diff options
author | 2021-01-15 14:31:16 +0100 | |
---|---|---|
committer | 2021-01-15 14:31:16 +0100 | |
commit | 1e136df0f0f1c86d0181d796f5719c42164bab1e (patch) | |
tree | 122f4874026666ff7a539cb5e4096223ef799abd /src/firejail | |
parent | bug_report.md: improve wording (upstream/duplicates) (diff) | |
parent | fix broken tests and regression on 45304621a6c600d8e30e98bfbef05149caaf56c5 (diff) | |
download | firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.tar.gz firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.tar.zst firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.zip |
Merge pull request #3867 from smitsohu/non-dumpable
return to non-dumpable plugins
Diffstat (limited to 'src/firejail')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 13 | ||||
-rw-r--r-- | src/firejail/fs_lib2.c | 7 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/util.c | 14 |
5 files changed, 12 insertions, 28 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 80987e494..9ea3edcd0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -513,7 +513,6 @@ void check_private_dir(void); | |||
513 | void update_map(char *mapping, char *map_file); | 513 | void update_map(char *mapping, char *map_file); |
514 | void wait_for_other(int fd); | 514 | void wait_for_other(int fd); |
515 | void notify_other(int fd); | 515 | void notify_other(int fd); |
516 | const char *gnu_basename(const char *path); | ||
517 | uid_t pid_get_uid(pid_t pid); | 516 | uid_t pid_get_uid(pid_t pid); |
518 | uid_t get_group_id(const char *group); | 517 | uid_t get_group_id(const char *group); |
519 | int remove_overlay_directory(void); | 518 | int remove_overlay_directory(void); |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index d5b392d71..b76999d8f 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -336,6 +336,12 @@ void fs_private_lib(void) { | |||
336 | // start timetrace | 336 | // start timetrace |
337 | timetrace_start(); | 337 | timetrace_start(); |
338 | 338 | ||
339 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | ||
340 | fslib_install_list(PATH_FIREJAIL); | ||
341 | |||
342 | // bring in firejail directory | ||
343 | fslib_install_list("firejail"); | ||
344 | |||
339 | // copy the libs in the new lib directory for the main exe | 345 | // copy the libs in the new lib directory for the main exe |
340 | if (cfg.original_program_index > 0) { | 346 | if (cfg.original_program_index > 0) { |
341 | if (arg_debug || arg_debug_private_lib) | 347 | if (arg_debug || arg_debug_private_lib) |
@@ -374,13 +380,6 @@ void fs_private_lib(void) { | |||
374 | printf("Installing system libraries\n"); | 380 | printf("Installing system libraries\n"); |
375 | fslib_install_system(); | 381 | fslib_install_system(); |
376 | 382 | ||
377 | // bring in firejail directory for --trace and seccomp post exec | ||
378 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | ||
379 | fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable | ||
380 | |||
381 | // install libraries needed by fcopy | ||
382 | fslib_install_list(PATH_FCOPY); | ||
383 | |||
384 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", | 383 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", |
385 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); | 384 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); |
386 | 385 | ||
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index b2ae07f3e..758e079a4 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -30,6 +30,7 @@ extern void fslib_copy_dir(const char *full_path); | |||
30 | //*************************************************************** | 30 | //*************************************************************** |
31 | // standard libc libraries based on Debian's libc6 package | 31 | // standard libc libraries based on Debian's libc6 package |
32 | // selinux seems to be linked in most command line utilities | 32 | // selinux seems to be linked in most command line utilities |
33 | // libpcre2 is a dependency of selinux | ||
33 | // locale (/usr/lib/locale) - without it, the program will default to "C" locale | 34 | // locale (/usr/lib/locale) - without it, the program will default to "C" locale |
34 | typedef struct liblist_t { | 35 | typedef struct liblist_t { |
35 | const char *name; | 36 | const char *name; |
@@ -38,6 +39,7 @@ typedef struct liblist_t { | |||
38 | 39 | ||
39 | static LibList libc_list[] = { | 40 | static LibList libc_list[] = { |
40 | { "libselinux.so.", 0 }, | 41 | { "libselinux.so.", 0 }, |
42 | { "libpcre2-8.so.", 0 }, | ||
41 | { "libapparmor.so.", 0}, | 43 | { "libapparmor.so.", 0}, |
42 | { "ld-linux-x86-64.so.", 0 }, | 44 | { "ld-linux-x86-64.so.", 0 }, |
43 | { "libanl.so.", 0 }, | 45 | { "libanl.so.", 0 }, |
@@ -104,16 +106,19 @@ static void stdc(const char *dirname) { | |||
104 | 106 | ||
105 | void fslib_install_stdc(void) { | 107 | void fslib_install_stdc(void) { |
106 | // install standard C libraries | 108 | // install standard C libraries |
109 | timetrace_start(); | ||
107 | struct stat s; | 110 | struct stat s; |
108 | char *stdclib = "/lib64"; // CentOS, Fedora, Arch | 111 | char *stdclib = "/lib64"; // CentOS, Fedora, Arch |
109 | 112 | ||
110 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends | 113 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends |
114 | // PT_INTERP | ||
115 | fslib_duplicate("/lib64/ld-linux-x86-64.so.2"); | ||
116 | |||
111 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); | 117 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); |
112 | selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); | 118 | selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); |
113 | stdclib = "/lib/x86_64-linux-gnu"; | 119 | stdclib = "/lib/x86_64-linux-gnu"; |
114 | } | 120 | } |
115 | 121 | ||
116 | timetrace_start(); | ||
117 | stdc(stdclib); | 122 | stdc(stdclib); |
118 | 123 | ||
119 | // install locale | 124 | // install locale |
diff --git a/src/firejail/main.c b/src/firejail/main.c index e5d8a4720..0f0086a6e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1231,11 +1231,6 @@ int main(int argc, char **argv, char **envp) { | |||
1231 | } | 1231 | } |
1232 | EUID_ASSERT(); | 1232 | EUID_ASSERT(); |
1233 | 1233 | ||
1234 | #ifdef WARN_DUMPABLE | ||
1235 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
1236 | fprintf(stderr, "Error: Firejail is dumpable\n"); | ||
1237 | #endif | ||
1238 | |||
1239 | // check for force-nonewprivs in /etc/firejail/firejail.config file | 1234 | // check for force-nonewprivs in /etc/firejail/firejail.config file |
1240 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | 1235 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) |
1241 | arg_nonewprivs = 1; | 1236 | arg_nonewprivs = 1; |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 6cac535db..911c8bd94 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -811,20 +811,6 @@ void notify_other(int fd) { | |||
811 | fclose(stream); | 811 | fclose(stream); |
812 | } | 812 | } |
813 | 813 | ||
814 | |||
815 | |||
816 | |||
817 | // Equivalent to the GNU version of basename, which is incompatible with | ||
818 | // the POSIX basename. A few lines of code saves any portability pain. | ||
819 | // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename | ||
820 | const char *gnu_basename(const char *path) { | ||
821 | const char *last_slash = strrchr(path, '/'); | ||
822 | if (!last_slash) | ||
823 | return path; | ||
824 | return last_slash+1; | ||
825 | } | ||
826 | |||
827 | |||
828 | uid_t pid_get_uid(pid_t pid) { | 814 | uid_t pid_get_uid(pid_t pid) { |
829 | EUID_ASSERT(); | 815 | EUID_ASSERT(); |
830 | uid_t rv = 0; | 816 | uid_t rv = 0; |