deprecated follow-symlink-as-user from firejail.config

2026-05-16 14:16:16 -06:00 · 2021-05-26 09:12:09 -04:00 · 2021-05-26 09:12:09 -04:00 · 4909fa7efc
commit 4909fa7efc
parent 518633eb42
5 changed files with 6 additions and 9 deletions
--- a/3
+++ b/3
@ -1,4 +1,6 @@
 firejail (0.9.65) baseline; urgency=low
+  * deprecated --audit options, relpaced by jailtest
+  * deprecated follow-symlink-as-user from firejail.config
  * filtering environment variables
  * zsh completion
  * command line: --mkdir, --mkfile
@ -7,7 +9,6 @@ firejail (0.9.65) baseline; urgency=low
  * private-lib rework
  * whitelist rework
  * jailtest utility for testing running sandboxes
-  * removed --audit options, relpaced by jailtest
  * capabilities list update
  * faccessat2 syscall support
  * --private-dev keeps /dev/input
--- a/etc/firejail.config
+++ b/etc/firejail.config
@ -46,12 +46,6 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no

-# Follow symlink as user. While using --whitelist feature,
-# symlinks pointing outside home directory are followed only
-# if both the link and the real file are owned by the user.
-# Enabled by default
-# follow-symlink-as-user yes
-
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@ -103,7 +103,6 @@ int checkcfg(int val) {
 			PARSE_YESNO(CFG_USERNS, "userns")
 			PARSE_YESNO(CFG_CHROOT, "chroot")
 			PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
-			PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user")
 			PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
 			PARSE_YESNO(CFG_SECCOMP, "seccomp")
 			PARSE_YESNO(CFG_WHITELIST, "whitelist")
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@ -765,7 +765,6 @@ enum {
 	CFG_PRIVATE_HOME,
 	CFG_PRIVATE_BIN_NO_LOCAL,
 	CFG_FIREJAIL_PROMPT,
-	CFG_FOLLOW_SYMLINK_AS_USER,
 	CFG_DISABLE_MNT,
 	CFG_JOIN,
 	CFG_ARP_PROBES,
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -1904,6 +1904,8 @@ int main(int argc, char **argv, char **envp) {
 		}
 		else if (strcmp(argv[i], "--private") == 0) {
 			arg_private = 1;
+			// disable whitelisting in home directory
+			profile_add("whitelist ~/*");
 		}
 		else if (strncmp(argv[i], "--private=", 10) == 0) {
 			if (cfg.home_private_keep) {
@ -1925,6 +1927,8 @@ int main(int argc, char **argv, char **envp) {
 				cfg.home_private = NULL;
 			}
 			arg_private = 1;
+			// disable whitelisting in home directory
+			profile_add("whitelist ~/*");
 		}
 #ifdef HAVE_PRIVATE_HOME
 		else if (strncmp(argv[i], "--private-home=", 15) == 0) {