deprecated follow-symlink-as-user from firejail.config

netblue30 · May 26, 2021 · 4909fa7 · 4909fa7
1 parent 518633e
commit 4909fa7
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 9 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -1,4 +1,6 @@
 firejail (0.9.65) baseline; urgency=low
+ * deprecated --audit options, relpaced by jailtest
+ * deprecated follow-symlink-as-user from firejail.config
  * filtering environment variables
  * zsh completion
  * command line: --mkdir, --mkfile
@@ -7,7 +9,6 @@ firejail (0.9.65) baseline; urgency=low
  * private-lib rework
  * whitelist rework
  * jailtest utility for testing running sandboxes
- * removed --audit options, relpaced by jailtest
  * capabilities list update
  * faccessat2 syscall support
  * --private-dev keeps /dev/input

diff --git a/etc/firejail.config b/etc/firejail.config
@@ -46,12 +46,6 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
-# Follow symlink as user. While using --whitelist feature,
-# symlinks pointing outside home directory are followed only
-# if both the link and the real file are owned by the user.
-# Enabled by default
-# follow-symlink-as-user yes
-
 # Force use of nonewprivs. This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -103,7 +103,6 @@ int checkcfg(int val) {
  PARSE_YESNO(CFG_USERNS, "userns")
  PARSE_YESNO(CFG_CHROOT, "chroot")
  PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
- PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user")
  PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
  PARSE_YESNO(CFG_SECCOMP, "seccomp")
  PARSE_YESNO(CFG_WHITELIST, "whitelist")

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -765,7 +765,6 @@ enum {
  CFG_PRIVATE_HOME,
  CFG_PRIVATE_BIN_NO_LOCAL,
  CFG_FIREJAIL_PROMPT,
- CFG_FOLLOW_SYMLINK_AS_USER,
  CFG_DISABLE_MNT,
  CFG_JOIN,
  CFG_ARP_PROBES,

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -1904,6 +1904,8 @@ int main(int argc, char **argv, char **envp) {
  }
  else if (strcmp(argv[i], "--private") == 0) {
  arg_private = 1;
+ // disable whitelisting in home directory
+ profile_add("whitelist ~/*");
  }
  else if (strncmp(argv[i], "--private=", 10) == 0) {
  if (cfg.home_private_keep) {
@@ -1925,6 +1927,8 @@ int main(int argc, char **argv, char **envp) {
  cfg.home_private = NULL;
  }
  arg_private = 1;
+ // disable whitelisting in home directory
+ profile_add("whitelist ~/*");
  }
 #ifdef HAVE_PRIVATE_HOME
  else if (strncmp(argv[i], "--private-home=", 15) == 0) {