make --private-lib a compile time option, disabled by default

author: netblue30 <netblue30@protonmail.com> 2023-03-09 12:46:11 -0500
committer: netblue30 <netblue30@protonmail.com> 2023-03-09 12:46:11 -0500
commit: b689b69f6c3b8a8ba633d6300cef6a19972d53dc (patch)
tree: f3b4a14761bb8ad74aa408ea0f08e961c2e8e7a7 /src
parent: testing (diff)
download: firejail-b689b69f6.tar.gz
firejail-b689b69f6.tar.zst
firejail-b689b69f6.zip
8 files changed, 59 insertions, 29 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 56f983854..a39e8c667 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -409,6 +409,14 @@ void print_compiletime_support(void) {
 #endif
                );
+        printf("\t- private-lib support is %s\n",
+#ifdef HAVE_PRIVATE_LIB
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
        printf("\t- private-cache and tmpfs as user %s\n",
 #ifdef HAVE_USERTMPFS
                "enabled"
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index e349941fa..ba7a291ee 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -32,35 +32,6 @@ extern void fslib_install_stdc(void);
 extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
-static int lib_cnt = 0;
-static int dir_cnt = 0;
-static const char *masked_lib_dirs[] = {
-        "/usr/lib64",
-        "/lib64",
-        "/usr/lib",
-        "/lib",
-        "/usr/local/lib64",
-        "/usr/local/lib",
-        NULL,
-};
-// return 1 if the file is in masked_lib_dirs[]
-static int valid_full_path(const char *full_path) {
-        if (strstr(full_path, ".."))
-                return 0;
-        int i = 0;
-        while (masked_lib_dirs[i]) {
-                size_t len = strlen(masked_lib_dirs[i]);
-                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
-                    full_path[len] == '/')
-                        return 1;
-                i++;
-        }
-        return 0;
-}
 // return 1 if symlink to firejail executable
 int is_firejail_link(const char *fname) {
        EUID_ASSERT();
@@ -116,6 +87,36 @@ char *find_in_path(const char *program) {
        return NULL;
 }
+#ifdef HAVE_PRIVATE_LIB
+static int lib_cnt = 0;
+static int dir_cnt = 0;
+static const char *masked_lib_dirs[] = {
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        NULL,
+};
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+        int i = 0;
+        while (masked_lib_dirs[i]) {
+                size_t len = strlen(masked_lib_dirs[i]);
+                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
+                    full_path[len] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
 static char *build_dest_dir(const char *full_path) {
        assert(full_path);
        if (strstr(full_path, "/x86_64-linux-gnu/"))
@@ -465,3 +466,4 @@ void fs_private_lib(void) {
        // mount lib filesystem
        mount_directories();
 }
+#endif
+\ No newline at end of file
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 540c3286f..583888e0e 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -36,6 +36,7 @@ typedef struct liblist_t {
        int len;
 } LibList;
+#ifdef HAVE_PRIVATE_LIB
 static LibList libc_list[] = {
        { "libselinux.so.", 0 },
        { "libpcre2-8.so.", 0 },
@@ -356,3 +357,4 @@ void fslib_install_system(void) {
                ptr++;
        }
 }
+#endif
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 62035ff04..7e23cdc63 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1355,8 +1355,10 @@ int main(int argc, char **argv, char **envp) {
                        arg_debug_blacklists = 1;
                else if (strcmp(argv[i], "--debug-whitelists") == 0)
                        arg_debug_whitelists = 1;
+#ifdef HAVE_PRIVATE_LIB
                else if (strcmp(argv[i], "--debug-private-lib") == 0)
                        arg_debug_private_lib = 1;
+#endif
                else if (strcmp(argv[i], "--quiet") == 0) {
                        if (!arg_debug)
                                arg_quiet = 1;
@@ -2137,6 +2139,7 @@ int main(int argc, char **argv, char **envp) {
                        else
                                exit_err_feature("private-bin");
                }
+#ifdef HAVE_PRIVATE_LIB
                else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                        if (checkcfg(CFG_PRIVATE_LIB)) {
                                // extract private lib list (if any)
@@ -2152,6 +2155,7 @@ int main(int argc, char **argv, char **envp) {
                        else
                                exit_err_feature("private-lib");
                }
+#endif
                else if (strcmp(argv[i], "--private-tmp") == 0) {
                        arg_private_tmp = 1;
                }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 648fc2248..19ac8d9ec 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -949,6 +949,7 @@ int sandbox(void* sandbox_arg) {
                }
        }
+#ifdef HAVE_PRIVATE_LIB
        // private-lib is disabled for appimages
        if (arg_private_lib && !arg_appimage) {
                if (cfg.chrootdir)
@@ -959,6 +960,7 @@ int sandbox(void* sandbox_arg) {
                        fs_private_lib();
                }
        }
+#endif
 #ifdef HAVE_USERTMPFS
        if (arg_private_cache) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 965d09992..b6b60d85c 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -81,7 +81,9 @@ static char *usage_str =
        "    --debug-blacklists - debug blacklisting.\n"
        "    --debug-caps - print all recognized capabilities.\n"
        "    --debug-errnos - print all recognized error numbers.\n"
+#ifdef HAVE_PRIVATE_LIB
        "    --debug-private-lib - debug for --private-lib option.\n"
+#endif
        "    --debug-protocols - print all recognized protocols.\n"
        "    --debug-syscalls - print all recognized system calls.\n"
        "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
@@ -208,6 +210,9 @@ static char *usage_str =
        "\tcommon device files.\n"
        "    --private-etc=file,directory - build a new /etc in a temporary\n"
        "\tfilesystem, and copy the files and directories in the list.\n"
+#ifdef HAVE_PRIVATE_LIB
+        "    --private-lib - create a private /lib directory\n"
+#endif
        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
        "    --private-cwd - do not inherit working directory inside jail.\n"
        "    --private-cwd=directory - set working directory inside jail.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3fa07d1ee..fa294d888 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,12 +407,14 @@ the current user's home directory.
 All modifications are discarded when the sandbox is
 closed.
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
 The files and directories in the list must be expressed as relative to
 the /lib directory.
 This feature is still under development, see \fBman 1 firejail\fR for some examples.
+#endif
 .TP
 \fBprivate-opt file,directory
 Build a new /opt in a temporary
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6068c9ff4..ec6da6f13 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -684,9 +684,11 @@ Print all recognized error numbers in the current Firejail software build and ex
 Example:
 .br
 $ firejail \-\-debug-errnos
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-debug-private-lib
 Debug messages for --private-lib option.
+#endif
 .TP
 \fB\-\-debug-protocols
 Print all recognized protocols in the current Firejail software build and exit.
@@ -696,6 +698,7 @@ Print all recognized protocols in the current Firejail software build and exit.
 Example:
 .br
 $ firejail \-\-debug-protocols
+#endif
 .TP
 \fB\-\-debug-syscalls
 Print all recognized system calls in the current Firejail software build and exit.
@@ -2179,6 +2182,7 @@ Example:
 .br
 $ firejail \-\-private-home=.mozilla firefox
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-private-lib=file,directory
 This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
@@ -2234,6 +2238,7 @@ $
 .br
 Note: Support for this command is controlled in firejail.config with the
 \fBprivate-lib\fR option.
+#endif
 .TP
 \fB\-\-private-opt=file,directory
 Build a new /opt in a temporary
author	netblue30 <netblue30@protonmail.com>	2023-03-09 12:46:11 -0500
committer	netblue30 <netblue30@protonmail.com>	2023-03-09 12:46:11 -0500
commit	b689b69f6c3b8a8ba633d6300cef6a19972d53dc (patch)
tree	f3b4a14761bb8ad74aa408ea0f08e961c2e8e7a7 /src
parent	testing (diff)
download	firejail-b689b69f6.tar.gz firejail-b689b69f6.tar.zst firejail-b689b69f6.zip