authorLibravatar startx2017 <vradu.startx@yandex.com>2018-03-12 08:41:01 -0400
committerLibravatar startx2017 <vradu.startx@yandex.com>2018-03-12 08:41:01 -0400
commit14b5746d8fba392c02733ce4c90befc32a93fb15 (patch)
tree2ac6a7de4adaafc730511a70f11b88aca1f47244 /src/firejail
parentfix bash on CentOS 7 (diff)
private-lib bug: 32 bit libraries being copied instead of 64 bit versions; splitting common code for firejail and fldd in a common static library
Diffstat (limited to 'src/firejail')
-rw-r--r--src/firejail/Makefile.in4
-rw-r--r--src/firejail/fs_lib.c47
2 files changed, 29 insertions, 22 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 146bf8242..01cb929e2 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -36,8 +36,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h 36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
38 38
39firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o 39firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) 40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
41 41
42clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno 42clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno
43 43
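Review bot: The `%.o` pattern rule at line 36 (context in this hunk) lists the ../include headers every object depends on, but not `../include/ldd_utils.h`, which fs_lib.c starts including in this same commit, so a later change to that header would not trigger a rebuild of fs_lib.o. Add it to the prerequisites: `%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/ldd_utils.h`. The commit message describes the shared code as a common static library, while the link line adds the object file `../lib/ldd_utils.o` directly; either is fine, but the description should match what the build does.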
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index f7351339c..8a105be97 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -18,6 +18,7 @@
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 */ 19 */
20#include "firejail.h" 20#include "firejail.h"
21#include "../include/ldd_utils.h"
21#include <sys/mount.h> 22#include <sys/mount.h>
22#include <sys/stat.h> 23#include <sys/stat.h>
23#include <sys/types.h> 24#include <sys/types.h>
@@ -25,17 +26,6 @@
25#include <dirent.h> 26#include <dirent.h>
26#define MAXBUF 4096 27#define MAXBUF 4096
27 28
28static const char * const lib_paths[] = {
29 "/lib",
30 "/lib/x86_64-linux-gnu",
31 "/lib64",
32 "/usr/lib",
33 "/usr/lib/x86_64-linux-gnu",
34 LIBDIR,
35 "/usr/local/lib",
36 NULL
37}; // Note: this array is duplicated in src/fldd/main.c
38
39extern void fslib_install_stdc(void); 29extern void fslib_install_stdc(void);
40extern void fslib_install_system(void); 30extern void fslib_install_system(void);
41 31
@@ -47,9 +37,9 @@ static void report_duplication(const char *full_path) {
47 if (fname && *(++fname) != '\0') { 37 if (fname && *(++fname) != '\0') {
48 // report the file on all bin paths 38 // report the file on all bin paths
49 int i = 0; 39 int i = 0;
50 while (lib_paths[i]) { 40 while (default_lib_paths[i]) {
51 char *p; 41 char *p;
52 if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1) 42 if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1)
53 errExit("asprintf"); 43 errExit("asprintf");
54 fs_logger2("clone", p); 44 fs_logger2("clone", p);
55 free(p); 45 free(p);
@@ -194,19 +184,24 @@ static char *valid_file(const char *lib) {
194 184
195 // find the library 185 // find the library
196 int i; 186 int i;
197 for (i = 0; lib_paths[i]; i++) { 187 for (i = 0; default_lib_paths[i]; i++) {
198 char *fname; 188 char *fname;
199 if (asprintf(&fname, "%s/%s", lib_paths[i], lib) == -1) 189 if (asprintf(&fname, "%s/%s", default_lib_paths[i], lib) == -1)
200 errExit("asprintf"); 190 errExit("asprintf");
201 191
202 // existing file owned by root, read access 192 // existing file owned by root, read access
203 struct stat s; 193 struct stat s;
204 if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) { 194 if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) {
205 return fname; 195 if (is_dir(fname))
196 return fname;
197 // for regular libraries check if it is 64bit
198 if (is_lib_64(fname))
199 return fname;
200 // if not 64bit, continue searching
206 } 201 }
207 free(fname); 202 free(fname);
208 } 203 }
209 204printf("not found %s\n", lib);
210 fwarning("%s library not found, skipping...\n", lib); 205 fwarning("%s library not found, skipping...\n", lib);
211 return NULL; 206 return NULL;
212} 207}
@@ -268,25 +263,33 @@ void fs_private_lib(void) {
268 mkdir_attr(RUN_LIB_DIR, 0755, 0, 0); 263 mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
269 264
270 // install standard C libraries 265 // install standard C libraries
266 if (arg_debug || arg_debug_private_lib)
267 printf("*** Installing standard C library\n");
271 fslib_install_stdc(); 268 fslib_install_stdc();
272 269
270 // start timetrace
273 timetrace_start(); 271 timetrace_start();
274 272
275 // copy the libs in the new lib directory for the main exe 273 // copy the libs in the new lib directory for the main exe
276 if (cfg.original_program_index > 0) 274 if (cfg.original_program_index > 0) {
275 if (arg_debug || arg_debug_private_lib)
276 printf("*** Installing sandboxed program libraries\n");
277 fslib_copy_libs(cfg.original_argv[cfg.original_program_index]); 277 fslib_copy_libs(cfg.original_argv[cfg.original_program_index]);
278 }
278 279
279 // for the shell 280 // for the shell
280 if (!arg_shell_none) { 281 if (!arg_shell_none) {
282 if (arg_debug || arg_debug_private_lib)
283 printf("*** Installing shell libraries\n");
281 fslib_copy_libs(cfg.shell); 284 fslib_copy_libs(cfg.shell);
282 // a shell is useless without ls command 285 // a shell is useless without ls command
283 fslib_copy_libs("/bin/ls"); 286 fslib_copy_libs("/bin/ls");
284 } 287 }
285 288
286 // for the listed libs 289 // for the listed libs and directories
287 if (private_list && *private_list != '\0') { 290 if (private_list && *private_list != '\0') {
288 if (arg_debug || arg_debug_private_lib) 291 if (arg_debug || arg_debug_private_lib)
289 printf("Copying extra files (%s) in the new lib directory\n", private_list); 292 printf("*** Processing private-lib files (%s)\n", private_list);
290 293
291 char *dlist = strdup(private_list); 294 char *dlist = strdup(private_list);
292 if (!dlist) 295 if (!dlist)
@@ -322,6 +325,8 @@ void fs_private_lib(void) {
322 325
323 // for private-bin files 326 // for private-bin files
324 if (arg_private_bin) { 327 if (arg_private_bin) {
328 if (arg_debug || arg_debug_private_lib)
329 printf("*** Processing private-bin files\n");
325 FILE *fp = fopen(RUN_LIB_BIN, "r"); 330 FILE *fp = fopen(RUN_LIB_BIN, "r");
326 if (fp) { 331 if (fp) {
327 char buf[MAXBUF]; 332 char buf[MAXBUF];
@@ -368,6 +373,8 @@ void fs_private_lib(void) {
368 fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); 373 fmessage("Program libraries installed in %0.2f ms\n", timetrace_end());
369 374
370 // install the reset of the system libraries 375 // install the reset of the system libraries
376 if (arg_debug || arg_debug_private_lib)
377 printf("*** Installing system libraries\n");
371 fslib_install_system(); 378 fslib_install_system();
372 379
373 fmessage("Installed %d libraries and %d directories\n", lib_cnt, dir_cnt); 380 fmessage("Installed %d libraries and %d directories\n", lib_cnt, dir_cnt);
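Review bot: The `printf("not found %s\n", lib);` added at new line 204 of valid_file looks like a leftover debug print: it is unindented, writes to stdout unconditionally, and duplicates the fwarning on the following line; drop it, or at least guard it with `if (arg_debug || arg_debug_private_lib)` like the other messages this commit adds in fs_private_lib. In the same hunk, a root-owned readable file that is neither a directory nor accepted by is_lib_64 is now skipped without any message and the search moves to the next path; is_lib_64 is defined in ldd_utils outside this diff, so if it only accepts ELF64 objects, non-ELF entries such as a text linker script would also be rejected, and a comment at `// if not 64bit, continue searching` stating exactly what is_lib_64 accepts would make that intent explicit. The five `if (arg_debug || arg_debug_private_lib) printf("*** ...")` pairs in fs_private_lib could become one small static helper so the debug condition lives in one place. Both valid_file and fs_private_lib start and end outside the hunks shown.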