authorLibravatar Glenn Washburn <development@efficientek.com>2018-10-13 03:04:03 -0500
committerLibravatar Glenn Washburn <development@efficientek.com>2018-10-13 03:07:14 -0500
commit4017e8a1359208e149b2eac10900987acd4a6f9e (patch)
tree261a276a6dea514735bf6206ce35236b70e59d00
parentMerges (diff)
Fix issue #2148: Make sure firejail can find helper programs in sandbox regardless of options.
-rw-r--r--src/firejail/bandwidth.c6
-rw-r--r--src/firejail/firejail.h27
-rw-r--r--src/firejail/fs_trace.c2
-rw-r--r--src/firejail/main.c11
-rw-r--r--src/firejail/output.c6
-rw-r--r--src/firejail/preproc.c8
6 files changed, 38 insertions, 22 deletions
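diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index d0487d49a..c3f2b3390 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -406,17 +406,17 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
  if (devname) {
  if (strcmp(command, "set") == 0) {
  if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s %d %d",
- LIBDIR, command, devname, down, up) == -1)
+ RUN_FIREJAIL_LIB_DIR, command, devname, down, up) == -1)
  errExit("asprintf");
  }
  else {
  if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s",
- LIBDIR, command, devname) == -1)
+ RUN_FIREJAIL_LIB_DIR, command, devname) == -1)
  errExit("asprintf");
  }
  }
  else {
- if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", LIBDIR, command) == -1)
+ if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s", RUN_FIREJAIL_LIB_DIR, command) == -1)
  errExit("asprintf");
  }
  assert(cmd);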
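Review bot: The helper location `"%s/firejail/fshaper.sh"` with `RUN_FIREJAIL_LIB_DIR` is spelled out in all three asprintf calls, while the other helpers touched by this commit go through PATH_* macros in firejail.h. A `#define PATH_FSHAPER (RUN_FIREJAIL_LIB_DIR "/firejail/fshaper.sh")` passed as the single `%s` argument would keep the path in one place. The hunk does not show how `cmd` is executed or where `devname` comes from; if the string is handed to a shell, it should be confirmed that `devname` is validated before it is formatted in. bandwidth_pid starts and ends outside the hunk.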
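diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cae767667..63d71799a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,6 +32,7 @@
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
@@ -62,11 +63,11 @@
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
-#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
-#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
+#define PATH_SECCOMP_DEFAULT (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp") // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.debug") // default filter built during make
+#define PATH_SECCOMP_32 (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.32") // 32bit arch filter built during make
+#define PATH_SECCOMP_MDWX (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_BLOCK_SECONDARY (RUN_FIREJAIL_LIB_DIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 
 
 #define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -790,16 +791,16 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 
 // sbox.c
 // programs
-#define PATH_FNET (LIBDIR "/firejail/fnet")
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/firejail/fnet")
+#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
-#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
-#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-#define PATH_FLDD (LIBDIR "/firejail/fldd")
+#define PATH_FSECCOMP (RUN_FIREJAIL_LIB_DIR "/firejail/fseccomp")
+#define PATH_FSEC_PRINT (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/firejail/fsec-optimize")
+#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/firejail/fcopy")
+#define SBOX_STDIN_FILE (RUN_MNT_DIR "/sbox_stdin")
+#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/firejail/fldd")
 
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0) // run the sandbox as root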
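Review bot: PATH_FIREMON and PATH_FIREJAIL in the third hunk still expand from PREFIX while every neighbouring helper moves to RUN_FIREJAIL_LIB_DIR, so these two may still be hidden by the sandbox filesystem options the commit is working around. If that is intentional it should be stated next to them, e.g. `// firemon and firejail live in PREFIX/bin, outside the LIBDIR bind mount`. The new define in the first hunk would also benefit from `// bind mount of LIBDIR, set up in preproc_build_firejail_dir()`, because every PATH_* macro built on it resolves only after that mount exists. The "built during make" comments on the PATH_SECCOMP_* lines now describe files reached through the mount rather than through the install path.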
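diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 38ab7e2f8..00c1e3d15 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -51,7 +51,7 @@ void fs_trace(void) {
  FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
  if (!fp)
  errExit("fopen");
- const char *prefix = LIBDIR "/firejail";
+ const char *prefix = RUN_FIREJAIL_LIB_DIR "/firejail";
 
  if (arg_trace) {
  fprintf(fp, "%s/libtrace.so\n", prefix);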
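diff --git a/src/firejail/main.c b/src/firejail/main.c
index 315a7260a..a2287cb55 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -838,7 +838,7 @@ static void run_builder(int argc, char **argv) {
  assert(getenv("LD_PRELOAD") == NULL);
  umask(orig_umask);
 
- argv[0] = LIBDIR "/firejail/fbuilder";
+ argv[0] = RUN_FIREJAIL_LIB_DIR "/firejail/fbuilder";
  execvp(argv[0], argv);
 
  perror("execvp");
@@ -878,6 +878,13 @@ int main(int argc, char **argv) {
  EUID_ROOT();
  atexit(clear_atexit);
 
+ // make private copy of mount namespace so that mounts in firejail do not
+ // propagate up to host
+ if (unshare(CLONE_NEWNS) != 0)
+ errExit("unshare");
+ if (mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL) != 0)
+ errExit("mount: make all mounts private");
+
  // build /run/firejail directory structure
  preproc_build_firejail_dir();
  char *container_name = getenv("container");
@@ -2116,7 +2123,7 @@ int main(int argc, char **argv) {
  else if (strncmp(argv[i], "--timeout=", 10) == 0)
  cfg.timeout = extract_timeout(argv[i] + 10);
  else if (strcmp(argv[i], "--audit") == 0) {
- arg_audit_prog = LIBDIR "/firejail/faudit";
+ arg_audit_prog = RUN_FIREJAIL_LIB_DIR "/firejail/faudit";
  arg_audit = 1;
  }
  else if (strncmp(argv[i], "--audit=", 8) == 0) {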
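Review bot: The `unshare(CLONE_NEWNS)` block in the second hunk sits at the top of main before any option handling visible here, so it appears to run for every invocation, and `errExit("unshare")` would then abort even commands that never build a sandbox in environments where the call is denied. `MS_PRIVATE | MS_REC` also stops host mount events from reaching this process; if firejail should keep seeing mounts the host adds later, `mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL)` blocks only the sandbox-to-host direction. In the first hunk `argv[0]` now points into `RUN_FIREJAIL_LIB_DIR`, which is only populated by the bind mount in preproc_build_firejail_dir(); run_builder's call site is outside the hunk, so it should be confirmed that it runs after that call. Both functions continue outside the hunks shown.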
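diff --git a/src/firejail/output.c b/src/firejail/output.c
index 61c89992d..b5329d2ec 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -76,7 +76,7 @@ void check_output(int argc, char **argv) {
  for (i = 0; i < argc; i++) {
  len += strlen(argv[i]) + 1; // + ' '
  }
- len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
+ len += 100 + strlen(RUN_FIREJAIL_LIB_DIR) + strlen(outfile); // tee command
 
  char *cmd = malloc(len + 1); // + '\0'
  if (!cmd)
@@ -92,9 +92,9 @@ void check_output(int argc, char **argv) {
  }
 
  if (enable_stderr)
- sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
+ sprintf(ptr, "2>&1 | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
  else
- sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
+ sprintf(ptr, " | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile);
 
  // run command
  char *a[4];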
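Review bot: Both `sprintf(ptr, ...)` calls in the second hunk write without a bound, so their safety rests entirely on the `100 + strlen(RUN_FIREJAIL_LIB_DIR) + strlen(outfile)` estimate in the first hunk staying in step with the format strings. Passing the remaining space explicitly, `snprintf(ptr, len + 1 - (ptr - cmd), " | %s/firejail/ftee %s", RUN_FIREJAIL_LIB_DIR, outfile)`, and checking the result would make a later format change fail safely instead of overrunning `cmd`. `outfile` is also placed unquoted into what looks like a shell pipeline; its validation is not visible here and should be confirmed. check_output's call site is outside the hunks as well, and the ftee path only resolves once the LIBDIR bind mount exists.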
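diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index f519ed85f..cc72cfef9 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,12 +62,20 @@ void preproc_build_firejail_dir(void) {
  create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
  }
 
+ if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+ create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+ }
+
  if (stat(RUN_MNT_DIR, &s)) {
  create_empty_dir_as_root(RUN_MNT_DIR, 0755);
  }
 
  create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
  create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
+
+ // bind-mount firejail binaries and helper programs
+ if (mount(LIBDIR, RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+ errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 }
 
 // build /run/firejail/mnt directory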
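Review bot: The `mount(LIBDIR, RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL)` at the end of preproc_build_firejail_dir() binds the whole of LIBDIR and leaves the new mount point as writable as the source filesystem is. Every helper this commit redirects (fshaper.sh in bandwidth.c, the libtrace.so preload entry in fs_trace.c, fbuilder and faudit in main.c, ftee in output.c) is then executed or loaded from that mount, possibly with elevated privileges, so it should be remounted read-only right after the bind: `if (mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) errExit("remounting " RUN_FIREJAIL_LIB_DIR);`. Binding only `LIBDIR "/firejail"` would also avoid exposing unrelated libraries under /run/firejail/lib to sandboxes that restrict the library directory, though the PATH_* macros would then need their `/firejail` component dropped to match. The start of the function is outside the hunk, and whether an existing mount is detected before mounting again is not visible.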