11 files changed, 89 insertions, 30 deletions

diff --git a/configure b/configure
index c40a794e9..dd210cd67 100755
--- a/configure
+++ b/configure
@@ -641,6 +641,7 @@ HAVE_USERNS
 HAVE_NETWORK
 HAVE_GLOBALCFG
 HAVE_CHROOT
+HAVE_PRIVATE_LIB
 HAVE_PRIVATE_HOME
 HAVE_FIRETUNNEL
 HAVE_GAWK
@@ -719,6 +720,7 @@ enable_usertmpfs
 enable_man
 enable_firetunnel
 enable_private_home
+enable_private_lib
 enable_chroot
 enable_globalcfg
 enable_network
@@ -1380,6 +1382,7 @@ Optional Features:
   --disable-man           disable man pages
   --enable-firetunnel     enable firetunnel
   --disable-private-home  disable private home feature
+  --disable-private-lib   disable private lib feature
   --disable-chroot        disable chroot
   --disable-globalcfg     if the global config file firejail.config is not
                           present, continue the program using defaults
@@ -3485,6 +3488,19 @@ if test "x$enable_private_home" != "xno"; then :
 
 fi
 
+HAVE_PRIVATE_LIB=""
+
+# Check whether --enable-private-lib was given.
+if test "${enable_private_lib+set}" = set; then :
+  enableval=$enable_private_lib;
+fi
+
+if test "x$enable_private_lib" = "xyes"; then :
+
+        HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB"
+
+fi
+
 HAVE_CHROOT=""
 
 # Check whether --enable-chroot was given.
@@ -3674,6 +3690,7 @@ if test "x$enable_lts" = "xyes"; then :
         HAVE_MAN="-DHAVE_MAN"
         HAVE_FIRETUNNEL=""
         HAVE_PRIVATE_HOME=""
+        HAVE_PRIVATE_LIB=""
         HAVE_CHROOT=""
         HAVE_GLOBALCFG=""
         HAVE_USERNS=""
@@ -5291,6 +5308,7 @@ Features:
    network: $HAVE_NETWORK
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
+   private lib support: $HAVE_PRIVATE_LIB
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
diff --git a/configure.ac b/configure.ac
index 2dd49bcb2..357d1da45 100644
--- a/configure.ac
+++ b/configure.ac
@@ -147,6 +147,14 @@ AS_IF([test "x$enable_private_home" != "xno"], [
         HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
 ])
 
+HAVE_PRIVATE_LIB=""
+AC_SUBST([HAVE_PRIVATE_LIB])
+AC_ARG_ENABLE([private-lib],
+    [AS_HELP_STRING([--disable-private-lib], [disable private lib feature])])
+AS_IF([test "x$enable_private_lib" = "xyes"], [
+        HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB"
+])
+
 HAVE_CHROOT=""
 AC_SUBST([HAVE_CHROOT])
 AC_ARG_ENABLE([chroot],
@@ -268,6 +276,7 @@ AS_IF([test "x$enable_lts" = "xyes"], [
         HAVE_MAN="-DHAVE_MAN"
         HAVE_FIRETUNNEL=""
         HAVE_PRIVATE_HOME=""
+        HAVE_PRIVATE_LIB=""
         HAVE_CHROOT=""
         HAVE_GLOBALCFG=""
         HAVE_USERNS=""
@@ -324,6 +333,7 @@ Features:
    network: $HAVE_NETWORK
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
+   private lib support: $HAVE_PRIVATE_LIB
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
diff --git a/gcov.sh b/gcov.sh
index 53317c098..735205668 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -5,7 +5,7 @@
 
 # GCOV test setup
 # required: sudo, lcov (apt-get install lcov)
-# setup: make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov && make -j4 && sudo make install
+# setup: modify ./configure line below if necessary
 # run as regular user: ./gcov.sh
 # result in gcov-dir/index.html
 
@@ -17,6 +17,7 @@ gcov_generate() {
         genhtml -q gcov-file --output-directory gcov-dir
 }
 
+make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov --enable-fatal-warnings && make -j4 && sudo make install
 rm -fr gcov-dir gcov-file
 firejail --version
 gcov_generate
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 56f983854..a39e8c667 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -409,6 +409,14 @@ void print_compiletime_support(void) {
 #endif
                 );
 
+        printf("\t- private-lib support is %s\n",
+#ifdef HAVE_PRIVATE_LIB
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+
         printf("\t- private-cache and tmpfs as user %s\n",
 #ifdef HAVE_USERTMPFS
                 "enabled"
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index e349941fa..ba7a291ee 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -32,35 +32,6 @@ extern void fslib_install_stdc(void);
 extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
 
-static int lib_cnt = 0;
-static int dir_cnt = 0;
-
-static const char *masked_lib_dirs[] = {
-        "/usr/lib64",
-        "/lib64",
-        "/usr/lib",
-        "/lib",
-        "/usr/local/lib64",
-        "/usr/local/lib",
-        NULL,
-};
-
-// return 1 if the file is in masked_lib_dirs[]
-static int valid_full_path(const char *full_path) {
-        if (strstr(full_path, ".."))
-                return 0;
-
-        int i = 0;
-        while (masked_lib_dirs[i]) {
-                size_t len = strlen(masked_lib_dirs[i]);
-                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
-                    full_path[len] == '/')
-                        return 1;
-                i++;
-        }
-        return 0;
-}
-
 // return 1 if symlink to firejail executable
 int is_firejail_link(const char *fname) {
         EUID_ASSERT();
@@ -116,6 +87,36 @@ char *find_in_path(const char *program) {
         return NULL;
 }
 
+#ifdef HAVE_PRIVATE_LIB
+static int lib_cnt = 0;
+static int dir_cnt = 0;
+
+static const char *masked_lib_dirs[] = {
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        NULL,
+};
+
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+
+        int i = 0;
+        while (masked_lib_dirs[i]) {
+                size_t len = strlen(masked_lib_dirs[i]);
+                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
+                    full_path[len] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
+
 static char *build_dest_dir(const char *full_path) {
         assert(full_path);
         if (strstr(full_path, "/x86_64-linux-gnu/"))
@@ -465,3 +466,4 @@ void fs_private_lib(void) {
         // mount lib filesystem
         mount_directories();
 }
+#endif
\ No newline at end of file
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 540c3286f..583888e0e 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -36,6 +36,7 @@ typedef struct liblist_t {
         int len;
 } LibList;
 
+#ifdef HAVE_PRIVATE_LIB
 static LibList libc_list[] = {
         { "libselinux.so.", 0 },
         { "libpcre2-8.so.", 0 },
@@ -356,3 +357,4 @@ void fslib_install_system(void) {
                 ptr++;
         }
 }
+#endif
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 62035ff04..7e23cdc63 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1355,8 +1355,10 @@ int main(int argc, char **argv, char **envp) {
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
                         arg_debug_whitelists = 1;
+#ifdef HAVE_PRIVATE_LIB
                 else if (strcmp(argv[i], "--debug-private-lib") == 0)
                         arg_debug_private_lib = 1;
+#endif
                 else if (strcmp(argv[i], "--quiet") == 0) {
                         if (!arg_debug)
                                 arg_quiet = 1;
@@ -2137,6 +2139,7 @@ int main(int argc, char **argv, char **envp) {
                         else
                                 exit_err_feature("private-bin");
                 }
+#ifdef HAVE_PRIVATE_LIB
                 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                         if (checkcfg(CFG_PRIVATE_LIB)) {
                                 // extract private lib list (if any)
@@ -2152,6 +2155,7 @@ int main(int argc, char **argv, char **envp) {
                         else
                                 exit_err_feature("private-lib");
                 }
+#endif
                 else if (strcmp(argv[i], "--private-tmp") == 0) {
                         arg_private_tmp = 1;
                 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 648fc2248..19ac8d9ec 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -949,6 +949,7 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
+#ifdef HAVE_PRIVATE_LIB
         // private-lib is disabled for appimages
         if (arg_private_lib && !arg_appimage) {
                 if (cfg.chrootdir)
@@ -959,6 +960,7 @@ int sandbox(void* sandbox_arg) {
                         fs_private_lib();
                 }
         }
+#endif
 
 #ifdef HAVE_USERTMPFS
         if (arg_private_cache) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 965d09992..b6b60d85c 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -81,7 +81,9 @@ static char *usage_str =
         "    --debug-blacklists - debug blacklisting.\n"
         "    --debug-caps - print all recognized capabilities.\n"
         "    --debug-errnos - print all recognized error numbers.\n"
+#ifdef HAVE_PRIVATE_LIB
         "    --debug-private-lib - debug for --private-lib option.\n"
+#endif
         "    --debug-protocols - print all recognized protocols.\n"
         "    --debug-syscalls - print all recognized system calls.\n"
         "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
@@ -208,6 +210,9 @@ static char *usage_str =
         "\tcommon device files.\n"
         "    --private-etc=file,directory - build a new /etc in a temporary\n"
         "\tfilesystem, and copy the files and directories in the list.\n"
+#ifdef HAVE_PRIVATE_LIB
+        "    --private-lib - create a private /lib directory\n"
+#endif
         "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
         "    --private-cwd - do not inherit working directory inside jail.\n"
         "    --private-cwd=directory - set working directory inside jail.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3fa07d1ee..fa294d888 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,12 +407,14 @@ the current user's home directory.
 All modifications are discarded when the sandbox is
 closed.
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
 The files and directories in the list must be expressed as relative to
 the /lib directory.
 This feature is still under development, see \fBman 1 firejail\fR for some examples.
+#endif
 .TP
 \fBprivate-opt file,directory
 Build a new /opt in a temporary
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6068c9ff4..ec6da6f13 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -684,9 +684,11 @@ Print all recognized error numbers in the current Firejail software build and ex
 Example:
 .br
 $ firejail \-\-debug-errnos
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-debug-private-lib
 Debug messages for --private-lib option.
+#endif
 .TP
 \fB\-\-debug-protocols
 Print all recognized protocols in the current Firejail software build and exit.
@@ -696,6 +698,7 @@ Print all recognized protocols in the current Firejail software build and exit.
 Example:
 .br
 $ firejail \-\-debug-protocols
+#endif
 .TP
 \fB\-\-debug-syscalls
 Print all recognized system calls in the current Firejail software build and exit.
@@ -2179,6 +2182,7 @@ Example:
 .br
 $ firejail \-\-private-home=.mozilla firefox
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-private-lib=file,directory
 This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
@@ -2234,6 +2238,7 @@ $
 .br
 Note: Support for this command is controlled in firejail.config with the
 \fBprivate-lib\fR option.
+#endif
 .TP
 \fB\-\-private-opt=file,directory
 Build a new /opt in a temporary