diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-03-10 09:11:21 -0500 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2021-03-10 09:11:21 -0500 |
| commit | c3e3de5c81b1d84c4becb2ad05b743deb36a0bf1 (patch) | |
| tree | 80b75e3fada2723703c0b4bd49665269f8a366de /src | |
| parent | more jailtest (diff) | |
| parent | private-lib: move from copying to mounting (#3980) (diff) | |
| download | firejail-c3e3de5c81b1d84c4becb2ad05b743deb36a0bf1.tar.gz firejail-c3e3de5c81b1d84c4becb2ad05b743deb36a0bf1.tar.zst firejail-c3e3de5c81b1d84c4becb2ad05b743deb36a0bf1.zip | |
Merge pull request #4045 from smitsohu/privatelib8
private-lib: move to mount-only
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_lib.c | 249 | ||||
| -rw-r--r-- | src/firejail/fs_lib2.c | 42 | ||||
| -rw-r--r-- | src/lib/ldd_utils.c | 4 |
3 files changed, 131 insertions, 164 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 99d57fbbb..0491fd9b1 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
| @@ -23,7 +23,8 @@ | |||
| 23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
| 24 | #include <sys/types.h> | 24 | #include <sys/types.h> |
| 25 | #include <unistd.h> | 25 | #include <unistd.h> |
| 26 | #include <dirent.h> | 26 | #include <fcntl.h> |
| 27 | #include <errno.h> | ||
| 27 | #include <glob.h> | 28 | #include <glob.h> |
| 28 | #define MAXBUF 4096 | 29 | #define MAXBUF 4096 |
| 29 | 30 | ||
| @@ -34,7 +35,7 @@ extern void fslib_install_system(void); | |||
| 34 | static int lib_cnt = 0; | 35 | static int lib_cnt = 0; |
| 35 | static int dir_cnt = 0; | 36 | static int dir_cnt = 0; |
| 36 | 37 | ||
| 37 | static const char *lib_dirs[] = { | 38 | static const char *masked_lib_dirs[] = { |
| 38 | "/usr/lib64", | 39 | "/usr/lib64", |
| 39 | "/lib64", | 40 | "/lib64", |
| 40 | "/usr/lib", | 41 | "/usr/lib", |
| @@ -44,15 +45,15 @@ static const char *lib_dirs[] = { | |||
| 44 | NULL, | 45 | NULL, |
| 45 | }; | 46 | }; |
| 46 | 47 | ||
| 47 | // return 1 if the file is in lib_dirs[] | 48 | // return 1 if the file is in masked_lib_dirs[] |
| 48 | static int valid_full_path(const char *full_path) { | 49 | static int valid_full_path(const char *full_path) { |
| 49 | if (strstr(full_path, "..")) | 50 | if (strstr(full_path, "..")) |
| 50 | return 0; | 51 | return 0; |
| 51 | 52 | ||
| 52 | int i = 0; | 53 | int i = 0; |
| 53 | while (lib_dirs[i]) { | 54 | while (masked_lib_dirs[i]) { |
| 54 | if (strncmp(full_path, lib_dirs[i], strlen(lib_dirs[i])) == 0 && | 55 | if (strncmp(full_path, masked_lib_dirs[i], strlen(masked_lib_dirs[i])) == 0 && |
| 55 | full_path[strlen(lib_dirs[i])] == '/') | 56 | full_path[strlen(masked_lib_dirs[i])] == '/') |
| 56 | return 1; | 57 | return 1; |
| 57 | i++; | 58 | i++; |
| 58 | } | 59 | } |
| @@ -70,9 +71,10 @@ char *find_in_path(const char *program) { | |||
| 70 | errExit("readlink"); | 71 | errExit("readlink"); |
| 71 | self[len] = '\0'; | 72 | self[len] = '\0'; |
| 72 | 73 | ||
| 73 | char *path = getenv("PATH"); | 74 | const char *path = env_get("PATH"); |
| 74 | if (!path) | 75 | if (!path) |
| 75 | return NULL; | 76 | return NULL; |
| 77 | |||
| 76 | char *dup = strdup(path); | 78 | char *dup = strdup(path); |
| 77 | if (!dup) | 79 | if (!dup) |
| 78 | errExit("strdup"); | 80 | errExit("strdup"); |
| @@ -105,22 +107,6 @@ char *find_in_path(const char *program) { | |||
| 105 | return NULL; | 107 | return NULL; |
| 106 | } | 108 | } |
| 107 | 109 | ||
| 108 | static void report_duplication(const char *full_path) { | ||
| 109 | char *fname = strrchr(full_path, '/'); | ||
| 110 | if (fname && *(++fname) != '\0') { | ||
| 111 | // report the file on all bin paths | ||
| 112 | int i = 0; | ||
| 113 | while (default_lib_paths[i]) { | ||
| 114 | char *p; | ||
| 115 | if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1) | ||
| 116 | errExit("asprintf"); | ||
| 117 | fs_logger2("clone", p); | ||
| 118 | free(p); | ||
| 119 | i++; | ||
| 120 | } | ||
| 121 | } | ||
| 122 | } | ||
| 123 | |||
| 124 | static char *build_dest_dir(const char *full_path) { | 110 | static char *build_dest_dir(const char *full_path) { |
| 125 | assert(full_path); | 111 | assert(full_path); |
| 126 | if (strstr(full_path, "/x86_64-linux-gnu/")) | 112 | if (strstr(full_path, "/x86_64-linux-gnu/")) |
| @@ -128,57 +114,107 @@ static char *build_dest_dir(const char *full_path) { | |||
| 128 | return RUN_LIB_DIR; | 114 | return RUN_LIB_DIR; |
| 129 | } | 115 | } |
| 130 | 116 | ||
| 131 | // copy fname in private_run_dir | 117 | // return name of mount target in allocated memory |
| 132 | void fslib_duplicate(const char *full_path) { | 118 | static char *build_dest_name(const char *full_path) { |
| 133 | assert(full_path); | 119 | assert(full_path); |
| 120 | char *fname = strrchr(full_path, '/'); | ||
| 121 | assert(fname); | ||
| 122 | fname++; | ||
| 123 | assert(*fname != '\0'); | ||
| 134 | 124 | ||
| 135 | struct stat s; | 125 | char *dest; |
| 136 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK) | 126 | if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), fname) == -1) |
| 137 | || !valid_full_path(full_path)) | 127 | errExit("asprintf"); |
| 138 | return; | 128 | return dest; |
| 129 | } | ||
| 139 | 130 | ||
| 140 | char *dest_dir = build_dest_dir(full_path); | 131 | static void fslib_mount_dir(const char *full_path) { |
| 132 | // create new directory and mount the original on top of it | ||
| 133 | char *dest = build_dest_name(full_path); | ||
| 134 | if (mkdir(dest, 0755) == -1) { | ||
| 135 | if (errno == EEXIST) { // directory has been mounted already, nothing to do | ||
| 136 | free(dest); | ||
| 137 | return; | ||
| 138 | } | ||
| 139 | errExit("mkdir"); | ||
| 140 | } | ||
| 141 | 141 | ||
| 142 | // don't copy it if the file is already there | 142 | if (arg_debug || arg_debug_private_lib) |
| 143 | char *ptr = strrchr(full_path, '/'); | 143 | printf(" mounting %s on %s\n", full_path, dest); |
| 144 | if (!ptr) | 144 | // if full_path is a symbolic link, mount will follow it |
| 145 | return; | 145 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0) |
| 146 | ptr++; | 146 | errExit("mount bind"); |
| 147 | if (*ptr == '\0') | 147 | free(dest); |
| 148 | return; | 148 | dir_cnt++; |
| 149 | } | ||
| 149 | 150 | ||
| 150 | char *name; | 151 | static void fslib_mount_file(const char *full_path) { |
| 151 | if (asprintf(&name, "%s/%s", dest_dir, ptr) == -1) | 152 | // create new file and mount the original on top of it |
| 152 | errExit("asprintf"); | 153 | char *dest = build_dest_name(full_path); |
| 153 | if (stat(name, &s) == 0) { | 154 | int fd = open(dest, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); |
| 154 | free(name); | 155 | if (fd == -1) { |
| 155 | return; | 156 | if (errno == EEXIST) { // file has been mounted already, nothing to do |
| 157 | free(dest); | ||
| 158 | return; | ||
| 159 | } | ||
| 160 | errExit("open"); | ||
| 156 | } | 161 | } |
| 157 | free(name); | 162 | close(fd); |
| 158 | 163 | ||
| 159 | if (arg_debug || arg_debug_private_lib) | 164 | if (arg_debug || arg_debug_private_lib) |
| 160 | printf(" copying %s to private %s\n", full_path, dest_dir); | 165 | printf(" mounting %s on %s\n", full_path, dest); |
| 161 | 166 | // if full_path is a symbolic link, mount will follow it | |
| 162 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); | 167 | if (mount(full_path, dest, NULL, MS_BIND, NULL) < 0) |
| 163 | report_duplication(full_path); | 168 | errExit("mount bind"); |
| 169 | free(dest); | ||
| 164 | lib_cnt++; | 170 | lib_cnt++; |
| 165 | } | 171 | } |
| 166 | 172 | ||
| 173 | void fslib_mount(const char *full_path) { | ||
| 174 | assert(full_path); | ||
| 175 | struct stat s; | ||
| 176 | |||
| 177 | if (!valid_full_path(full_path) || | ||
| 178 | access(full_path, F_OK) != 0 || | ||
| 179 | stat(full_path, &s) != 0 || | ||
| 180 | s.st_uid != 0) | ||
| 181 | return; | ||
| 182 | |||
| 183 | if (S_ISDIR(s.st_mode)) | ||
| 184 | fslib_mount_dir(full_path); | ||
| 185 | else if (S_ISREG(s.st_mode) && is_lib_64(full_path)) | ||
| 186 | fslib_mount_file(full_path); | ||
| 187 | } | ||
| 188 | |||
| 167 | // requires full path for lib | 189 | // requires full path for lib |
| 168 | // it could be a library or an executable | 190 | // it could be a library or an executable |
| 169 | // lib is not copied, only libraries used by it | 191 | // lib is not copied, only libraries used by it |
| 170 | static void fslib_copy_libs(const char *full_path, unsigned mask) { | 192 | void fslib_mount_libs(const char *full_path, unsigned user) { |
| 193 | assert(full_path); | ||
| 194 | // if library/executable does not exist or the user does not have read access to it | ||
| 195 | // print a warning and exit the function. | ||
| 196 | if (user && access(full_path, R_OK)) { | ||
| 197 | if (arg_debug || arg_debug_private_lib) | ||
| 198 | printf("Cannot read %s, skipping...\n", full_path); | ||
| 199 | return; | ||
| 200 | } | ||
| 201 | |||
| 202 | if (arg_debug || arg_debug_private_lib) | ||
| 203 | printf(" fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root"); | ||
| 171 | // create an empty RUN_LIB_FILE and allow the user to write to it | 204 | // create an empty RUN_LIB_FILE and allow the user to write to it |
| 172 | unlink(RUN_LIB_FILE); // in case is there | 205 | unlink(RUN_LIB_FILE); // in case is there |
| 173 | create_empty_file_as_root(RUN_LIB_FILE, 0644); | 206 | create_empty_file_as_root(RUN_LIB_FILE, 0644); |
| 174 | if (mask & SBOX_USER) { | 207 | if (user && chown(RUN_LIB_FILE, getuid(), getgid())) |
| 175 | if (chown(RUN_LIB_FILE, getuid(), getgid())) | 208 | errExit("chown"); |
| 176 | errExit("chown"); | ||
| 177 | } | ||
| 178 | 209 | ||
| 179 | // run fldd to extract the list of files | 210 | // run fldd to extract the list of files |
| 180 | if (arg_debug || arg_debug_private_lib) | 211 | if (arg_debug || arg_debug_private_lib) |
| 181 | printf(" running fldd %s\n", full_path); | 212 | printf(" running fldd %s\n", full_path); |
| 213 | unsigned mask; | ||
| 214 | if (user) | ||
| 215 | mask = SBOX_USER; | ||
| 216 | else | ||
| 217 | mask = SBOX_ROOT; | ||
| 182 | sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); | 218 | sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); |
| 183 | 219 | ||
| 184 | // open the list of libraries and install them on by one | 220 | // open the list of libraries and install them on by one |
| @@ -192,97 +228,30 @@ static void fslib_copy_libs(const char *full_path, unsigned mask) { | |||
| 192 | char *ptr = strchr(buf, '\n'); | 228 | char *ptr = strchr(buf, '\n'); |
| 193 | if (ptr) | 229 | if (ptr) |
| 194 | *ptr = '\0'; | 230 | *ptr = '\0'; |
| 195 | fslib_duplicate(buf); | 231 | |
| 232 | fslib_mount(buf); | ||
| 196 | } | 233 | } |
| 197 | fclose(fp); | 234 | fclose(fp); |
| 198 | unlink(RUN_LIB_FILE); | 235 | unlink(RUN_LIB_FILE); |
| 199 | } | 236 | } |
| 200 | 237 | ||
| 201 | void fslib_copy_libs_parse_as_root(const char *full_path) { | 238 | // fname should be a valid full path at this point |
| 202 | assert(full_path); | ||
| 203 | if (arg_debug || arg_debug_private_lib) | ||
| 204 | printf(" fslib_copy_libs_parse_as_root %s\n", full_path); | ||
| 205 | |||
| 206 | struct stat s; | ||
| 207 | if (stat(full_path, &s)) { | ||
| 208 | if (arg_debug || arg_debug_private_lib) | ||
| 209 | printf("cannot find %s for private-lib, skipping...\n", full_path); | ||
| 210 | return; | ||
| 211 | } | ||
| 212 | fslib_copy_libs(full_path, SBOX_ROOT); | ||
| 213 | } | ||
| 214 | |||
| 215 | // if library/executable does not exist or the user does not have read access to it | ||
| 216 | // print a warning and exit the function. | ||
| 217 | void fslib_copy_libs_parse_as_user(const char *full_path) { | ||
| 218 | assert(full_path); | ||
| 219 | if (arg_debug || arg_debug_private_lib) | ||
| 220 | printf(" fslib_copy_libs_parse_as_user %s\n", full_path); | ||
| 221 | |||
| 222 | if (access(full_path, R_OK)) { | ||
| 223 | if (arg_debug || arg_debug_private_lib) | ||
| 224 | printf("cannot find %s for private-lib, skipping...\n", full_path); | ||
| 225 | return; | ||
| 226 | } | ||
| 227 | fslib_copy_libs(full_path, SBOX_USER); | ||
| 228 | } | ||
| 229 | |||
| 230 | void fslib_copy_dir(const char *full_path) { | ||
| 231 | assert(full_path); | ||
| 232 | if (arg_debug || arg_debug_private_lib) | ||
| 233 | printf(" fslib_copy_dir %s\n", full_path); | ||
| 234 | |||
| 235 | // do nothing if the directory does not exist or is not owned by root | ||
| 236 | struct stat s; | ||
| 237 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK) | ||
| 238 | || !valid_full_path(full_path)) | ||
| 239 | return; | ||
| 240 | |||
| 241 | char *dir_name = strrchr(full_path, '/'); | ||
| 242 | assert(dir_name); | ||
| 243 | dir_name++; | ||
| 244 | assert(*dir_name != '\0'); | ||
| 245 | |||
| 246 | // do nothing if the directory is already there | ||
| 247 | char *dest; | ||
| 248 | if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1) | ||
| 249 | errExit("asprintf"); | ||
| 250 | if (stat(dest, &s) == 0) { | ||
| 251 | free(dest); | ||
| 252 | return; | ||
| 253 | } | ||
| 254 | |||
| 255 | // create new directory and mount the original on top of it | ||
| 256 | mkdir_attr(dest, 0755, 0, 0); | ||
| 257 | |||
| 258 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
| 259 | mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | ||
| 260 | errExit("mount bind"); | ||
| 261 | fs_logger2("clone", full_path); | ||
| 262 | fs_logger2("mount", full_path); | ||
| 263 | dir_cnt++; | ||
| 264 | free(dest); | ||
| 265 | } | ||
| 266 | |||
| 267 | // fname should be a vallid full path at this point | ||
| 268 | static void load_library(const char *fname) { | 239 | static void load_library(const char *fname) { |
| 269 | assert(fname); | 240 | assert(fname); |
| 270 | assert(*fname == '/'); | 241 | assert(*fname == '/'); |
| 271 | 242 | ||
| 272 | // existing file owned by root, read access | 243 | // existing file owned by root |
| 273 | struct stat s; | 244 | struct stat s; |
| 274 | if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) { | 245 | if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) { |
| 275 | // load directories, regular 64 bit libraries, and 64 bit executables | 246 | // load directories, regular 64 bit libraries, and 64 bit executables |
| 276 | if (is_dir(fname) || is_lib_64(fname)) { | 247 | if (S_ISDIR(s.st_mode)) |
| 277 | if (is_dir(fname)) | 248 | fslib_mount(fname); |
| 278 | fslib_copy_dir(fname); | 249 | else if (S_ISREG(s.st_mode) && is_lib_64(fname)) { |
| 279 | else { | 250 | if (strstr(fname, ".so") || |
| 280 | if (strstr(fname, ".so") || | 251 | access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries |
| 281 | access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries | 252 | fslib_mount(fname); |
| 282 | fslib_duplicate(fname); | 253 | |
| 283 | 254 | fslib_mount_libs(fname, 1); // parse as user | |
| 284 | fslib_copy_libs_parse_as_user(fname); | ||
| 285 | } | ||
| 286 | } | 255 | } |
| 287 | } | 256 | } |
| 288 | } | 257 | } |
| @@ -338,7 +307,6 @@ static void install_list_entry(const char *lib) { | |||
| 338 | return; | 307 | return; |
| 339 | } | 308 | } |
| 340 | 309 | ||
| 341 | |||
| 342 | void fslib_install_list(const char *lib_list) { | 310 | void fslib_install_list(const char *lib_list) { |
| 343 | assert(lib_list); | 311 | assert(lib_list); |
| 344 | if (arg_debug || arg_debug_private_lib) | 312 | if (arg_debug || arg_debug_private_lib) |
| @@ -365,14 +333,14 @@ static void mount_directories(void) { | |||
| 365 | fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself | 333 | fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself |
| 366 | 334 | ||
| 367 | int i = 0; | 335 | int i = 0; |
| 368 | while (lib_dirs[i]) { | 336 | while (masked_lib_dirs[i]) { |
| 369 | if (is_dir(lib_dirs[i])) { | 337 | if (is_dir(masked_lib_dirs[i])) { |
| 370 | if (arg_debug || arg_debug_private_lib) | 338 | if (arg_debug || arg_debug_private_lib) |
| 371 | printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, lib_dirs[i]); | 339 | printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, masked_lib_dirs[i]); |
| 372 | if (mount(RUN_LIB_DIR, lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0) | 340 | if (mount(RUN_LIB_DIR, masked_lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0) |
| 373 | errExit("mount bind"); | 341 | errExit("mount bind"); |
| 374 | fs_logger2("tmpfs", lib_dirs[i]); | 342 | fs_logger2("tmpfs", masked_lib_dirs[i]); |
| 375 | fs_logger2("mount", lib_dirs[i]); | 343 | fs_logger2("mount", masked_lib_dirs[i]); |
| 376 | } | 344 | } |
| 377 | i++; | 345 | i++; |
| 378 | } | 346 | } |
| @@ -444,7 +412,6 @@ void fs_private_lib(void) { | |||
| 444 | fslib_install_list(cfg.shell); | 412 | fslib_install_list(cfg.shell); |
| 445 | // a shell is useless without some basic commands | 413 | // a shell is useless without some basic commands |
| 446 | fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); | 414 | fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); |
| 447 | |||
| 448 | } | 415 | } |
| 449 | 416 | ||
| 450 | // for the listed libs and directories | 417 | // for the listed libs and directories |
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index d46cfed86..c69bf7c98 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
| @@ -21,10 +21,8 @@ | |||
| 21 | #include <dirent.h> | 21 | #include <dirent.h> |
| 22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
| 23 | 23 | ||
| 24 | extern void fslib_duplicate(const char *full_path); | 24 | extern void fslib_mount_libs(const char *full_path, unsigned user); |
| 25 | extern void fslib_copy_libs_parse_as_user(const char *full_path); | 25 | extern void fslib_mount(const char *full_path); |
| 26 | extern void fslib_copy_libs_parse_as_root(const char *full_path); | ||
| 27 | extern void fslib_copy_dir(const char *full_path); | ||
| 28 | 26 | ||
| 29 | //*************************************************************** | 27 | //*************************************************************** |
| 30 | // Standard C library | 28 | // Standard C library |
| @@ -98,7 +96,8 @@ static void stdc(const char *dirname) { | |||
| 98 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) | 96 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) |
| 99 | errExit("asprintf"); | 97 | errExit("asprintf"); |
| 100 | 98 | ||
| 101 | fslib_duplicate(fname); | 99 | fslib_mount(fname); |
| 100 | free(fname); | ||
| 102 | } | 101 | } |
| 103 | } | 102 | } |
| 104 | closedir(dir); | 103 | closedir(dir); |
| @@ -119,7 +118,7 @@ void fslib_install_stdc(void) { | |||
| 119 | 118 | ||
| 120 | // install locale | 119 | // install locale |
| 121 | if (stat("/usr/lib/locale", &s) == 0) | 120 | if (stat("/usr/lib/locale", &s) == 0) |
| 122 | fslib_copy_dir("/usr/lib/locale"); | 121 | fslib_mount("/usr/lib/locale"); |
| 123 | 122 | ||
| 124 | fmessage("Standard C library installed in %0.2f ms\n", timetrace_end()); | 123 | fmessage("Standard C library installed in %0.2f ms\n", timetrace_end()); |
| 125 | } | 124 | } |
| @@ -129,7 +128,8 @@ void fslib_install_stdc(void) { | |||
| 129 | //*************************************************************** | 128 | //*************************************************************** |
| 130 | 129 | ||
| 131 | static void fdir(void) { | 130 | static void fdir(void) { |
| 132 | fslib_copy_dir(LIBDIR "/firejail"); | 131 | // firejail directory itself |
| 132 | fslib_mount(LIBDIR "/firejail"); | ||
| 133 | 133 | ||
| 134 | // executables and libraries from firejail directory | 134 | // executables and libraries from firejail directory |
| 135 | static const char * const fbin[] = { | 135 | static const char * const fbin[] = { |
| @@ -143,30 +143,28 @@ static void fdir(void) { | |||
| 143 | NULL, | 143 | NULL, |
| 144 | }; | 144 | }; |
| 145 | 145 | ||
| 146 | // need to run fldd as root user, unprivileged users have no read permission on executables | 146 | // need to parse as root user, unprivileged users have no read permission on executables |
| 147 | int i; | 147 | int i; |
| 148 | for (i = 0; fbin[i]; i++) | 148 | for (i = 0; fbin[i]; i++) |
| 149 | fslib_copy_libs_parse_as_root(fbin[i]); | 149 | fslib_mount_libs(fbin[i], 0); |
| 150 | } | 150 | } |
| 151 | 151 | ||
| 152 | void fslib_install_firejail(void) { | 152 | void fslib_install_firejail(void) { |
| 153 | timetrace_start(); | 153 | timetrace_start(); |
| 154 | // bring in firejail executable libraries, in case we are redirected here | 154 | // bring in firejail executable libraries, in case we are redirected here |
| 155 | // by a firejail symlink from /usr/local/bin/firejail | 155 | // by a firejail symlink from /usr/local/bin/firejail |
| 156 | fslib_copy_libs_parse_as_user(PATH_FIREJAIL); | 156 | fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user |
| 157 | 157 | ||
| 158 | // bring in firejail directory | 158 | // bring in firejail directory |
| 159 | fdir(); | 159 | fdir(); |
| 160 | 160 | ||
| 161 | // bring in dhclient libraries | 161 | // bring in dhclient libraries |
| 162 | if (any_dhcp()) | 162 | if (any_dhcp()) |
| 163 | fslib_copy_libs_parse_as_user(RUN_MNT_DIR "/dhclient"); | 163 | fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user |
| 164 | 164 | ||
| 165 | #ifdef HAVE_X11 | ||
| 166 | // bring in xauth libraries | 165 | // bring in xauth libraries |
| 167 | if (arg_x11_xorg) | 166 | if (arg_x11_xorg) |
| 168 | fslib_copy_libs_parse_as_user("/usr/bin/xauth"); | 167 | fslib_mount_libs("/usr/bin/xauth", 1); // parse as user |
| 169 | #endif | ||
| 170 | 168 | ||
| 171 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); | 169 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); |
| 172 | } | 170 | } |
| @@ -315,8 +313,8 @@ void fslib_install_system(void) { | |||
| 315 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1) | 313 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1) |
| 316 | errExit("asprintf"); | 314 | errExit("asprintf"); |
| 317 | if (access(name, R_OK) == 0) { | 315 | if (access(name, R_OK) == 0) { |
| 318 | fslib_copy_libs_parse_as_user(name); | 316 | fslib_mount_libs(name, 1); // parse as user |
| 319 | fslib_copy_dir(name); | 317 | fslib_mount(name); |
| 320 | } | 318 | } |
| 321 | else { | 319 | else { |
| 322 | free(name); | 320 | free(name); |
| @@ -324,8 +322,8 @@ void fslib_install_system(void) { | |||
| 324 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1) | 322 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1) |
| 325 | errExit("asprintf"); | 323 | errExit("asprintf"); |
| 326 | if (access(name, R_OK) == 0) { | 324 | if (access(name, R_OK) == 0) { |
| 327 | fslib_copy_libs_parse_as_user(name); | 325 | fslib_mount_libs(name, 1); // parse as user |
| 328 | fslib_copy_dir(name); | 326 | fslib_mount(name); |
| 329 | } | 327 | } |
| 330 | } | 328 | } |
| 331 | free(name); | 329 | free(name); |
| @@ -335,8 +333,8 @@ void fslib_install_system(void) { | |||
| 335 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) | 333 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) |
| 336 | errExit("asprintf"); | 334 | errExit("asprintf"); |
| 337 | if (access(name, R_OK) == 0) { | 335 | if (access(name, R_OK) == 0) { |
| 338 | fslib_copy_libs_parse_as_user(name); | 336 | fslib_mount_libs(name, 1); // parse as user |
| 339 | fslib_copy_dir(name); | 337 | fslib_mount(name); |
| 340 | } | 338 | } |
| 341 | else { | 339 | else { |
| 342 | free(name); | 340 | free(name); |
| @@ -344,8 +342,8 @@ void fslib_install_system(void) { | |||
| 344 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1) | 342 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1) |
| 345 | errExit("asprintf"); | 343 | errExit("asprintf"); |
| 346 | if (access(name, R_OK) == 0) { | 344 | if (access(name, R_OK) == 0) { |
| 347 | fslib_copy_libs_parse_as_user(name); | 345 | fslib_mount_libs(name, 1); // parse as user |
| 348 | fslib_copy_dir(name); | 346 | fslib_mount(name); |
| 349 | } | 347 | } |
| 350 | } | 348 | } |
| 351 | free(name); | 349 | free(name); |
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c index 43fee4f21..cd60d74e4 100644 --- a/src/lib/ldd_utils.c +++ b/src/lib/ldd_utils.c | |||
| @@ -23,12 +23,14 @@ | |||
| 23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
| 24 | #include <fcntl.h> | 24 | #include <fcntl.h> |
| 25 | 25 | ||
| 26 | // todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c | ||
| 26 | const char * const default_lib_paths[] = { | 27 | const char * const default_lib_paths[] = { |
| 27 | "/usr/lib/x86_64-linux-gnu", // Debian & friends | 28 | "/usr/lib/x86_64-linux-gnu", // Debian & friends |
| 28 | "/lib/x86_64-linux-gnu", // CentOS, Fedora | 29 | "/lib/x86_64-linux-gnu", // CentOS, Fedora |
| 30 | "/usr/lib64", | ||
| 31 | "/lib64", | ||
| 29 | "/usr/lib", | 32 | "/usr/lib", |
| 30 | "/lib", | 33 | "/lib", |
| 31 | "/lib64", | ||
| 32 | LIBDIR, | 34 | LIBDIR, |
| 33 | "/usr/local/lib64", | 35 | "/usr/local/lib64", |
| 34 | "/usr/local/lib", | 36 | "/usr/local/lib", |