Closed
Description
Depending on how I set --private-etc, /etc/alternatives/cc is sometimes a symlink, sometimes a copy:
Steps to Reproduce
If I whitelist /etc/alternatives/cc alone, I get a copy of cc instead of its symlink:
$ ls -lah /etc/alternatives/cc
lrwxrwxrwx 1 root root 12 Oct 14 2019 /etc/alternatives/cc -> /usr/bin/gcc
$ firejail --quiet --private-etc=alternatives/cc ls -lah /etc/alternatives/cc
-rwxr-xr-x 1 65534 65534 1.3M Sep 23 12:22 /etc/alternatives/cc
Which is bad (cc is not happy to be here). On the other hand, if I just whitelist the whole alternatives directory:
$ firejail --quiet --private-etc=alternatives ls -lah /etc/alternatives/cc
Error fcopy: size limit of 500 MB reached
lrwxrwxrwx 1 65534 65534 32 Sep 23 12:22 /etc/alternatives/cc -> /usr/bin/x86_64-linux-gnu-gcc-12
this time /etc/alternatives/cc is a symlink (and cc is happy). But fcopy whines about a 500MB limit being reached, which is probably wrong as /etc/alternatives only contains symlinks:
$ du -sh /etc/
4.0K /etc/
Expected behavior
I know that symlinks are a security issue magnet, so I may miss something obvious, but as there's already a way to have the symlink I quickly thought "what about the other way also giving a symlink?".
Environment
- Debian testing (bookworm)
- Firejail 0.9.70
Checklist
- The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
- I can reproduce the issue without custom modifications (e.g. globals.local).
- The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
- The profile (and redirect profile if exists) hasn't already been fixed upstream.
- I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
- I'm aware of
- I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)
Status
Done (on RELNOTES)
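The two outcomes reported above (a regular-file copy versus a preserved symlink) can be checked for mechanically. The following is an added example, not part of the original issue and not firejail's code: it reproduces both outcomes with plain `cp -L` and `cp -P` on a constructed temporary tree and lists entries that were symlinks in the reference tree but became regular copies. The function name `find_dereferenced` and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not firejail code): detect symlinks that were turned into
# regular-file copies when a directory tree was populated.

# find_dereferenced REF_DIR COPY_DIR
# Prints, one per line, each relative path that is a symlink under REF_DIR
# but exists as a non-symlink (a dereferenced copy) under COPY_DIR.
find_dereferenced() {
    ref=$1
    copy=$2
    ( cd "$ref" && find . -type l ) | while IFS= read -r rel; do
        rel=${rel#./}
        # [ -L ] tests the path itself, without following the link.
        if [ -e "$copy/$rel" ] && [ ! -L "$copy/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Constructed sample: a fake "alternatives" directory whose cc entry points
# at a fake compiler, copied once following symlinks and once preserving them.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/etc/alternatives"
    printf 'fake compiler\n' > "$tmp/bin/gcc"
    ln -s "$tmp/bin/gcc" "$tmp/etc/alternatives/cc"

    cp -RL "$tmp/etc/alternatives" "$tmp/copy_follow"    # symlink becomes a file
    cp -RP "$tmp/etc/alternatives" "$tmp/copy_preserve"  # symlink stays a symlink

    echo "dereferenced in copy_follow:   $(find_dereferenced "$tmp/etc/alternatives" "$tmp/copy_follow")"
    echo "dereferenced in copy_preserve: $(find_dereferenced "$tmp/etc/alternatives" "$tmp/copy_preserve")"
    rm -rf "$tmp"
}

demo
```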