private-bin: if the file is a symlink pointing to an executable insid…

…e standard exec path, copy both the file and the symlink
onny · Oct 5, 2017 · 3884057 · 3884057
1 parent c625937
commit 3884057
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
@@ -94,7 +94,6 @@ static char *check_dir_or_file(const char *name) {
  return paths[i];
 }
 
-
 // return 1 if the file is in paths[]
 static int valid_full_path_file(const char *name) {
  assert(name);
@@ -186,8 +185,20 @@ static void duplicate(char *fname, FILE *fplist) {
  // copy the file
  if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
  sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
- else
+ else {
+ // if full_path is simlink, and the link is in our path, copy both
+ if (is_link(full_path)) {
+ char *actual_path = realpath(full_path, NULL);
+ if (actual_path) {
+ if (valid_full_path_file(actual_path))
+ sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+ free(actual_path);
+ }
+ }
+
  sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
+ }
+
  fs_logger2("clone", fname);
  free(full_path);
 }