author | netblue30 <netblue30@yahoo.com> | 2017-08-17 11:31:21 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-17 11:31:21 -0400 |
commit | 89e3454eb3f0ca22d423bc3aaba5472d3c249115 (patch) | |
tree | 1928af809086e3fc30e177ac07eddc7483699769 | |
parent | memory-deny-write-execute (diff) | |
download | firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.gz firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.zst firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.zip |
private-lib
-rw-r--r-- | README.md | 28 | ||||
-rw-r--r-- | RELNOTES | 5 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 6 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 53 |
5 files changed, 78 insertions, 18 deletions
@@ -139,6 +139,34 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej | |||
139 | mappings that are both writable and executable, to change map‐ | 139 | mappings that are both writable and executable, to change map‐ |
140 | pings to be executable or to create executable shared memory. | 140 | pings to be executable or to create executable shared memory. |
141 | 141 | ||
142 | --private-lib=file,directory | ||
143 | This feature is currently under heavy development. Only amd64 | ||
144 | platforms are supported at this moment. The idea is to build a | ||
145 | new /lib in a temporary filesystem, with only the library files | ||
146 | necessary to run the application. It could be as simple as: | ||
147 | |||
148 | $ firejail --private-lib galculator | ||
149 | |||
150 | but it gets complicated really fast: | ||
151 | |||
152 | $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux- | ||
153 | gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed | ||
154 | |||
155 | The feature is integrated with --private-bin: | ||
156 | |||
157 | $ firejail --private-lib --private-bin=bash,ls,ps | ||
158 | $ ls /lib | ||
159 | ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐ | ||
160 | temd.so.0 | ||
161 | libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5 | ||
162 | libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu | ||
163 | libgcrypt.so.20 libpcre.so.3 libselinux.so.1 | ||
164 | $ ps | ||
165 | PID TTY TIME CMD | ||
166 | 1 pts/0 00:00:00 firejail | ||
167 | 45 pts/0 00:00:00 bash | ||
168 | 48 pts/0 00:00:00 ps | ||
169 | $ | ||
142 | 170 | ||
143 | ````` | 171 | ````` |
144 | 172 | ||
@@ -4,14 +4,15 @@ firejail (0.9.49) baseline; urgency=low | |||
4 | * feature: per-profile disable-mnt (--disable-mnt) | 4 | * feature: per-profile disable-mnt (--disable-mnt) |
5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) | 5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) |
6 | * feature: --memory-deny-write-execute seccomp feature | 6 | * feature: --memory-deny-write-execute seccomp feature |
7 | * feature: private /lib directory (--private-lib) | ||
8 | * feature: disable CDROM/DVD drive (--nodvd) | ||
9 | * feature: disable DVD devices (--notv) | ||
7 | * enhancement: /proc/sys mounting | 10 | * enhancement: /proc/sys mounting |
8 | * enhancement: default seccomp list update | 11 | * enhancement: default seccomp list update |
9 | * enhancement: rework IP address assingment for --net options | 12 | * enhancement: rework IP address assingment for --net options |
10 | * enhancement: support for newer Xpra versions (2.1+) - | 13 | * enhancement: support for newer Xpra versions (2.1+) - |
11 | set "xpra-attach yes" in /etc/firejail/firejail.config | 14 | set "xpra-attach yes" in /etc/firejail/firejail.config |
12 | * enhancement: all profiles use a standard layout style | 15 | * enhancement: all profiles use a standard layout style |
13 | * enhancement: disable CDROM/DVD drive (--nodvd) | ||
14 | * enhancement: disable DVD devices (--notv) | ||
15 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, | 16 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, |
16 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, | 17 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, |
17 | * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, | 18 | * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, |
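--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -135,8 +135,12 @@ static char *valid_file(const char *lib) {
 
 
 void fs_private_lib(void) {
-	char *private_list = cfg.lib_private_keep;
+#ifndef __x86_64__
+	fwarning("private-lib feature is currently available only on amd64 platforms\n");
+	return;
+#endif
 
+	char *private_list = cfg.lib_private_keep;
 	if (arg_debug)
 		printf("Starting private-lib processing: program %s, shell %s\n",
 			(cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",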
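Review bot: The new `#ifndef __x86_64__` guard at the top of fs_private_lib() fails open: on any other architecture a user who asked for `--private-lib` gets a warning and the sandbox then starts with the full host /lib, which is the opposite of what a hardening option should do when it cannot be honoured. Because this runs during sandbox setup, the warning is easy to miss in a profile-driven launch, so it would be safer to reject the option where it is parsed, or at least to make this path a hard failure, e.g. `fprintf(stderr, "Error: private-lib is only available on amd64 platforms\n"); exit(1);`. If the warn-and-continue behaviour is intentional, the man page should say explicitly that the option is ignored rather than refused on unsupported platforms. The rest of fs_private_lib() continues outside the hunk.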
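--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -230,6 +230,10 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-lib file,directory
+Build a new /lib directory and bring in the libraries required by the application to run.
+This feature is still under development, see man 1 firejail for some examples.
+.TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
 filesystem, and copy the files and directories in the list.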
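--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
 bash cat ls sed
 
 .TP
-\fB\-\-private-lib=file,file
-Build a new /lib in a temporary filesystem. For command to be executed,
-the shell (if \-\-shell=none is not used), and the listed libraries
-find out dynamic libraries and copy them to the /lib directory.
-If no listed file is found, /lib directory will be empty and no programs will be able to execute.
-The same directory is also bind-mounted over /lib64 and /usr/lib.
-All modifications are discarded when the sandbox is closed.
+\fB\-\-private-lib=file,directory
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
+The idea is to build a new /lib in a temporary filesystem,
+with only the library files necessary to run the application.
+It could be as simple as:
 .br
 
 .br
-Example:
+$ firejail --private-lib galculator
+.br
+
+.br
+but it gets complicated really fast:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+
+.br
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
 .br
-Parent pid 15733, child pid 15734
+
 .br
-Child process initialized in 69.61 ms
+The feature is integrated with \-\-private-bin:
+.br
+
 .br
-/bin:
+$ firejail --private-lib --private-bin=bash,ls,ps
 .br
-ls
+$ ls /lib
 .br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
 .br
-/lib:
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
 .br
-ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpcre.so.3 libpthread.so.0 libselinux.so.1
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+PID TTY TIME CMD
+.br
+1 pts/0 00:00:00 firejail
+.br
+45 pts/0 00:00:00 bash
+.br
+48 pts/0 00:00:00 ps
+.br
+$
+.br
+
 
 .TP
 \fB\-\-private-dev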