Merge pull request #3867 from smitsohu/non-dumpable

return to non-dumpable plugins
author: smitsohu <smitsohu@gmail.com> 2021-01-15 14:31:16 +0100
committer: GitHub <noreply@github.com> 2021-01-15 14:31:16 +0100
commit: 1e136df0f0f1c86d0181d796f5719c42164bab1e (patch)
tree: 122f4874026666ff7a539cb5e4096223ef799abd /src/firejail
parent: bug_report.md: improve wording (upstream/duplicates) (diff)
parent: fix broken tests and regression on 45304621a6c600d8e30e98bfbef05149caaf56c5 (diff)
download: firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.tar.gz
firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.tar.zst
firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.zip
5 files changed, 12 insertions, 28 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 80987e494..9ea3edcd0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -513,7 +513,6 @@ void check_private_dir(void);
 void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
-const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 uid_t get_group_id(const char *group);
 int remove_overlay_directory(void);
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index d5b392d71..b76999d8f 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -336,6 +336,12 @@ void fs_private_lib(void) {
        // start timetrace
        timetrace_start();
+        // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
+        fslib_install_list(PATH_FIREJAIL);
+        // bring in firejail directory
+        fslib_install_list("firejail");
        // copy the libs in the new lib directory for the main exe
        if (cfg.original_program_index > 0) {
                if (arg_debug || arg_debug_private_lib)
@@ -374,13 +380,6 @@ void fs_private_lib(void) {
                printf("Installing system libraries\n");
        fslib_install_system();
-        // bring in firejail directory for --trace and seccomp post exec
-        // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
-        fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable
-        // install libraries needed by fcopy
-        fslib_install_list(PATH_FCOPY);
        fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
                dir_cnt, (dir_cnt == 1)? "directory": "directories");
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index b2ae07f3e..758e079a4 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -30,6 +30,7 @@ extern void fslib_copy_dir(const char *full_path);
 //***************************************************************
 // standard libc libraries based on Debian's libc6 package
 // selinux seems to be linked in most command line utilities
+// libpcre2 is a dependency of selinux
 // locale (/usr/lib/locale) - without it, the program will default to "C" locale
 typedef struct liblist_t {
        const char *name;
@@ -38,6 +39,7 @@ typedef struct liblist_t {
 static LibList libc_list[] = {
        { "libselinux.so.", 0 },
+        { "libpcre2-8.so.", 0 },
        { "libapparmor.so.", 0},
        { "ld-linux-x86-64.so.", 0 },
        { "libanl.so.", 0 },
@@ -104,16 +106,19 @@ static void stdc(const char *dirname) {
 void fslib_install_stdc(void) {
        // install standard C libraries
+        timetrace_start();
        struct stat s;
        char *stdclib = "/lib64";                 // CentOS, Fedora, Arch
        if (stat("/lib/x86_64-linux-gnu", &s) == 0) {   // Debian & friends
+                // PT_INTERP
+                fslib_duplicate("/lib64/ld-linux-x86-64.so.2");
                mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
                selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu");
                stdclib = "/lib/x86_64-linux-gnu";
        }
-        timetrace_start();
        stdc(stdclib);
        // install locale
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e5d8a4720..0f0086a6e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1231,11 +1231,6 @@ int main(int argc, char **argv, char **envp) {
        }
        EUID_ASSERT();
-#ifdef WARN_DUMPABLE
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error: Firejail is dumpable\n");
-#endif
        // check for force-nonewprivs in /etc/firejail/firejail.config file
        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6cac535db..911c8bd94 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -811,20 +811,6 @@ void notify_other(int fd) {
        fclose(stream);
 }
-// Equivalent to the GNU version of basename, which is incompatible with
-// the POSIX basename. A few lines of code saves any portability pain.
-// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
-const char *gnu_basename(const char *path) {
-        const char *last_slash = strrchr(path, '/');
-        if (!last_slash)
-                return path;
-        return last_slash+1;
-}
 uid_t pid_get_uid(pid_t pid) {
        EUID_ASSERT();
        uid_t rv = 0;
author	smitsohu <smitsohu@gmail.com>	2021-01-15 14:31:16 +0100
committer	GitHub <noreply@github.com>	2021-01-15 14:31:16 +0100
commit	1e136df0f0f1c86d0181d796f5719c42164bab1e (patch)
tree	122f4874026666ff7a539cb5e4096223ef799abd /src/firejail
parent	bug_report.md: improve wording (upstream/duplicates) (diff)
parent	fix broken tests and regression on 45304621a6c600d8e30e98bfbef05149caaf56c5 (diff)
download	firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.tar.gz firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.tar.zst firejail-1e136df0f0f1c86d0181d796f5719c42164bab1e.zip