Merge pull request #4042 from smitsohu/privatelib6

private-lib hardening
author: netblue30 <netblue30@protonmail.com> 2021-03-05 10:57:13 -0500
committer: GitHub <noreply@github.com> 2021-03-05 10:57:13 -0500
commit: 72802227a3c7603d56d6d28d5aaa00cc6ab91ea6 (patch)
tree: 5e284134257fde499107fddf1cb1fb458d891f98 /src/firejail/fs_lib.c
parent: Merge pull request #4041 from smitsohu/trace (diff)
parent: private-lib hardening (diff)
download: firejail-72802227a3c7603d56d6d28d5aaa00cc6ab91ea6.tar.gz
firejail-72802227a3c7603d56d6d28d5aaa00cc6ab91ea6.tar.zst
firejail-72802227a3c7603d56d6d28d5aaa00cc6ab91ea6.zip
1 files changed, 29 insertions, 2 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 7e9666fc0..7c5a22699 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -34,6 +34,31 @@ extern void fslib_install_system(void);
 static int lib_cnt = 0;
 static int dir_cnt = 0;
+static const char *lib_dirs[] = {
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        NULL,
+};
+// return 1 if the file is in lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+        int i = 0;
+        while (lib_dirs[i]) {
+                if (strncmp(full_path, lib_dirs[i], strlen(lib_dirs[i])) == 0 &&
+                    full_path[strlen(lib_dirs[i])] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
 char *find_in_path(const char *program) {
        EUID_ASSERT();
        if (arg_debug)
@@ -108,7 +133,8 @@ void fslib_duplicate(const char *full_path) {
        assert(full_path);
        struct stat s;
-        if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK))
+        if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)
+           || !valid_full_path(full_path))
                return;
        char *dest_dir = build_dest_dir(full_path);
@@ -208,7 +234,8 @@ void fslib_copy_dir(const char *full_path) {
        // do nothing if the directory does not exist or is not owned by root
        struct stat s;
-        if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK))
+        if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)
+           || !valid_full_path(full_path))
                return;
        char *dir_name = strrchr(full_path, '/');
author	netblue30 <netblue30@protonmail.com>	2021-03-05 10:57:13 -0500
committer	GitHub <noreply@github.com>	2021-03-05 10:57:13 -0500
commit	72802227a3c7603d56d6d28d5aaa00cc6ab91ea6 (patch)
tree	5e284134257fde499107fddf1cb1fb458d891f98 /src/firejail/fs_lib.c
parent	Merge pull request #4041 from smitsohu/trace (diff)
parent	private-lib hardening (diff)
download	firejail-72802227a3c7603d56d6d28d5aaa00cc6ab91ea6.tar.gz firejail-72802227a3c7603d56d6d28d5aaa00cc6ab91ea6.tar.zst firejail-72802227a3c7603d56d6d28d5aaa00cc6ab91ea6.zip

diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 7e9666fc0..7c5a22699 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c
@@ -34,6 +34,31 @@ extern void fslib_install_system(void);
34	static int lib_cnt = 0;	34	static int lib_cnt = 0;
35	static int dir_cnt = 0;	35	static int dir_cnt = 0;
36		36
		37	static const char *lib_dirs[] = {
		38	"/usr/lib64",
		39	"/lib64",
		40	"/usr/lib",
		41	"/lib",
		42	"/usr/local/lib64",
		43	"/usr/local/lib",
		44	NULL,
		45	};
		46
		47	// return 1 if the file is in lib_dirs[]
		48	static int valid_full_path(const char *full_path) {
		49	if (strstr(full_path, ".."))
		50	return 0;
		51
		52	int i = 0;
		53	while (lib_dirs[i]) {
		54	if (strncmp(full_path, lib_dirs[i], strlen(lib_dirs[i])) == 0 &&
		55	full_path[strlen(lib_dirs[i])] == '/')
		56	return 1;
		57	i++;
		58	}
		59	return 0;
		60	}
		61
37	char find_in_path(const char program) {	62	char find_in_path(const char program) {
38	EUID_ASSERT();	63	EUID_ASSERT();
39	if (arg_debug)	64	if (arg_debug)
@@ -108,7 +133,8 @@ void fslib_duplicate(const char *full_path) {
108	assert(full_path);	133	assert(full_path);
109		134
110	struct stat s;	135	struct stat s;
111	if (stat(full_path, &s) != 0 \|\| s.st_uid != 0 \|\| access(full_path, R_OK))	136	if (stat(full_path, &s) != 0 \|\| s.st_uid != 0 \|\| access(full_path, R_OK)
		137	\|\| !valid_full_path(full_path))
112	return;	138	return;
113		139
114	char *dest_dir = build_dest_dir(full_path);	140	char *dest_dir = build_dest_dir(full_path);
@@ -208,7 +234,8 @@ void fslib_copy_dir(const char *full_path) {
208		234
209	// do nothing if the directory does not exist or is not owned by root	235	// do nothing if the directory does not exist or is not owned by root
210	struct stat s;	236	struct stat s;
211	if (stat(full_path, &s) != 0 \|\| s.st_uid != 0 \|\| !S_ISDIR(s.st_mode) \|\| access(full_path, R_OK))	237	if (stat(full_path, &s) != 0 \|\| s.st_uid != 0 \|\| !S_ISDIR(s.st_mode) \|\| access(full_path, R_OK)
		238	\|\| !valid_full_path(full_path))
212	return;	239	return;
213		240
214	char *dir_name = strrchr(full_path, '/');	241	char *dir_name = strrchr(full_path, '/');