author | netblue30 <netblue30@protonmail.com> | 2021-03-05 10:57:13 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-05 10:57:13 -0500 |
commit | 72802227a3c7603d56d6d28d5aaa00cc6ab91ea6 (patch) | |
tree | 5e284134257fde499107fddf1cb1fb458d891f98 /src | |
parent | Merge pull request #4041 from smitsohu/trace (diff) | |
parent | private-lib hardening (diff) | |
Merge pull request #4042 from smitsohu/privatelib6
private-lib hardening
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_lib.c | 31 |
1 files changed, 29 insertions, 2 deletions
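--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -34,6 +34,31 @@ extern void fslib_install_system(void);
 static int lib_cnt = 0;
 static int dir_cnt = 0;
 
+static const char *lib_dirs[] = {
+"/usr/lib64",
+"/lib64",
+"/usr/lib",
+"/lib",
+"/usr/local/lib64",
+"/usr/local/lib",
+NULL,
+};
+
+// return 1 if the file is in lib_dirs[]
+static int valid_full_path(const char *full_path) {
+if (strstr(full_path, ".."))
+return 0;
+
+int i = 0;
+while (lib_dirs[i]) {
+if (strncmp(full_path, lib_dirs[i], strlen(lib_dirs[i])) == 0 &&
+full_path[strlen(lib_dirs[i])] == '/')
+return 1;
+i++;
+}
+return 0;
+}
+
 char *find_in_path(const char *program) {
 EUID_ASSERT();
 if (arg_debug)
@@ -108,7 +133,8 @@ void fslib_duplicate(const char *full_path) {
 assert(full_path);
 
 struct stat s;
-if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK))
+if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)
+|| !valid_full_path(full_path))
 return;
 
 char *dest_dir = build_dest_dir(full_path);
@@ -208,7 +234,8 @@ void fslib_copy_dir(const char *full_path) {
 
 // do nothing if the directory does not exist or is not owned by root
 struct stat s;
-if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK))
+if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)
+|| !valid_full_path(full_path))
 return;
 
 char *dir_name = strrchr(full_path, '/');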
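Review bot: In fslib_duplicate() and fslib_copy_dir() the new valid_full_path() test is the last term of the condition, so stat() and access() still run on paths the allow-list would reject; putting the string check first keeps every filesystem call inside lib_dirs[], e.g. `if (!valid_full_path(full_path) || stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK))`. valid_full_path() is also purely lexical: it compares the path as given and does not resolve symlinks, while stat() follows them, so the check constrains the name and not necessarily the file that is copied afterwards. Its comment should state that and the `..` rule, for instance `// return 1 if full_path starts with a lib_dirs[] entry plus '/' and contains no ".."; lexical only, symlinks are not resolved`. Both callers' bodies continue outside the visible hunks, so whether a later step re-checks the resolved target cannot be confirmed from here.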