diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-11-05 15:08:24 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-11-05 15:08:24 -0500 |
| commit | 1a61182e9fe4561e1ebf36eb3bc725aaae0c26b0 (patch) | |
| tree | 6fd6bdd5cbf95321c1aa320d8c7c0a17d51402c7 /src/firejail/fs_lib.c | |
| parent | fix disable-programs.inc (diff) | |
| download | firejail-1a61182e9fe4561e1ebf36eb3bc725aaae0c26b0.tar.gz firejail-1a61182e9fe4561e1ebf36eb3bc725aaae0c26b0.tar.zst firejail-1a61182e9fe4561e1ebf36eb3bc725aaae0c26b0.zip | |
private-lib fix
Diffstat (limited to 'src/firejail/fs_lib.c')
| -rw-r--r-- | src/firejail/fs_lib.c | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 56a66742a..59c0c5261 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
| @@ -69,6 +69,9 @@ static char *build_dest_dir(const char *full_path) { | |||
| 69 | // copy fname in private_run_dir | 69 | // copy fname in private_run_dir |
| 70 | void fslib_duplicate(const char *full_path) { | 70 | void fslib_duplicate(const char *full_path) { |
| 71 | assert(full_path); | 71 | assert(full_path); |
| 72 | if (arg_debug) | ||
| 73 | printf("fslib_duplicate %s\n", full_path); | ||
| 74 | |||
| 72 | struct stat s; | 75 | struct stat s; |
| 73 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)) | 76 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)) |
| 74 | return; | 77 | return; |
| @@ -105,6 +108,10 @@ void fslib_duplicate(const char *full_path) { | |||
| 105 | // it could be a library or an executable | 108 | // it could be a library or an executable |
| 106 | // lib is not copied, only libraries used by it | 109 | // lib is not copied, only libraries used by it |
| 107 | void fslib_copy_libs(const char *full_path) { | 110 | void fslib_copy_libs(const char *full_path) { |
| 111 | assert(full_path); | ||
| 112 | if (arg_debug) | ||
| 113 | printf("fslib_copy_libs %s\n", full_path); | ||
| 114 | |||
| 108 | // if library/executable does not exist or the user does not have read access to it | 115 | // if library/executable does not exist or the user does not have read access to it |
| 109 | // print a warning and exit the function. | 116 | // print a warning and exit the function. |
| 110 | if (access(full_path, R_OK)) { | 117 | if (access(full_path, R_OK)) { |
| @@ -120,6 +127,8 @@ void fslib_copy_libs(const char *full_path) { | |||
| 120 | errExit("chown"); | 127 | errExit("chown"); |
| 121 | 128 | ||
| 122 | // run fldd to extact the list of files | 129 | // run fldd to extact the list of files |
| 130 | if (arg_debug) | ||
| 131 | printf("runing fldd %s\n", full_path); | ||
| 123 | sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); | 132 | sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); |
| 124 | 133 | ||
| 125 | // open the list of libraries and install them on by one | 134 | // open the list of libraries and install them on by one |
| @@ -141,6 +150,9 @@ void fslib_copy_libs(const char *full_path) { | |||
| 141 | 150 | ||
| 142 | void fslib_copy_dir(const char *full_path) { | 151 | void fslib_copy_dir(const char *full_path) { |
| 143 | assert(full_path); | 152 | assert(full_path); |
| 153 | if (arg_debug) | ||
| 154 | printf("fslib_copy_dir %s\n", full_path); | ||
| 155 | |||
| 144 | // do nothing if the directory does not exist or is not owned by root | 156 | // do nothing if the directory does not exist or is not owned by root |
| 145 | struct stat s; | 157 | struct stat s; |
| 146 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)) | 158 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)) |
| @@ -151,8 +163,6 @@ void fslib_copy_dir(const char *full_path) { | |||
| 151 | dir_name++; | 163 | dir_name++; |
| 152 | assert(*dir_name != '\0'); | 164 | assert(*dir_name != '\0'); |
| 153 | 165 | ||
| 154 | |||
| 155 | |||
| 156 | // do nothing if the directory is already there | 166 | // do nothing if the directory is already there |
| 157 | char *dest; | 167 | char *dest; |
| 158 | if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1) | 168 | if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1) |
| @@ -371,12 +381,17 @@ void fs_private_lib(void) { | |||
| 371 | if (!arg_quiet) | 381 | if (!arg_quiet) |
| 372 | fprintf(stderr, "Installed %d libraries and %d directories\n", lib_cnt, dir_cnt); | 382 | fprintf(stderr, "Installed %d libraries and %d directories\n", lib_cnt, dir_cnt); |
| 373 | 383 | ||
| 374 | // for our trace and tracelog libs | 384 | // bring in firejail directory for --trace options |
| 375 | if (arg_trace) | 385 | fslib_copy_dir(LIBDIR "/firejail"); |
| 376 | fslib_duplicate(LIBDIR "/firejail/libtrace.so"); | 386 | |
| 377 | else if (arg_tracelog) | 387 | // ... and for sandbox in sandbox functionality |
| 378 | fslib_duplicate(LIBDIR "/firejail/libtracelog.so"); | 388 | fslib_copy_libs(LIBDIR "/firejail/faudit"); |
| 379 | 389 | fslib_copy_libs(LIBDIR "/firejail/fbuilder"); | |
| 390 | fslib_copy_libs(LIBDIR "/firejail/fcopy"); | ||
| 391 | fslib_copy_libs(LIBDIR "/firejail/fldd"); | ||
| 392 | fslib_copy_libs(LIBDIR "/firejail/fnet"); | ||
| 393 | fslib_copy_libs(LIBDIR "/firejail/fseccomp"); | ||
| 394 | fslib_copy_libs(LIBDIR "/firejail/ftee"); | ||
| 380 | // mount lib filesystem | 395 | // mount lib filesystem |
| 381 | mount_directories(); | 396 | mount_directories(); |
| 382 | } | 397 | } |