authorLibravatar netblue30 <netblue30@yahoo.com>2018-10-13 09:38:38 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2018-10-13 09:38:38 -0400
commit16587f6d2bb6273ba3f519eeab867175948e388f (patch)
treeb15791a194f9cfebd729bb4f8eae3d36f51422a3
parentMerge pull request #2185 from glitsj16/masterpdfeditor (diff)
Revert "Fix issue #2148: Make sure firejail can find helper programs in sandbox regardless of options."
This reverts commit 4017e8a1359208e149b2eac10900987acd4a6f9e. I am running into some problems with the initial unshare/mount in main.c. I'll bring in the files one by one.
-rw-r--r--src/firejail/bandwidth.c6
-rw-r--r--src/firejail/firejail.h27
-rw-r--r--src/firejail/fs_trace.c2
-rw-r--r--src/firejail/main.c11
-rw-r--r--src/firejail/output.c6
-rw-r--r--src/firejail/preproc.c8
6 files changed, 22 insertions, 38 deletions
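diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index c3f2b3390..d0487d49a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -406,17 +406,17 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 if (devname) {
 if (strcmp(command, "set") == 0) {
 if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s %d %d",
-RUN_FIREJAIL_LIB_DIR, command, devname, down, up) == -1)
+LIBDIR, command, devname, down, up) == -1)
 errExit("asprintf");
 }
 else {
 if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s",
-RUN_FIREJAIL_LIB_DIR, command, devname) == -1)
+LIBDIR, command, devname) == -1)
 errExit("asprintf");
 }
 }
 else {
-if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", RUN_FIREJAIL_LIB_DIR, command) == -1)
+if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", LIBDIR, command) == -1)
 errExit("asprintf");
 }
 assert(cmd);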
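diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 63d71799a..cae767667 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,7 +32,6 @@
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
-#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
@@ -63,11 +62,11 @@
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
-#define PATH_SECCOMP_DEFAULT (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp") // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_32 (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.32") // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
-#define PATH_SECCOMP_BLOCK_SECONDARY (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
+#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 
 
 #define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -791,16 +790,16 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 
 // sbox.c
 // programs
-#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/firejail/fnet")
-#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/firejail/fnetfilter")
+#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (RUN_FIREJAIL_LIB_DIR "/firejail/fseccomp")
-#define PATH_FSEC_PRINT (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/firejail/fcopy")
-#define SBOX_STDIN_FILE (RUN_MNT_DIR "/sbox_stdin")
-#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/firejail/fldd")
+#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
+#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
+#define PATH_FLDD (LIBDIR "/firejail/fldd")
 
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0) // run the sandbox as root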
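Review bot: The `PATH_SECCOMP_*` and `PATH_F*` macros in the second and third hunks carry no comment saying that they now resolve against the install-time LIBDIR again. Going by the title of the reverted commit, these helpers and prebuilt seccomp filters can presumably become unreachable once the sandbox filesystem hides that directory. A line above the `// programs` block would record this until the fix is reintroduced: `// helper paths use the install-time LIBDIR; it must stay visible inside the sandbox (issue #2148)`. Separately, the revert also turns `SBOX_STDIN_FILE` back into the literal `"/run/firejail/mnt/sbox_stdin"`, which is unrelated to the helper location. Keeping `(RUN_MNT_DIR "/sbox_stdin")` would avoid a second copy of that path, assuming RUN_MNT_DIR is defined in this header, which the hunks do not show.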
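diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 00c1e3d15..38ab7e2f8 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -51,7 +51,7 @@ void fs_trace(void) {
 FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
 if (!fp)
 errExit("fopen");
-const char *prefix = RUN_FIREJAIL_LIB_DIR "/firejail";
+const char *prefix = LIBDIR "/firejail";
 
 if (arg_trace) {
 fprintf(fp, "%s/libtrace.so\n", prefix);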
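diff --git a/src/firejail/main.c b/src/firejail/main.c
index a2287cb55..315a7260a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -838,7 +838,7 @@ static void run_builder(int argc, char **argv) {
 assert(getenv("LD_PRELOAD") == NULL);
 umask(orig_umask);
 
-argv[0] = RUN_FIREJAIL_LIB_DIR "/firejail/fbuilder";
+argv[0] = LIBDIR "/firejail/fbuilder";
 execvp(argv[0], argv);
 
 perror("execvp");
@@ -878,13 +878,6 @@ int main(int argc, char **argv) {
 EUID_ROOT();
 atexit(clear_atexit);
 
-// make private copy of mount namespace so that mounts in firejail do not
-// propagate up to host
-if (unshare(CLONE_NEWNS) != 0)
-errExit("unshare");
-if (mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL) != 0)
-errExit("mount: make all mounts private");
-
 // build /run/firejail directory structure
 preproc_build_firejail_dir();
 char *container_name = getenv("container");
@@ -2123,7 +2116,7 @@ int main(int argc, char **argv) {
 else if (strncmp(argv[i], "--timeout=", 10) == 0)
 cfg.timeout = extract_timeout(argv[i] + 10);
 else if (strcmp(argv[i], "--audit") == 0) {
-arg_audit_prog = RUN_FIREJAIL_LIB_DIR "/firejail/faudit";
+arg_audit_prog = LIBDIR "/firejail/faudit";
 arg_audit = 1;
 }
 else if (strncmp(argv[i], "--audit=", 8) == 0) {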
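Review bot: In the run_builder hunk, the only visible guard that the fbuilder helper is not started with a preload in its environment is `assert(getenv("LD_PRELOAD") == NULL);`, which compiles to nothing in a build that defines NDEBUG. An explicit test keeps the guarantee in every build: `if (getenv("LD_PRELOAD")) { fprintf(stderr, "Error: LD_PRELOAD is set\n"); exit(1); }`. Because `argv[0]` always contains a slash, `execvp` never searches PATH here, so `execv(argv[0], argv);` would state that intent directly. run_builder starts and ends outside the hunk, so an earlier environment scrub may already cover the first point.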
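diff --git a/src/firejail/output.c b/src/firejail/output.c
index b5329d2ec..61c89992d 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -76,7 +76,7 @@ void check_output(int argc, char **argv) {
 for (i = 0; i < argc; i++) {
 len += strlen(argv[i]) + 1; // + ' '
 }
-len += 100 + strlen(RUN_FIREJAIL_LIB_DIR) + strlen(outfile); // tee command
+len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
 
 char *cmd = malloc(len + 1); // + '\0'
 if (!cmd)
@@ -92,9 +92,9 @@ void check_output(int argc, char **argv) {
 }
 
 if (enable_stderr)
-sprintf(ptr, "2>&1 | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
+sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
 else
-sprintf(ptr, " | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
+sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
 
 // run command
 char *a[4];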
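Review bot: Both `sprintf(ptr, ...)` calls in the second hunk write the ftee pipeline into `cmd` with no bound, so they stay safe only while the hand-computed `len += 100 + strlen(LIBDIR) + strlen(outfile)` in the first hunk matches the format strings. Passing the remaining space and checking the return value would turn a miscount into a reported error instead of a heap overflow, e.g. `snprintf(ptr, len + 1 - (size_t)(ptr - cmd), " | %s/firejail/ftee %s", LIBDIR, outfile);`. This assumes `ptr` points into `cmd`, which is set up outside the hunk. `outfile` is also placed unquoted into what looks like a shell command line; any validation of it happens outside these hunks and is worth confirming.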
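diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index cc72cfef9..f519ed85f 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,20 +62,12 @@ void preproc_build_firejail_dir(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 }
 
-if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
-}
-
 if (stat(RUN_MNT_DIR, &s)) {
 create_empty_dir_as_root(RUN_MNT_DIR, 0755);
 }
 
 create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
 create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
-
-// bind-mount firejail binaries and helper programs
-if (mount(LIBDIR, RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
-errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 }
 
 // build /run/firejail/mnt directory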