author | netblue30 <netblue30@protonmail.com> | 2021-03-05 10:57:49 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-05 10:57:49 -0500 |
commit | af53a8c95f31cf81354362f11bf4a0ace9849674 (patch) | |
tree | e74ac759aeeef8bf9d69f157e939f614d437ed23 /src | |
parent | Merge pull request #4042 from smitsohu/privatelib6 (diff) | |
parent | private-lib: mask /usr/local/lib[,64] directories, too (diff) | |
Merge pull request #4043 from smitsohu/privatelib7
private-lib: mask /usr/local/lib[,64] directories, too
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_lib.c | 38 | ||||
-rw-r--r-- | src/lib/ldd_utils.c | 1 |
2 files changed, 13 insertions, 26 deletions
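--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -361,34 +361,20 @@ void fslib_install_list(const char *lib_list) {
 	fs_logger_print();
 }
 
-
-
 static void mount_directories(void) {
-	if (arg_debug || arg_debug_private_lib)
-		printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
-
-	if (is_dir("/lib")) {
-		if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/lib");
-		fs_logger("mount /lib");
-	}
-
-	if (is_dir("/lib64")) {
-		if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/lib64");
-		fs_logger("mount /lib64");
-	}
+	fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself
 
-	if (is_dir("/usr/lib")) {
-		if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/usr/lib");
-		fs_logger("mount /usr/lib");
+	int i = 0;
+	while (lib_dirs[i]) {
+		if (is_dir(lib_dirs[i])) {
+			if (arg_debug || arg_debug_private_lib)
+				printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, lib_dirs[i]);
+			if (mount(RUN_LIB_DIR, lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+				errExit("mount bind");
+			fs_logger2("tmpfs", lib_dirs[i]);
+			fs_logger2("mount", lib_dirs[i]);
+		}
+		i++;
 	}
 
 	// for amd64 only - we'll deal with i386 later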
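Review bot: The per-directory remount that applied MS_NOSUID|MS_NODEV to each bind mount (old lines 372, 380 and 388) is dropped, and the new loop performs only the MS_BIND|MS_REC mount at new line 372, so whether /lib, /lib64 and the other lib_dirs entries still carry nosuid/nodev now depends on the flags fs_remount() sets on RUN_LIB_DIR at line 365 and on the bind mount inheriting them, neither of which is visible in this hunk. If fs_remount() only makes the tree read-only, the bind mounts lose the hardening the old code applied explicitly; either restore it inside the loop, `if (mount(NULL, lib_dirs[i], NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) errExit("mount bind");`, or replace the vague comment on line 365 with one stating that fs_remount() already applies nosuid/nodev to RUN_LIB_DIR and that a bind inherits those per-mount flags. lib_dirs is not declared in the hunk, so the NULL sentinel the `while (lib_dirs[i])` loop relies on should be confirmed where it is defined. mount_directories() continues past the end of the hunk.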
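--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -30,6 +30,7 @@ const char * const default_lib_paths[] = {
 	"/lib",
 	"/lib64",
 	LIBDIR,
+	"/usr/local/lib64",
 	"/usr/local/lib",
 	"/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
 	"/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory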
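Review bot: The new entry `"/usr/local/lib64"` at new line 33 is placed before `"/usr/local/lib"`, whereas the root pair a few lines up lists `"/lib"` before `"/lib64"`; if default_lib_paths[] is searched front to back, a library present under both prefixes would now resolve in opposite order for / and /usr/local, which looks unintended. Either move the new line below `"/usr/local/lib"` to match the existing convention, or add a comment stating that lookup order within a pair is irrelevant here. The array definition starts and ends outside the hunk, so any order dependence in its consumers is not visible from this change.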