private-lib bug: 32 bit libraries being copied instead of 64 bit versions; splitting common code for firejail and fldd in a common static library

7 files changed, 162 insertions, 60 deletions

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 146bf8242..01cb929e2 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -36,8 +36,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
-firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno
 
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index f7351339c..8a105be97 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firejail.h"
+#include "../include/ldd_utils.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -25,17 +26,6 @@
 #include <dirent.h>
 #define MAXBUF 4096
 
-static const char * const lib_paths[] = {
-        "/lib",
-        "/lib/x86_64-linux-gnu",
-        "/lib64",
-        "/usr/lib",
-        "/usr/lib/x86_64-linux-gnu",
-        LIBDIR,
-        "/usr/local/lib",
-        NULL
-};                                                // Note: this array is duplicated in src/fldd/main.c
-
 extern void fslib_install_stdc(void);
 extern void fslib_install_system(void);
 
@@ -47,9 +37,9 @@ static void report_duplication(const char *full_path) {
         if (fname && *(++fname) != '\0') {
                 // report the file on all bin paths
                 int i = 0;
-                while (lib_paths[i]) {
+                while (default_lib_paths[i]) {
                         char *p;
-                        if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1)
+                        if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1)
                                 errExit("asprintf");
                         fs_logger2("clone", p);
                         free(p);
@@ -194,19 +184,24 @@ static char *valid_file(const char *lib) {
 
         // find the library
         int i;
-        for (i = 0; lib_paths[i]; i++) {
+        for (i = 0; default_lib_paths[i]; i++) {
                 char *fname;
-                if (asprintf(&fname, "%s/%s", lib_paths[i], lib) == -1)
+                if (asprintf(&fname, "%s/%s", default_lib_paths[i], lib) == -1)
                         errExit("asprintf");
 
                 // existing file owned by root, read access
                 struct stat s;
                 if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) {
-                        return fname;
+                        if (is_dir(fname))
+                                return fname;
+                        // for regular libraries check if it is 64bit
+                        if (is_lib_64(fname))
+                                return fname;
+                        // if not 64bit, continue searching
                 }
                 free(fname);
         }
-
+printf("not found %s\n", lib);
         fwarning("%s library not found, skipping...\n", lib);
         return NULL;
 }
@@ -268,25 +263,33 @@ void fs_private_lib(void) {
         mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
 
         // install standard C libraries
+        if (arg_debug || arg_debug_private_lib)
+                printf("*** Installing standard C library\n");
         fslib_install_stdc();
 
+        // start timetrace
         timetrace_start();
 
         // copy the libs in the new lib directory for the main exe
-        if (cfg.original_program_index > 0)
+        if (cfg.original_program_index > 0) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("*** Installing sandboxed program libraries\n");
                 fslib_copy_libs(cfg.original_argv[cfg.original_program_index]);
+        }
 
         // for the shell
         if (!arg_shell_none) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("*** Installing shell libraries\n");
                 fslib_copy_libs(cfg.shell);
                 // a shell is useless without ls command
                 fslib_copy_libs("/bin/ls");
         }
 
-        // for the listed libs
+        // for the listed libs and directories
         if (private_list && *private_list != '\0') {
                 if (arg_debug || arg_debug_private_lib)
-                        printf("Copying extra files (%s) in the new lib directory\n", private_list);
+                        printf("*** Processing private-lib files (%s)\n", private_list);
 
                 char *dlist = strdup(private_list);
                 if (!dlist)
@@ -322,6 +325,8 @@ void fs_private_lib(void) {
 
         // for private-bin files
         if (arg_private_bin) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("*** Processing private-bin files\n");
                 FILE *fp = fopen(RUN_LIB_BIN, "r");
                 if (fp) {
                         char buf[MAXBUF];
@@ -368,6 +373,8 @@ void fs_private_lib(void) {
         fmessage("Program libraries installed in %0.2f ms\n", timetrace_end());
 
         // install the reset of the system libraries
+        if (arg_debug || arg_debug_private_lib)
+                printf("*** Installing system libraries\n");
         fslib_install_system();
 
         fmessage("Installed %d libraries and %d directories\n", lib_cnt, dir_cnt);
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index 7369c835b..e2bf4b787 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -33,11 +33,11 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
-fldd: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fldd: $(OBJS) ../lib/ldd_utils.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o fldd *.gcov *.gcda *.gcno
 
diff --git a/src/fldd/main.c b/src/fldd/main.c
index a0530c235..be4500d2a 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -19,8 +19,8 @@
 */
 
 #include "../include/common.h"
+#include "../include/ldd_utils.h"
 
-#include <elf.h>
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
@@ -29,36 +29,10 @@
 #include <unistd.h>
 #include <dirent.h>
 
-#ifdef __LP64__
-#define Elf_Ehdr Elf64_Ehdr
-#define Elf_Phdr Elf64_Phdr
-#define Elf_Shdr Elf64_Shdr
-#define Elf_Dyn Elf64_Dyn
-#else
-#define Elf_Ehdr Elf32_Ehdr
-#define Elf_Phdr Elf32_Phdr
-#define Elf_Shdr Elf32_Shdr
-#define Elf_Dyn Elf32_Dyn
-#endif
 
 static int arg_quiet = 0;
 static void copy_libs_for_lib(const char *lib);
 
-static const char * const default_lib_paths[] = {
-        "/lib",
-        "/lib/x86_64-linux-gnu",
-        "/lib64",
-        "/usr/lib",
-        "/usr/lib/x86_64-linux-gnu",
-        LIBDIR,
-        "/usr/local/lib",
-        "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
-        "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory
-//    "/usr/lib/x86_64-linux-gnu/plasma-discover",
-        NULL
-};
-
-
 typedef struct storage_t {
         struct storage_t *next;
         const char *name;
@@ -107,7 +81,8 @@ static bool ptr_ok(const void *ptr, const void *base, const void *end, const cha
         return r;
 }
 
-static void copy_libs_for_exe(const char *exe) {
+
+static void parse_elf(const char *exe) {
         int f;
         f = open(exe, O_RDONLY);
         if (f < 0) {
@@ -132,6 +107,12 @@ static void copy_libs_for_exe(const char *exe) {
                         fprintf(stderr, "Warning fldd: %s is not an ELF executable or library\n", exe);
                 goto close;
         }
+//unsigned char elfclass = ebuf->e_ident[EI_CLASS];
+//if (elfclass == ELFCLASS32)
+//printf("%s 32bit\n", exe);
+//else if (elfclass == ELFCLASS64)
+//printf("%s 64bit\n", exe);
+
 
         Elf_Phdr *pbuf = (Elf_Phdr *)(base + sizeof(*ebuf));
         while (ebuf->e_phnum-- > 0 && ptr_ok(pbuf, base, end, "pbuf")) {
@@ -227,11 +208,11 @@ static void copy_libs_for_lib(const char *lib) {
                 char *fname;
                 if (asprintf(&fname, "%s/%s", lib_path->name, lib) == -1)
                         errExit("asprintf");
-                if (access(fname, R_OK) == 0) {
+                if (access(fname, R_OK) == 0 && is_lib_64(fname)) {
                         if (!storage_find(libs, fname)) {
                                 storage_add(&libs, fname);
                                 // libs may need other libs
-                                copy_libs_for_exe(fname);
+                                parse_elf(fname);
                         }
                         free(fname);
                         return;
@@ -270,9 +251,9 @@ static void walk_directory(const char *dirname) {
 
                         // check regular so library
                         char *ptr = strstr(entry->d_name, ".so");
-                        if (ptr) {
+                        if (ptr && is_lib_64(path)) {
                                 if (*(ptr + 3) == '\0' || *(ptr + 3) == '.') {
-                                        copy_libs_for_exe(path);
+                                        parse_elf(path);
                                         free(path);
                                         continue;
                                 }
@@ -356,8 +337,14 @@ printf("\n");
                 errExit("stat");
         if (S_ISDIR(s.st_mode))
                 walk_directory(argv[1]);
-        else
-                copy_libs_for_exe(argv[1]);
+        else {
+                if (is_lib_64(argv[1]))
+                        parse_elf(argv[1]);
+                else {
+                        fprintf(stderr, "Error fldd: %s is not a 64bit program/library\n", argv[1]);
+                        exit(1);
+                }
+        }
 
 
         // print libraries and exit
diff --git a/src/include/ldd_utils.h b/src/include/ldd_utils.h
new file mode 100644
index 000000000..28f5be7bf
--- /dev/null
+++ b/src/include/ldd_utils.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef LDD_UTILS_H
+#define LDD_UTILS_H
+
+#include "../include/common.h"
+#include <elf.h>
+
+#ifdef __LP64__
+#define Elf_Ehdr Elf64_Ehdr
+#define Elf_Phdr Elf64_Phdr
+#define Elf_Shdr Elf64_Shdr
+#define Elf_Dyn Elf64_Dyn
+#else
+#define Elf_Ehdr Elf32_Ehdr
+#define Elf_Phdr Elf32_Phdr
+#define Elf_Shdr Elf32_Shdr
+#define Elf_Dyn Elf32_Dyn
+#endif
+
+extern const char * const default_lib_paths[];
+
+// return 1 if this is a 64 bit program/library
+int is_lib_64(const char *exe);
+
+
+
+#endif
\ No newline at end of file
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 63b0ad56d..a49e56ad2 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -10,7 +10,7 @@ H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DLIBDIR='"$(libdir)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
 
 all: $(OBJS)
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
new file mode 100644
index 000000000..556fb02eb
--- /dev/null
+++ b/src/lib/ldd_utils.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "../include/ldd_utils.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+const char * const default_lib_paths[] = {
+        "/lib",
+        "/lib/x86_64-linux-gnu",
+        "/lib64",
+        "/usr/lib",
+        "/usr/lib/x86_64-linux-gnu",
+        LIBDIR,
+        "/usr/local/lib",
+        "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
+        "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory
+//    "/usr/lib/x86_64-linux-gnu/plasma-discover",
+        NULL
+};
+
+// return 1 if this is a 64 bit program/library
+int is_lib_64(const char *exe) {
+        int retval = 0;
+        int fd = open(exe, O_RDONLY);
+        if (fd < 0)
+                return 0;
+        
+        unsigned char buf[EI_NIDENT];
+        ssize_t len = 0;
+        while (len < EI_NIDENT) {
+                ssize_t sz = read(fd, buf, EI_NIDENT);
+                if (sz <= 0)
+                        goto doexit;
+                len += sz;
+        }
+
+        if (buf[EI_CLASS] == ELFCLASS64)
+                retval = 1;
+
+doexit:
+        close(fd);
+        return retval;
+}