private-lib: add std C library and locale by default

author: netblue30 <netblue30@yahoo.com> 2017-10-04 08:29:31 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-10-04 08:29:31 -0400
commit: 63e177af7278012d7064d4e1695d3a500f51c9eb (patch)
tree: 57b64ed01d1b888f2bc3db304a4928c6bd2eaa61 /src/firejail/fs_lib.c
parent: updated authors list (diff)
download: firejail-63e177af7278012d7064d4e1695d3a500f51c9eb.tar.gz
firejail-63e177af7278012d7064d4e1695d3a500f51c9eb.tar.zst
firejail-63e177af7278012d7064d4e1695d3a500f51c9eb.zip
1 files changed, 84 insertions, 5 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index cdfd4a6e2..abd7cee1a 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <dirent.h>
 #define MAXBUF 4096
@@ -133,6 +134,85 @@ static char *valid_file(const char *lib) {
        return NULL;
 }
+// standard libc libraries based on Debian's libc6 package
+// selinux seems to be linked in most command line utilities
+// locale (/usr/lib/locale) - without it, the program will default to "C" locale
+typedef struct liblist_t {
+        const char *name;
+        int len;
+} LibList;
+static LibList libc_list[] = {
+//      { "locale", 0 },   hardcoded!
+        { "libselinux.so.", 0 },
+        { "ld-linux-x86-64.so.", 0 },
+        { "libanl.so.", 0 },
+        { "libc.so.", 0 },
+        { "libcidn.so.", 0 },
+        { "libcrypt.so.", 0 },
+        { "libdl.so.", 0 },
+        { "libm.so.", 0 },
+        { "libmemusage.so", 0 },
+        { "libmvec.so.", 0 },
+        { "libnsl.so.", 0 },
+        { "libnss_compat.so.", 0 },
+        { "libnss_dns.so.", 0 },
+        { "libnss_files.so.", 0 },
+        { "libnss_hesiod.so.", 0 },
+        { "libnss_nisplus.so.", 0 },
+        { "libnss_nis.so.", 0 },
+        { "libpthread.so.", 0 },
+        { "libresolv.so.", 0 },
+        { "librt.so.", 0 },
+        { "libthread_db.so.", 0 },
+        { "libutil.so.", 0 },
+        { NULL, 0}
+};
+static int find(const char *name) {
+        assert(name);
+        int i = 0;
+        while (libc_list[i].name) {
+                if (libc_list[i].len == 0)
+                        libc_list[i].len = strlen(libc_list[i].name);
+                if (strncmp(name, libc_list[i].name, libc_list[i].len) == 0)
+                        return 1;
+                i++;
+        }
+        return 0;
+}
+// compare the files in dirname against liblist above
+static void walk_directory(const char *dirname, const char *destdir) {
+        assert(dirname);
+        assert(destdir);
+        DIR *dir = opendir(dirname);
+        if (dir) {
+                struct dirent *entry;
+                while ((entry = readdir(dir)) != NULL) {
+                        if (strcmp(entry->d_name, ".") == 0)
+                                continue;
+                        if (strcmp(entry->d_name, "..") == 0)
+                                continue;
+                        
+                        if (find(entry->d_name)) {
+                                char *fname;
+                                if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
+                                        errExit("asprintf");
+                                if (is_dir(fname))
+                                        copy_directory(fname, entry->d_name, RUN_LIB_DIR);
+                                else
+                                        duplicate(fname, destdir);
+                        }
+                }
+                closedir(dir);
+        }
+        else
+                fprintf(stderr, "Error: cannot open %s in order to set --private-lib\n", dirname);
+}
 void fs_private_lib(void) {
 #ifndef __x86_64__
@@ -149,14 +229,13 @@ void fs_private_lib(void) {
        // create /run/firejail/mnt/lib directory
        mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
-        //  fix libselinux linking problem on Debian stretch; the library is
-        //  linked in most  basic command utilities (ls, cp, find etc.), and it
-        //  seems to have a path hardlinked under /lib/x86_64-linux-gnu directory.
        struct stat s;
-        if (stat("/lib/x86_64-linux-gnu/libselinux.so.1", &s) == 0) {
+        if (stat("/lib/x86_64-linux-gnu", &s) == 0) {
                mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
-                duplicate("/lib/x86_64-linux-gnu/libselinux.so.1", RUN_LIB_DIR "/x86_64-linux-gnu");
+                walk_directory("/lib/x86_64-linux-gnu", RUN_LIB_DIR "/x86_64-linux-gnu");
        }
+        if (stat("/usr/lib/locale", &s) == 0)
+                copy_directory("/usr/lib/locale", "locale", RUN_LIB_DIR);
        // copy the libs in the new lib directory for the main exe
        if (cfg.original_program_index > 0)
author	netblue30 <netblue30@yahoo.com>	2017-10-04 08:29:31 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-10-04 08:29:31 -0400
commit	63e177af7278012d7064d4e1695d3a500f51c9eb (patch)
tree	57b64ed01d1b888f2bc3db304a4928c6bd2eaa61 /src/firejail/fs_lib.c
parent	updated authors list (diff)
download	firejail-63e177af7278012d7064d4e1695d3a500f51c9eb.tar.gz firejail-63e177af7278012d7064d4e1695d3a500f51c9eb.tar.zst firejail-63e177af7278012d7064d4e1695d3a500f51c9eb.zip

diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index cdfd4a6e2..abd7cee1a 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c
@@ -22,6 +22,7 @@
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <sys/types.h>	23	#include <sys/types.h>
24	#include <unistd.h>	24	#include <unistd.h>
		25	#include <dirent.h>
25		26
26	#define MAXBUF 4096	27	#define MAXBUF 4096
27		28
@@ -133,6 +134,85 @@ static char valid_file(const char lib) {
133	return NULL;	134	return NULL;
134	}	135	}
135		136
		137	// standard libc libraries based on Debian's libc6 package
		138	// selinux seems to be linked in most command line utilities
		139	// locale (/usr/lib/locale) - without it, the program will default to "C" locale
		140	typedef struct liblist_t {
		141	const char *name;
		142	int len;
		143	} LibList;
		144
		145	static LibList libc_list[] = {
		146	// { "locale", 0 }, hardcoded!
		147	{ "libselinux.so.", 0 },
		148	{ "ld-linux-x86-64.so.", 0 },
		149	{ "libanl.so.", 0 },
		150	{ "libc.so.", 0 },
		151	{ "libcidn.so.", 0 },
		152	{ "libcrypt.so.", 0 },
		153	{ "libdl.so.", 0 },
		154	{ "libm.so.", 0 },
		155	{ "libmemusage.so", 0 },
		156	{ "libmvec.so.", 0 },
		157	{ "libnsl.so.", 0 },
		158	{ "libnss_compat.so.", 0 },
		159	{ "libnss_dns.so.", 0 },
		160	{ "libnss_files.so.", 0 },
		161	{ "libnss_hesiod.so.", 0 },
		162	{ "libnss_nisplus.so.", 0 },
		163	{ "libnss_nis.so.", 0 },
		164	{ "libpthread.so.", 0 },
		165	{ "libresolv.so.", 0 },
		166	{ "librt.so.", 0 },
		167	{ "libthread_db.so.", 0 },
		168	{ "libutil.so.", 0 },
		169	{ NULL, 0}
		170	};
		171
		172	static int find(const char *name) {
		173	assert(name);
		174
		175	int i = 0;
		176	while (libc_list[i].name) {
		177	if (libc_list[i].len == 0)
		178	libc_list[i].len = strlen(libc_list[i].name);
		179	if (strncmp(name, libc_list[i].name, libc_list[i].len) == 0)
		180	return 1;
		181	i++;
		182	}
		183	return 0;
		184	}
		185
		186	// compare the files in dirname against liblist above
		187	static void walk_directory(const char dirname, const char destdir) {
		188	assert(dirname);
		189	assert(destdir);
		190
		191	DIR *dir = opendir(dirname);
		192	if (dir) {
		193	struct dirent *entry;
		194	while ((entry = readdir(dir)) != NULL) {
		195	if (strcmp(entry->d_name, ".") == 0)
		196	continue;
		197	if (strcmp(entry->d_name, "..") == 0)
		198	continue;
		199
		200	if (find(entry->d_name)) {
		201	char *fname;
		202	if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
		203	errExit("asprintf");
		204
		205	if (is_dir(fname))
		206	copy_directory(fname, entry->d_name, RUN_LIB_DIR);
		207	else
		208	duplicate(fname, destdir);
		209	}
		210	}
		211	closedir(dir);
		212	}
		213	else
		214	fprintf(stderr, "Error: cannot open %s in order to set --private-lib\n", dirname);
		215	}
136		216
137	void fs_private_lib(void) {	217	void fs_private_lib(void) {
138	#ifndef __x86_64__	218	#ifndef __x86_64__
@@ -149,14 +229,13 @@ void fs_private_lib(void) {
149	// create /run/firejail/mnt/lib directory	229	// create /run/firejail/mnt/lib directory
150	mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);	230	mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
151		231
152	// fix libselinux linking problem on Debian stretch; the library is
153	// linked in most basic command utilities (ls, cp, find etc.), and it
154	// seems to have a path hardlinked under /lib/x86_64-linux-gnu directory.
155	struct stat s;	232	struct stat s;
156	if (stat("/lib/x86_64-linux-gnu/libselinux.so.1", &s) == 0) {	233	if (stat("/lib/x86_64-linux-gnu", &s) == 0) {
157	mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);	234	mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
158	duplicate("/lib/x86_64-linux-gnu/libselinux.so.1", RUN_LIB_DIR "/x86_64-linux-gnu");	235	walk_directory("/lib/x86_64-linux-gnu", RUN_LIB_DIR "/x86_64-linux-gnu");
159	}	236	}
		237	if (stat("/usr/lib/locale", &s) == 0)
		238	copy_directory("/usr/lib/locale", "locale", RUN_LIB_DIR);
160		239
161	// copy the libs in the new lib directory for the main exe	240	// copy the libs in the new lib directory for the main exe
162	if (cfg.original_program_index > 0)	241	if (cfg.original_program_index > 0)