author | startx2017 <vradu.startx@yandex.com> | 2017-08-06 08:20:53 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-08-06 08:20:53 -0400 |
commit | 2ecfdd9ba8a5382c2bd9b21e2c365e8f0157e09e (patch) | |
tree | 4dda88a8253b9f42fdd2d5300020f67710820eb0 | |
parent | fix copyright statement (diff) | |
download | firejail-2ecfdd9ba8a5382c2bd9b21e2c365e8f0157e09e.tar.gz firejail-2ecfdd9ba8a5382c2bd9b21e2c365e8f0157e09e.tar.zst firejail-2ecfdd9ba8a5382c2bd9b21e2c365e8f0157e09e.zip |
bring in private-lib libraries for all private-bin programs. Example:firejail --private-lib --private-bin=bash,ls,find,pwd,grep
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 20 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 19 |
3 files changed, 35 insertions, 5 deletions
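--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -50,6 +50,7 @@
 #define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
 #define RUN_LIB_DIR "/run/firejail/mnt/lib"
 #define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
+#define RUN_LIB_BIN "/run/firejail/mnt/binfiles"
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter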
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 5170f2edc..eb9101dad 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -94,7 +94,7 @@ static char *check_dir_or_file(const char *name) { | |||
94 | return paths[i]; | 94 | return paths[i]; |
95 | } | 95 | } |
96 | 96 | ||
97 | static void duplicate(char *fname) { | 97 | static void duplicate(char *fname, FILE *fplist) { |
98 | if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { | 98 | if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { |
99 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); | 99 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); |
100 | exit(1); | 100 | exit(1); |
@@ -110,6 +110,9 @@ static void duplicate(char *fname) { | |||
110 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) | 110 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) |
111 | errExit("asprintf"); | 111 | errExit("asprintf"); |
112 | 112 | ||
113 | if (fplist) | ||
114 | fprintf(fplist, "%s\n", full_path); | ||
115 | |||
113 | // copy the file | 116 | // copy the file |
114 | if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN)) | 117 | if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN)) |
115 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); | 118 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); |
@@ -135,12 +138,21 @@ void fs_private_bin_list(void) { | |||
135 | if (!dlist) | 138 | if (!dlist) |
136 | errExit("strdup"); | 139 | errExit("strdup"); |
137 | 140 | ||
141 | // save a list of private-bin files in order to bring in private-libs later | ||
142 | FILE *fplist = NULL; | ||
143 | if (arg_private_lib) { | ||
144 | fplist = fopen(RUN_LIB_BIN, "w"); | ||
145 | if (!fplist) | ||
146 | errExit("fopen"); | ||
147 | } | ||
148 | |||
138 | char *ptr = strtok(dlist, ","); | 149 | char *ptr = strtok(dlist, ","); |
139 | duplicate(ptr); | 150 | duplicate(ptr, fplist); |
140 | while ((ptr = strtok(NULL, ",")) != NULL) | 151 | while ((ptr = strtok(NULL, ",")) != NULL) |
141 | duplicate(ptr); | 152 | duplicate(ptr, fplist); |
142 | free(dlist); | 153 | free(dlist); |
143 | fs_logger_print(); | 154 | fs_logger_print(); |
155 | fclose(fplist); | ||
144 | 156 | ||
145 | // mount-bind | 157 | // mount-bind |
146 | int i = 0; | 158 | int i = 0; |
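Review bot: `fclose(fplist)` after `fs_logger_print()` runs unconditionally, but `fplist` is initialised to NULL and only opened inside the `if (arg_private_lib)` block, so `--private-bin` without `--private-lib` passes NULL to fclose, which is undefined behaviour and a segfault on glibc. Guard it and check the close result, since this is a write stream whose contents decide later which libraries are brought in: `if (fplist && fclose(fplist) != 0) errExit("fclose");`. Note also that duplicate() appends `full_path` to the list before the sbox copy is attempted, so the list records requested binaries rather than successfully copied ones; whether the consumer tolerates a path that was not copied is not visible here. fs_private_bin_list continues outside the hunk.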
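--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -23,6 +23,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#define MAXBUF 4096
+
 static const char * const lib_paths[] = {
 "/lib",
 "/lib/x86_64-linux-gnu",
@@ -68,7 +70,6 @@ static void copy_libs(const char *lib, const char *private_run_dir, const char *
 if (!fp)
 errExit("fopen");
 
-#define MAXBUF 4096
 char buf[MAXBUF];
 while (fgets(buf, MAXBUF, fp)) {
 // remove \n
@@ -200,6 +201,22 @@ void fs_private_lib(void) {
 fs_logger_print();
 }
 
+// for private-bin files
+if (arg_private_bin) {
+FILE *fp = fopen(RUN_LIB_BIN, "r");
+if (fp) {
+char buf[MAXBUF];
+while (fgets(buf, MAXBUF, fp)) {
+// remove \n
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+copy_libs(buf, RUN_LIB_DIR, RUN_LIB_FILE);
+}
+}
+fclose(fp);
+}
+
 // for our trace and tracelog libs
 if (arg_trace)
 duplicate(LIBDIR "/firejail/libtrace.so", RUN_LIB_DIR);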
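Review bot: `fclose(fp)` in the new private-bin section sits outside the `if (fp)` block, so when `fopen(RUN_LIB_BIN, "r")` fails it is called with NULL, which is undefined behaviour and a segfault on glibc; move it to be the last statement inside the block, i.e. replace the closing `}` / `fclose(fp);` pair with `fclose(fp); }`. The NULL path looks reachable rather than theoretical, because the list file is only created by fs_private_bin_list when arg_private_lib is set, and the relative call order of the two functions is not visible in this hunk. The newline-stripping read loop duplicates the one in copy_libs above; a small static helper that reads a list file line by line would remove the repetition. fs_private_lib starts and ends outside the hunk.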