Private /lib feature

6 files changed, 269 insertions, 0 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b90c8d8ed..37e4aeb30 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -48,6 +48,7 @@
 #define RUN_SRV_DIR     "/run/firejail/mnt/srv"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
+#define RUN_LIB_DIR     "/run/firejail/mnt/lib"
 
 #define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
@@ -207,6 +208,7 @@ typedef struct config_t {
         char *opt_private_keep; // keep list for private opt directory
         char *srv_private_keep; // keep list for private srv directory
         char *bin_private_keep; // keep list for private bin directory
+        char *lib_private_keep; // keep list for private bin directory
         char *cwd;              // current working directory
         char *overlay_dir;
         char *private_template; // template dir for tmpfs home
@@ -328,6 +330,7 @@ extern int arg_private_opt;	// private opt directory
 extern int arg_private_srv;     // private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
+extern int arg_private_lib;     // private lib directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
 extern int arg_nosound; // disable sound
@@ -625,6 +628,9 @@ void pulseaudio_disable(void);
 // fs_bin.c
 void fs_private_bin_list(void);
 
+// fs_lib.c
+void fs_private_lib(void);
+
 // protocol.c
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
new file mode 100644
index 000000000..4d328af7f
--- /dev/null
+++ b/src/firejail/fs_lib.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <elf.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifdef __LP64__
+#define Elf_Ehdr Elf64_Ehdr
+#define Elf_Phdr Elf64_Phdr
+#define Elf_Shdr Elf64_Shdr
+#define Elf_Dyn Elf64_Dyn
+#else
+#define Elf_Ehdr Elf32_Ehdr
+#define Elf_Phdr Elf32_Phdr
+#define Elf_Shdr Elf32_Shdr
+#define Elf_Dyn Elf32_Dyn
+#endif
+
+static const char * const lib_paths[] = {
+        "/lib",
+        "/lib/x86_64-linux-gnu",
+        "/lib64",
+        "/usr/lib",
+        "/usr/lib/x86_64-linux-gnu",
+        LIBDIR,
+        "/usr/local/lib",
+        NULL
+};
+
+static void copy_libs_for_lib(const char *lib, const char *private_run_dir);
+
+static void duplicate(const char *fname, const char *private_run_dir) {
+        if (arg_debug)
+                printf("copying %s to private %s\n", fname, private_run_dir);
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", fname, private_run_dir);
+}
+
+static void copy_libs_for_exe(const char *exe, const char *private_run_dir) {
+        if (arg_debug)
+                printf("copy libs for %s\n", exe);
+        int f;
+        f = open(exe, O_RDONLY);
+        if (f < 0)
+                return;
+        struct stat s;
+        char *base = NULL;
+        if (fstat(f, &s) == -1)
+                goto error_close;
+        base = mmap(0, s.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, f, 0);
+        if (base == MAP_FAILED)
+                goto error_close;
+
+        Elf_Ehdr *ebuf = (Elf_Ehdr *)base;
+        if (strncmp((const char *)ebuf->e_ident, ELFMAG, SELFMAG) != 0)
+                goto close;
+
+        Elf_Phdr *pbuf = (Elf_Phdr *)(base + sizeof(*ebuf));
+        while (ebuf->e_phnum-- > 0) {
+                switch (pbuf->p_type) {
+                case PT_INTERP:
+                        // dynamic loader ld-linux.so
+                        duplicate(base + pbuf->p_offset, private_run_dir);
+                        break;
+                }
+                pbuf++;
+        }
+
+        Elf_Shdr *sbuf = (Elf_Shdr *)(base + ebuf->e_shoff);
+
+        // Find strings section
+        char *strbase = NULL;
+        int sections = ebuf->e_shnum;
+        while (sections-- > 0) {
+                if (sbuf->sh_type == SHT_STRTAB) {
+                        strbase = base + sbuf->sh_offset;
+                        break;
+                }
+                sbuf++;
+        }
+        if (strbase == NULL)
+                goto error_close;
+
+        // Find dynamic section
+        sections = ebuf->e_shnum;
+        while (sections-- > 0) {
+                if (sbuf->sh_type == SHT_DYNAMIC) {
+                        // Find DT_NEEDED tags
+                        Elf_Dyn *dbuf = (Elf_Dyn *)(base + sbuf->sh_offset);
+                        while (sbuf->sh_size >= sizeof(*dbuf)) {
+                                if (dbuf->d_tag == DT_NEEDED) {
+                                        const char *lib = strbase + dbuf->d_un.d_ptr;
+                                        copy_libs_for_lib(lib, private_run_dir);
+                                }
+                                sbuf->sh_size -= sizeof(*dbuf);
+                                dbuf++;
+                        }
+                }
+                sbuf++;
+        }
+        goto close;
+
+ error_close:
+        perror("copy libs");
+ close:
+        if (base)
+                munmap(base, s.st_size);
+        close(f);
+}
+
+static void copy_libs_for_lib(const char *lib, const char *private_run_dir) {
+        for (int i = 0; lib_paths[i]; i++) {
+                char *fname;
+                if (asprintf(&fname, "%s/%s", lib_paths[i], lib) == -1)
+                        errExit("asprintf");
+                if (access(fname, R_OK) == 0) {
+                        char *dst;
+                        if (asprintf(&dst, "%s/%s", private_run_dir, lib) == -1)
+                                errExit("asprintf");
+
+                        if (access(dst, R_OK) != 0) {
+                                duplicate(fname, private_run_dir);
+                                // libs may need other libs
+                                copy_libs_for_exe(fname, private_run_dir);
+                        }
+                        free(dst);
+                        free(fname);
+                        return;
+                }
+                free(fname);
+        }
+        errExit("library not found");
+}
+
+void fs_private_lib(void) {
+        char *private_list = cfg.lib_private_keep;
+        assert(private_list);
+
+        // create /run/firejail/mnt/lib directory
+        mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
+
+        // copy the libs in the new lib directory for the main exe
+        if (cfg.original_program_index > 0)
+                copy_libs_for_exe(cfg.original_argv[cfg.original_program_index], RUN_LIB_DIR);
+
+        // for the shell
+        if (!arg_shell_none)
+                copy_libs_for_exe(cfg.shell, RUN_LIB_DIR);
+
+        // for the listed libs
+        if (*private_list != '\0') {
+                if (arg_debug)
+                        printf("Copying extra files in the new lib directory:\n");
+
+                char *dlist = strdup(private_list);
+                if (!dlist)
+                        errExit("strdup");
+
+                char *ptr = strtok(dlist, ",");
+                copy_libs_for_lib(ptr, RUN_LIB_DIR);
+
+                while ((ptr = strtok(NULL, ",")) != NULL)
+                        copy_libs_for_lib(ptr, RUN_LIB_DIR);
+                free(dlist);
+                fs_logger_print();
+        }
+
+        if (arg_debug)
+                printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
+        if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        fs_logger("mount /lib");
+        if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        fs_logger("mount /lib64");
+        if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        fs_logger("mount /usr/lib");
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c055a1537..4ed8e30c9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_private_opt = 0;			// private opt directory
 int arg_private_srv = 0;                        // private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
+int arg_private_lib = 0;                        // private lib directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
 int arg_nosound = 0;                            // disable sound
@@ -1622,6 +1623,15 @@ int main(int argc, char **argv) {
                                 cfg.bin_private_keep = argv[i] + 14;
                         arg_private_bin = 1;
                 }
+                else if (strncmp(argv[i], "--private-lib=", 14) == 0) {
+                        // extract private lib list (if any)
+                        if (cfg.lib_private_keep) {
+                                if (asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0 )
+                                        errExit("asprintf");
+                        } else
+                                cfg.lib_private_keep = argv[i] + 14;
+                        arg_private_lib = 1;
+                }
                 else if (strcmp(argv[i], "--private-tmp") == 0) {
                         arg_private_tmp = 1;
                 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 18891ac58..f084edaad 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -849,6 +849,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        // private /lib list of files
+        if (strncmp(ptr, "private-lib ", 12) == 0) {
+                if (cfg.lib_private_keep) {
+                        if (asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, ptr + 12) < 0 )
+                                errExit("asprintf");
+                } else {
+                        cfg.lib_private_keep = ptr + 12;
+                }
+                arg_private_lib = 1;
+                return 0;
+        }
+
 
 #ifdef HAVE_OVERLAYFS
         if (strncmp(ptr, "overlay-named ", 14) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 55733d5d7..4b30cb991 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -811,6 +811,16 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
+        if (arg_private_lib) {
+                if (cfg.chrootdir)
+                        fwarning("private-lib feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fwarning("private-lib feature is disabled in overlay\n");
+                else {
+                        fs_private_lib();
+                }
+        }
+
         if (arg_private_tmp) {
                 if (cfg.chrootdir)
                         fwarning("private-tmp feature is disabled in chroot\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd47800c5..0ce72f845 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1232,6 +1232,34 @@ $ ls /bin
 bash  cat  ls  sed
 
 .TP
+\fB\-\-private-lib=file,file
+Build a new /lib in a temporary filesystem. For command to be executed,
+the shell (if \-\-shell=none is not used), and the listed libraries
+find out dynamic libraries and copy them to the /lib directory.
+If no listed file is found, /lib directory will be empty and no programs will be able to execute.
+The same directory is also bind-mounted over /lib64 and /usr/lib.
+All modifications are discarded when the sandbox is closed.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+.br
+Parent pid 15733, child pid 15734
+.br
+Child process initialized in 69.61 ms
+.br
+/bin:
+.br
+ls
+.br
+.br
+/lib:
+.br
+ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpcre.so.3  libpthread.so.0  libselinux.so.1
+
+.TP
 \fB\-\-private-dev
 Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 .br