feature: create the link only if its endpoint is available

src/firejail/firejail.h

@@ -36,6 +36,7 @@
 #define DEFAULT_ROOT_PROFILE "server"
 #define MAX_INCLUDE_LEVEL 16 // include levels in profile files
 
+#define MAX_LINKS_LEVEL 5 // maximum link depth
 
 #define ASSERT_PERMS(file, uid, gid, mode) \
  do { \
@@ -162,6 +163,13 @@ typedef struct landlock_entry_t {
  char *data;
 } LandlockEntry;
 
+typedef struct delayed_link_entry_t {
+ struct delayed_link_entry_t *next;
+ char link_filenames[MAX_LINKS_LEVEL][PATH_MAX]; // contains all links from initial file to final one
+ char dst[PATH_MAX];
+ int size; // size of link_filenames
+} DelayedLinkEntry;
+
 typedef struct config_t {
  // user data
  char *username;
@@ -172,6 +180,7 @@ typedef struct config_t {
  ProfileEntry *profile;
  ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc()
  LandlockEntry *lprofile;
+ DelayedLinkEntry *delayed_links; // delay links until we can copy them correctly
 
 #define MAX_PROFILE_IGNORE 32
  char *profile_ignore[MAX_PROFILE_IGNORE];
@@ -495,6 +504,10 @@ char *profile_list_normalize(char *list);
 char *profile_list_compress(char *list);
 void profile_list_augment(char **list, const char *items);
 
+void fs_create_delayed_links();
+void remove_blacklisted_delayed_links(const char *blacklist_path, bool can_whitelist_save);
+void delayed_links_add(char *src, char *dst);
+
 // list.c
 void list(void);
 void tree(void);
@@ -614,6 +627,8 @@ int ascii_isupper(unsigned char c);
 int ascii_isxdigit(unsigned char c);
 int invalid_name(const char *name);
 void check_homedir(const char *dir);
+void normalize_link_path(const char *link_src, const char *link_dst, char *res);
+bool dir_contains(const char *directory, const char *item);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.

src/firejail/fs.c

@@ -121,6 +121,8 @@ static void disable_file(OPERATION op, const char *filename) {
 
  // modify the file
  if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
+ remove_blacklisted_delayed_links(fname, false);
+
  // some distros put all executables under /usr/bin and make /bin a symbolic link
  if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) &&
  is_link(filename) &&

src/firejail/fs_etc.c

@@ -285,19 +285,34 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
 
  build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
 
- // follow links by default, thus making a copy of the file or directory pointed by the symlink
- // this will solve problems such as NixOS #4887
- //
- // don't follow links to dynamic directories such as /proc
- if (strcmp(src, "/etc/mtab") == 0)
- sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
- else
+ // Delay link creation until we are sure that the final link file
+ // will (or will not) be available in the sandbox. If the final link file is not available,
+ // it will not be created. A warning will be written.
+ if (is_link(src)) {
+ if (arg_debug)
+ printf("Delay creating link %s in the sandbox\n", src);
+ delayed_links_add(src, dst);
+ } else
  sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
 
  free(dst);
  fs_logger2("clone", src);
 }
 
+void fs_create_delayed_links() {
+ DelayedLinkEntry *ptr = cfg.delayed_links;
+ DelayedLinkEntry *tmp = NULL;
+
+ while (ptr) {
+ if (arg_debug)
+ printf("Create delayed link %s\n", ptr->link_filenames[0]);
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, ptr->link_filenames[0], ptr->dst);
+ tmp = ptr;
+ ptr = ptr->next;
+ free(tmp);
+ }
+}
+
 static void duplicate_globbing(const char *fname, const char *private_dir, const char *private_run_dir) {
  assert(fname);
 

src/firejail/fs_whitelist.c

@@ -341,6 +341,11 @@ static void tmpfs_topdirs(const TopDir * const topdirs) {
  continue;
  }
 
+ // Check whether bind mount of tmpfs on topdirs[i].path will affect delayed links
+ // Bind mount of tmpfs on topdirs[i].path has the same meaning that blacklisting topdirs[i].path)
+ // exсept that whitelisted entries will be restored inside topdirs[i].path later.
+ remove_blacklisted_delayed_links(topdirs[i].path, true);
+
  // special case /run
  // open /run/firejail, so it can be restored right after mounting the tmpfs
  int fd = -1;

src/firejail/profile.c

@@ -1759,6 +1759,122 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  return 1;
 }
 
+bool does_whitelist_entry_save_file(const char *file, const char *whitelisted_file) {
+ bool is_whitelisted = false;
+ if (!is_dir(whitelisted_file))
+ is_whitelisted = strcmp(whitelisted_file, file) == 0;
+ else
+ is_whitelisted = dir_contains(whitelisted_file, file);
+
+ return is_whitelisted;
+}
+
+bool does_whitelist_save_file(const char *file) {
+ ProfileEntry *entry = cfg.profile;
+ bool is_whitelisted = false;
+
+ while (entry) {
+ if (entry->wparam) {
+ char *wfile = entry->wparam->file;
+ char *wlink = entry->wparam->link;
+
+ is_whitelisted = does_whitelist_entry_save_file(file, wfile);
+ if (!is_whitelisted && wlink) {
+ is_whitelisted = does_whitelist_entry_save_file(file, wlink);
+ }
+
+ if (is_whitelisted)
+ return true;
+ }
+
+ entry = entry->next;
+ }
+
+ return false;
+}
+
+bool is_link_blacklisted(DelayedLinkEntry *link, const char *rblacklist_path, bool can_whitelist_save) {
+ for (int i = 0; i < link->size; i++) {
+ bool is_blacklisted = false;
+
+ if (!is_dir(rblacklist_path))
+ is_blacklisted = strcmp(link->link_filenames[i], rblacklist_path) == 0;
+ else
+ is_blacklisted = dir_contains(rblacklist_path, link->link_filenames[i]);
+
+ if (is_blacklisted) {
+ // used to check whether whitelist will save link
+ if (!can_whitelist_save || can_whitelist_save && !does_whitelist_save_file(link->link_filenames[i]))
+ return true;
+ }
+ }
+
+ return false;
+}
+
+void remove_blacklisted_delayed_links(const char *blacklist_path, bool can_whitelist_save) {
+ char *rblacklist_path = realpath(blacklist_path, NULL);
+ if (rblacklist_path == NULL)
+ errExit("realpath");
+
+ DelayedLinkEntry *prev = NULL;
+ DelayedLinkEntry *ptr = cfg.delayed_links;
+
+ while (ptr) {
+ if (is_link_blacklisted(ptr, rblacklist_path, can_whitelist_save)) {
+
+ fprintf(stderr, "***\n");
+ fprintf(stderr, "*** Warning: cannot create delayed link %s\n", ptr->link_filenames[0]);
+ fprintf(stderr, "*** One of the intermediate links or the final file blacklisted by path %s\n", rblacklist_path);
+ fprintf(stderr, "***\n");
+
+ // Remove link from the delayed links
+ if (prev)
+ prev->next = ptr->next;
+ else
+ cfg.delayed_links = ptr->next;
+
+ DelayedLinkEntry *tmp = ptr;
+ ptr = ptr->next;
+ free(tmp);
+ } else {
+ prev = ptr;
+ ptr = ptr->next;
+ }
+ }
+}
+
+// Accept normalized absolute path
+void delayed_links_add(char *src, char *dst) {
+ char link_point[PATH_MAX];
+ DelayedLinkEntry *link = malloc(sizeof(DelayedLinkEntry));
+
+ if (link == NULL)
+ errExit("malloc");
+
+ link->size = 0;
+ char *link_src = link->link_filenames[link->size++];
+ strncpy(link_src, src, PATH_MAX);
+ link_src[PATH_MAX - 1] = '\0';
+ strncpy(link->dst, dst, PATH_MAX);
+ link->dst[PATH_MAX - 1] = '\0';
+
+ char *cur_absolute = src;
+ size_t link_point_len = 0;
+
+ while ((link_point_len = readlink(cur_absolute, link_point, PATH_MAX)) != (size_t)-1) {
+ if (link->size == MAX_LINKS_LEVEL)
+ errExit("too many intermediate links");
+
+ link_point[link_point_len] = '\0';
+ normalize_link_path(cur_absolute, link_point, link->link_filenames[link->size]);
+ cur_absolute = link->link_filenames[link->size++];
+ }
+
+ link->next = cfg.delayed_links;
+ cfg.delayed_links = link;
+}
+
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str) {
  EUID_ASSERT();

src/firejail/sandbox.c

@@ -1025,6 +1025,7 @@ int sandbox(void* sandbox_arg) {
  fs_mnt(0);
 
  // Install new /etc last, so we can use it as long as possible
+ float time_private_etc = 0;
  if (arg_private_etc) {
  if (cfg.chrootdir)
  fwarning("private-etc feature is disabled in chroot\n");
@@ -1051,17 +1052,8 @@ int sandbox(void* sandbox_arg) {
  if (umount2("/etc/passwd", MNT_DETACH) == -1)
  fprintf(stderr, "/etc/passwd: unmount: %s\n", strerror(errno));
 
- fs_private_dir_mount("/etc", RUN_ETC_DIR);
- fmessage("Private /etc installed in %0.2f ms\n", timetrace_end());
+ time_private_etc += timetrace_end();
 
- // create /etc/ld.so.preload file again
- if (need_preload)
- fs_trace_touch_preload();
-
- // openSUSE configuration is split between /etc and /usr/etc
- // process private-etc a second time
- if (access("/usr/etc", F_OK) == 0)
- fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep);
  }
  }
 
@@ -1076,6 +1068,23 @@ int sandbox(void* sandbox_arg) {
  fs_blacklist(); // mkdir and mkfile are processed all over again
  EUID_ROOT();
 
+ if (arg_private_etc && !cfg.chrootdir && !arg_overlay) {
+ timetrace_start();
+ // create delayed links from etc
+ fs_create_delayed_links();
+ fs_private_dir_mount("/etc", RUN_ETC_DIR);
+ fmessage("Private /etc installed in %0.2f ms\n", timetrace_end());
+
+ // create /etc/ld.so.preload file again
+ if (need_preload)
+ fs_trace_touch_preload();
+
+ // openSUSE configuration is split between /etc and /usr/etc
+ // process private-etc a second time
+ if (access("/usr/etc", F_OK) == 0)
+ fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep);
+ }
+
  //****************************
  // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
  //****************************

src/firejail/util.c

@@ -1541,3 +1541,82 @@ void check_homedir(const char *dir) {
  fmessage("No full support for symbolic links in path of user directory.\n"
  "Please provide resolved path in password database (/etc/passwd).\n\n");
 }
+
+/*
+ * Normalize link destination path according to link source path
+ *
+ * Examples:
+ * Input: /usr/share/timezone/localtime, Europe/Moscow, ...
+ * Output: /usr/share/timezone/Europe/Moscow
+ *
+ * Input: /usr/share/timezone/localtime, ../../../../////usr/share//././timezone/Europe/Moscow, ...
+ * Output: /usr/share/timezone/Europe/Moscow
+ *
+ * Input: /usr/share/timezone/localtime, /some/other/location/./Europe/Moscow, ...
+ * Output: /some/other/location/Europe/Moscow
+ */
+void normalize_link_path(const char *link_src, const char *link_dst, char *res)
+{
+ size_t res_len = 0;
+ size_t link_dst_len = strlen(link_dst);
+ const char *ptr = link_dst;
+ const char *end = &link_dst[link_dst_len];
+ const char *next;
+
+ if (link_dst[0] != '/') {
+ // relative path
+ size_t link_src_len = strlen(link_src);
+ if (!is_dir(link_src)) {
+ char *slash = strrchr(link_src, '/');
+ if (slash != NULL)
+ link_src_len = slash - link_src;
+ }
+
+ memcpy(res, link_src, link_src_len);
+ res_len = link_src_len;
+ }
+
+ for (ptr = link_dst; ptr < end; ptr = next + 1) {
+ size_t len;
+ next = memchr(ptr, '/', end - ptr);
+ if (next == NULL)
+ next = end;
+ len = next - ptr;
+
+ switch (len) {
+ case 2:
+ if (ptr[0] == '.' && ptr[1] == '.') {
+ const char *slash = memrchr(res, '/', res_len);
+ if (slash != NULL)
+ res_len = slash - res;
+ continue;
+ }
+ break;
+ case 1:
+ if (ptr[0] == '.')
+ continue;
+ break;
+ case 0:
+ continue;
+ }
+ res[res_len++] = '/';
+ memcpy(&res[res_len], ptr, len);
+ res_len += len;
+ }
+
+ if (res_len == 0)
+ res[res_len++] = '/';
+
+ res[res_len] = '\0';
+}
+
+// Checks if the path is a subpath
+// example: /some/path /some/path/some/subpath
+bool dir_contains(const char *directory, const char *item) {
+ char tmp[PATH_MAX];
+ strcpy(tmp, directory);
+ size_t tmp_len = strlen(tmp);
+ tmp[tmp_len++] = '/';
+ tmp[tmp_len] = '\0';
+ return strncmp(tmp, item, tmp_len) == 0;
+}