author | smitsohu <smitsohu@gmail.com> | 2021-03-04 00:43:30 +0100 |
committer | smitsohu <smitsohu@gmail.com> | 2021-03-04 00:53:01 +0100 |
commit | fdf32b2b479b09c3489d9c18c6bf2468e869cab2 (patch) | |
tree | faae85174ac14b8f50ecf235a2b5abd9e6defe66 /src | |
parent | private-lib hardening (diff) | |
private-lib: mask /usr/local/lib[,64] directories, too
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_lib.c | 38 | ||||
-rw-r--r-- | src/lib/ldd_utils.c | 1 |
2 files changed, 13 insertions, 26 deletions
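--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -343,34 +343,20 @@ void fslib_install_list(const char *lib_list) {
 	fs_logger_print();
 }
 
-
-
 static void mount_directories(void) {
-	if (arg_debug || arg_debug_private_lib)
-		printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
-
-	if (is_dir("/lib")) {
-		if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/lib");
-		fs_logger("mount /lib");
-	}
-
-	if (is_dir("/lib64")) {
-		if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/lib64");
-		fs_logger("mount /lib64");
-	}
+	fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself
 
-	if (is_dir("/usr/lib")) {
-		if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/usr/lib");
-		fs_logger("mount /usr/lib");
+	int i = 0;
+	while (lib_dirs[i]) {
+		if (is_dir(lib_dirs[i])) {
+			if (arg_debug || arg_debug_private_lib)
+				printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, lib_dirs[i]);
+			if (mount(RUN_LIB_DIR, lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+				errExit("mount bind");
+			fs_logger2("tmpfs", lib_dirs[i]);
+			fs_logger2("mount", lib_dirs[i]);
+		}
+		i++;
 	}
 
 	// for amd64 only - we'll deal with i386 later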
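Review bot: The per-target `MS_REMOUNT|MS_NOSUID|MS_NODEV` step the old code performed after each bind is gone, and its only replacement is the single `fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1)` at the top of mount_directories, so the bind loop now relies on each new mount inheriting the source mount's per-mount flags. Whether MOUNT_READONLY also applies nosuid and nodev is decided inside fs_remount, which is outside this hunk; either confirm it does or keep an explicit remount on each target, otherwise the masked library directories lose those two flags. The NULL-terminated lib_dirs table the loop walks is likewise defined outside the hunk, and the trailing comment on the fs_remount line only hints at the dependency. Suggest replacing that comment with `// remount RUN_LIB_DIR first: every bind below inherits its mount flags, so no per-target remount follows` so the next reader neither re-adds nor drops the flags by accident.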
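--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -30,6 +30,7 @@ const char * const default_lib_paths[] = {
 	"/lib",
 	"/lib64",
 	LIBDIR,
+	"/usr/local/lib64",
 	"/usr/local/lib",
 	"/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
 	"/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory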