From 4909fa7efce4a36bd16e7bf80c9642b93c262ddf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 26 May 2021 09:12:09 -0400 Subject: [PATCH] deprecated follow-symlink-as-user from firejail.config --- RELNOTES | 3 ++- etc/firejail.config | 6 ------ src/firejail/checkcfg.c | 1 - src/firejail/firejail.h | 1 - src/firejail/main.c | 4 ++++ 5 files changed, 6 insertions(+), 9 deletions(-) diff --git a/RELNOTES b/RELNOTES index 786a1afcd13..74ef66fb9f8 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,4 +1,6 @@ firejail (0.9.65) baseline; urgency=low + * deprecated --audit options, relpaced by jailtest + * deprecated follow-symlink-as-user from firejail.config * filtering environment variables * zsh completion * command line: --mkdir, --mkfile @@ -7,7 +9,6 @@ firejail (0.9.65) baseline; urgency=low * private-lib rework * whitelist rework * jailtest utility for testing running sandboxes - * removed --audit options, relpaced by jailtest * capabilities list update * faccessat2 syscall support * --private-dev keeps /dev/input diff --git a/etc/firejail.config b/etc/firejail.config index 9dd33b5ed23..c671efef97f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -46,12 +46,6 @@ # Enable Firejail green prompt in terminal, default disabled # firejail-prompt no -# Follow symlink as user. While using --whitelist feature, -# symlinks pointing outside home directory are followed only -# if both the link and the real file are owned by the user. -# Enabled by default -# follow-symlink-as-user yes - # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 614b144e57e..cb087d395c7 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -103,7 +103,6 @@ int checkcfg(int val) { PARSE_YESNO(CFG_USERNS, "userns") PARSE_YESNO(CFG_CHROOT, "chroot") PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") - PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") PARSE_YESNO(CFG_SECCOMP, "seccomp") PARSE_YESNO(CFG_WHITELIST, "whitelist") diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1c1ad4e971b..1da70fd54f7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -765,7 +765,6 @@ enum { CFG_PRIVATE_HOME, CFG_PRIVATE_BIN_NO_LOCAL, CFG_FIREJAIL_PROMPT, - CFG_FOLLOW_SYMLINK_AS_USER, CFG_DISABLE_MNT, CFG_JOIN, CFG_ARP_PROBES, diff --git a/src/firejail/main.c b/src/firejail/main.c index 7cfa5807848..31694558d60 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1904,6 +1904,8 @@ int main(int argc, char **argv, char **envp) { } else if (strcmp(argv[i], "--private") == 0) { arg_private = 1; + // disable whitelisting in home directory + profile_add("whitelist ~/*"); } else if (strncmp(argv[i], "--private=", 10) == 0) { if (cfg.home_private_keep) { @@ -1925,6 +1927,8 @@ int main(int argc, char **argv, char **envp) { cfg.home_private = NULL; } arg_private = 1; + // disable whitelisting in home directory + profile_add("whitelist ~/*"); } #ifdef HAVE_PRIVATE_HOME else if (strncmp(argv[i], "--private-home=", 15) == 0) {