private-lib

3 files changed, 47 insertions, 16 deletions

diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 165d5651d..cdfd4a6e2 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -135,8 +135,12 @@ static char *valid_file(const char *lib) {
 
 
 void fs_private_lib(void) {
-        char *private_list = cfg.lib_private_keep;
+#ifndef __x86_64__
+        fwarning("private-lib feature is currently available only on amd64 platforms\n");
+        return;
+#endif
 
+        char *private_list = cfg.lib_private_keep;
         if (arg_debug)
                 printf("Starting private-lib processing: program %s, shell %s\n",
                         (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9dafb3c65..2a7d926b9 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -230,6 +230,10 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-lib file,directory
+Build a new /lib directory and bring in the libraries required by the application to run.
+This feature is still under development, see man 1 firejail for some examples.
+.TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
 filesystem, and copy the files and directories in the list.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 690d0c1c1..4a396b809 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
 bash  cat  ls  sed
 
 .TP
-\fB\-\-private-lib=file,file
-Build a new /lib in a temporary filesystem. For command to be executed,
-the shell (if \-\-shell=none is not used), and the listed libraries
-find out dynamic libraries and copy them to the /lib directory.
-If no listed file is found, /lib directory will be empty and no programs will be able to execute.
-The same directory is also bind-mounted over /lib64 and /usr/lib.
-All modifications are discarded when the sandbox is closed.
+\fB\-\-private-lib=file,directory
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
+The idea is to build a new /lib in a temporary filesystem,
+with only the library files necessary to run the application.
+It could be as simple as:
 .br
 
 .br
-Example:
+$ firejail --private-lib galculator
+.br
+
+.br
+but it gets complicated really fast:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+
+.br
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
 .br
-Parent pid 15733, child pid 15734
+
 .br
-Child process initialized in 69.61 ms
+The feature is integrated with \-\-private-bin:
+.br
+
 .br
-/bin:
+$ firejail --private-lib --private-bin=bash,ls,ps
 .br
-ls
+$ ls /lib
 .br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
 .br
-/lib:
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
 .br
-ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpcre.so.3  libpthread.so.0  libselinux.so.1
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+ PID TTY          TIME CMD
+.br
+    1 pts/0    00:00:00 firejail
+.br
+   45 pts/0    00:00:00 bash
+.br
+   48 pts/0    00:00:00 ps
+.br
+$ 
+.br
+
 
 .TP
 \fB\-\-private-dev