private-lib

author: netblue30 <netblue30@yahoo.com> 2017-08-17 11:31:21 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-08-17 11:31:21 -0400
commit: 89e3454eb3f0ca22d423bc3aaba5472d3c249115 (patch)
tree: 1928af809086e3fc30e177ac07eddc7483699769
parent: memory-deny-write-execute (diff)
download: firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.gz
firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.zst
firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.zip
5 files changed, 78 insertions, 18 deletions
diff --git a/README.md b/README.md
index 6cac86da1..d12b9ee4e 100644
--- a/README.md
+++ b/README.md
@@ -139,6 +139,34 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej
              mappings  that are both writable and executable, to change map‐
              pings to be executable or to create executable shared memory.
+       --private-lib=file,directory
+              This  feature  is currently under heavy development. Only amd64
+              platforms are supported at this moment.  The idea is to build a
+              new /lib in a temporary filesystem, with only the library files
+              necessary to run the application.  It could be as simple as:
+              $ firejail --private-lib galculator
+              but it gets complicated really fast:
+              $   firejail   --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
+              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
+              The feature is integrated with --private-bin:
+              $ firejail --private-lib --private-bin=bash,ls,ps
+              $ ls /lib
+              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6 libsys‐
+              temd.so.0
+              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
+              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+              $ ps
+               PID TTY          TIME CMD
+                  1 pts/0    00:00:00 firejail
+                 45 pts/0    00:00:00 bash
+                 48 pts/0    00:00:00 ps
+              $
 `````
diff --git a/RELNOTES b/RELNOTES
index 02848ca82..36dd39686 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,14 +4,15 @@ firejail (0.9.49) baseline; urgency=low
  * feature: per-profile disable-mnt (--disable-mnt)
  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
  * feature: --memory-deny-write-execute seccomp feature
+  * feature: private /lib directory (--private-lib)
+  * feature: disable CDROM/DVD drive (--nodvd)
+  * feature: disable DVD devices (--notv)
  * enhancement: /proc/sys mounting
  * enhancement: default seccomp list update
  * enhancement: rework IP address assingment for --net options
  * enhancement: support for newer Xpra versions (2.1+) -
     set "xpra-attach yes" in /etc/firejail/firejail.config
  * enhancement: all profiles use a standard layout style
-  * enhancement: disable CDROM/DVD drive (--nodvd)
-  * enhancement: disable DVD devices (--notv)
  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 165d5651d..cdfd4a6e2 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -135,8 +135,12 @@ static char *valid_file(const char *lib) {
 void fs_private_lib(void) {
-        char *private_list = cfg.lib_private_keep;
+#ifndef __x86_64__
+        fwarning("private-lib feature is currently available only on amd64 platforms\n");
+        return;
+#endif
+        char *private_list = cfg.lib_private_keep;
        if (arg_debug)
                printf("Starting private-lib processing: program %s, shell %s\n",
                        (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9dafb3c65..2a7d926b9 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -230,6 +230,10 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-lib file,directory
+Build a new /lib directory and bring in the libraries required by the application to run.
+This feature is still under development, see man 1 firejail for some examples.
+.TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
 filesystem, and copy the files and directories in the list.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 690d0c1c1..4a396b809 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
 bash  cat  ls  sed
 .TP
-\fB\-\-private-lib=file,file
+\fB\-\-private-lib=file,directory
-Build a new /lib in a temporary filesystem. For command to be executed,
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
-the shell (if \-\-shell=none is not used), and the listed libraries
+The idea is to build a new /lib in a temporary filesystem,
-find out dynamic libraries and copy them to the /lib directory.
+with only the library files necessary to run the application.
-If no listed file is found, /lib directory will be empty and no programs will be able to execute.
+It could be as simple as:
-The same directory is also bind-mounted over /lib64 and /usr/lib.
-All modifications are discarded when the sandbox is closed.
 .br
 .br
-Example:
+$ firejail --private-lib galculator
+.br
+.br
+but it gets complicated really fast:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+.br
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
 .br
-Parent pid 15733, child pid 15734
 .br
-Child process initialized in 69.61 ms
+The feature is integrated with \-\-private-bin:
+.br
 .br
-/bin:
+$ firejail --private-lib --private-bin=bash,ls,ps
 .br
-ls
+$ ls /lib
 .br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
 .br
-/lib:
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
 .br
-ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpcre.so.3  libpthread.so.0  libselinux.so.1
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+ PID TTY          TIME CMD
+.br
+    1 pts/0    00:00:00 firejail
+.br
+   45 pts/0    00:00:00 bash
+.br
+   48 pts/0    00:00:00 ps
+.br
+$ 
+.br
 .TP
 \fB\-\-private-dev
author	netblue30 <netblue30@yahoo.com>	2017-08-17 11:31:21 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-08-17 11:31:21 -0400
commit	89e3454eb3f0ca22d423bc3aaba5472d3c249115 (patch)
tree	1928af809086e3fc30e177ac07eddc7483699769
parent	memory-deny-write-execute (diff)
download	firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.gz firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.zst firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.zip

diff --git a/README.md b/README.md index 6cac86da1..d12b9ee4e 100644 --- a/README.md +++ b/README.md
@@ -139,6 +139,34 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej
139	mappings that are both writable and executable, to change map‐	139	mappings that are both writable and executable, to change map‐
140	pings to be executable or to create executable shared memory.	140	pings to be executable or to create executable shared memory.
141		141
		142	--private-lib=file,directory
		143	This feature is currently under heavy development. Only amd64
		144	platforms are supported at this moment. The idea is to build a
		145	new /lib in a temporary filesystem, with only the library files
		146	necessary to run the application. It could be as simple as:
		147
		148	$ firejail --private-lib galculator
		149
		150	but it gets complicated really fast:
		151
		152	$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
		153	gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
		154
		155	The feature is integrated with --private-bin:
		156
		157	$ firejail --private-lib --private-bin=bash,ls,ps
		158	$ ls /lib
		159	ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
		160	temd.so.0
		161	libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
		162	libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
		163	libgcrypt.so.20 libpcre.so.3 libselinux.so.1
		164	$ ps
		165	PID TTY TIME CMD
		166	1 pts/0 00:00:00 firejail
		167	45 pts/0 00:00:00 bash
		168	48 pts/0 00:00:00 ps
		169	$
142		170
143	`````	171	`````
144		172


diff --git a/RELNOTES b/RELNOTES index 02848ca82..36dd39686 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -4,14 +4,15 @@ firejail (0.9.49) baseline; urgency=low
4	* feature: per-profile disable-mnt (--disable-mnt)	4	* feature: per-profile disable-mnt (--disable-mnt)
5	* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)	5	* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
6	* feature: --memory-deny-write-execute seccomp feature	6	* feature: --memory-deny-write-execute seccomp feature
		7	* feature: private /lib directory (--private-lib)
		8	* feature: disable CDROM/DVD drive (--nodvd)
		9	* feature: disable DVD devices (--notv)
7	* enhancement: /proc/sys mounting	10	* enhancement: /proc/sys mounting
8	* enhancement: default seccomp list update	11	* enhancement: default seccomp list update
9	* enhancement: rework IP address assingment for --net options	12	* enhancement: rework IP address assingment for --net options
10	* enhancement: support for newer Xpra versions (2.1+) -	13	* enhancement: support for newer Xpra versions (2.1+) -
11	set "xpra-attach yes" in /etc/firejail/firejail.config	14	set "xpra-attach yes" in /etc/firejail/firejail.config
12	* enhancement: all profiles use a standard layout style	15	* enhancement: all profiles use a standard layout style
13	* enhancement: disable CDROM/DVD drive (--nodvd)
14	* enhancement: disable DVD devices (--notv)
15	* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,	16	* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
16	* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,	17	* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
17	* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,	18	* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,


diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 165d5651d..cdfd4a6e2 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c
@@ -135,8 +135,12 @@ static char valid_file(const char lib) {
135		135
136		136
137	void fs_private_lib(void) {	137	void fs_private_lib(void) {
138	char *private_list = cfg.lib_private_keep;	138	#ifndef __x86_64__
		139	fwarning("private-lib feature is currently available only on amd64 platforms\n");
		140	return;
		141	#endif
139		142
		143	char *private_list = cfg.lib_private_keep;
140	if (arg_debug)	144	if (arg_debug)
141	printf("Starting private-lib processing: program %s, shell %s\n",	145	printf("Starting private-lib processing: program %s, shell %s\n",
142	(cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",	146	(cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9dafb3c65..2a7d926b9 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -230,6 +230,10 @@ Build a new /etc in a temporary
230	filesystem, and copy the files and directories in the list.	230	filesystem, and copy the files and directories in the list.
231	All modifications are discarded when the sandbox is closed.	231	All modifications are discarded when the sandbox is closed.
232	.TP	232	.TP
		233	\fBprivate-lib file,directory
		234	Build a new /lib directory and bring in the libraries required by the application to run.
		235	This feature is still under development, see man 1 firejail for some examples.
		236	.TP
233	\fBprivate-opt file,directory	237	\fBprivate-opt file,directory
234	Build a new /optin a temporary	238	Build a new /optin a temporary
235	filesystem, and copy the files and directories in the list.	239	filesystem, and copy the files and directories in the list.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 690d0c1c1..4a396b809 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
1272	bash cat ls sed	1272	bash cat ls sed
1273		1273
1274	.TP	1274	.TP
1275	\fB\-\-private-lib=file,file	1275	\fB\-\-private-lib=file,directory
1276	Build a new /lib in a temporary filesystem. For command to be executed,	1276	This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
1277	the shell (if \-\-shell=none is not used), and the listed libraries	1277	The idea is to build a new /lib in a temporary filesystem,
1278	find out dynamic libraries and copy them to the /lib directory.	1278	with only the library files necessary to run the application.
1279	If no listed file is found, /lib directory will be empty and no programs will be able to execute.	1279	It could be as simple as:
1280	The same directory is also bind-mounted over /lib64 and /usr/lib.
1281	All modifications are discarded when the sandbox is closed.
1282	.br	1280	.br
1283		1281
1284	.br	1282	.br
1285	Example:	1283	$ firejail --private-lib galculator
		1284	.br
		1285
		1286	.br
		1287	but it gets complicated really fast:
1286	.br	1288	.br
1287	$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin	1289
		1290	.br
		1291	$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1288	.br	1292	.br
1289	Parent pid 15733, child pid 15734	1293
1290	.br	1294	.br
1291	Child process initialized in 69.61 ms	1295	The feature is integrated with \-\-private-bin:
		1296	.br
		1297
1292	.br	1298	.br
1293	/bin:	1299	$ firejail --private-lib --private-bin=bash,ls,ps
1294	.br	1300	.br
1295	ls	1301	$ ls /lib
1296	.br	1302	.br
		1303	ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
1297	.br	1304	.br
1298	/lib:	1305	libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1299	.br	1306	.br
1300	ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpcre.so.3 libpthread.so.0 libselinux.so.1	1307	libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
		1308	.br
		1309	libgcrypt.so.20 libpcre.so.3 libselinux.so.1
		1310	.br
		1311	$ ps
		1312	.br
		1313	PID TTY TIME CMD
		1314	.br
		1315	1 pts/0 00:00:00 firejail
		1316	.br
		1317	45 pts/0 00:00:00 bash
		1318	.br
		1319	48 pts/0 00:00:00 ps
		1320	.br
		1321	$
		1322	.br
		1323
1301		1324
1302	.TP	1325	.TP
1303	\fB\-\-private-dev	1326	\fB\-\-private-dev