+ // solving problems such as /bin/sh -> /bin/dash
+ // copy the real file pointed by symlink
+ sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+ char *f = strrchr(actual_path, '/');
+ if (f && *(++f) !='\0')
+ report_duplication(f);
 }
+ free(actual_path);
 }
-
- // copy a file or a symlink
- sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 }
+
+ // copy a file or a symlink
+ sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
 free(full_path);
 report_duplication(fname);
 }
-- cgit v1.2.3-54-g00ecf
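Review bot: With the `--follow-link` path removed, a symlink whose target `realpath()` cannot resolve, or whose target fails `valid_full_path_file()`, falls through to the final `sbox_run(..., full_path, RUN_BIN_DIR)`, so only the link is copied and the private bin directory ends up with a dangling entry and no diagnostic. An `else` on the `valid_full_path_file()` check could report it, for example `else if (!arg_quiet)` followed by `fprintf(stderr, "Warning: target of %s is outside the private-bin path, copying the symlink only\n", full_path);`, assuming `arg_quiet` is visible in fs_bin.c as it is in checkcfg.c. Separately, the target is validated here and then opened again by the `SBOX_ROOT` copy, so the check holds only if every directory `valid_full_path_file()` accepts is writable by root alone; that function is not shown, so this is worth confirming. duplicate() begins before the hunk.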