3 files changed, 48 insertions, 5 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8e47a72d5..86f730aa0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -50,6 +50,7 @@
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
 #define RUN_LIB_DIR     "/run/firejail/mnt/lib"
 #define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
+#define RUN_LIB_BIN     "/run/firejail/mnt/binfiles"
 
 #define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 5170f2edc..7b259bf03 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -94,7 +94,7 @@ static char *check_dir_or_file(const char *name) {
         return paths[i];
 }
 
-static void duplicate(char *fname) {
+static void duplicate(char *fname, FILE *fplist) {
         if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
@@ -110,6 +110,9 @@ static void duplicate(char *fname) {
         if (asprintf(&full_path, "%s/%s", path, fname) == -1)
                 errExit("asprintf");
 
+        if (fplist)
+                fprintf(fplist, "%s\n", full_path);
+
         // copy the file
         if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
                 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
@@ -135,12 +138,22 @@ void fs_private_bin_list(void) {
         if (!dlist)
                 errExit("strdup");
 
+        // save a list of private-bin files in order to bring in private-libs later
+        FILE *fplist = NULL;
+        if (arg_private_lib) {
+                fplist = fopen(RUN_LIB_BIN, "w");
+                if (!fplist)
+                        errExit("fopen");
+        }
+
         char *ptr = strtok(dlist, ",");
-        duplicate(ptr);
+        duplicate(ptr, fplist);
         while ((ptr = strtok(NULL, ",")) != NULL)
-                duplicate(ptr);
+                duplicate(ptr, fplist);
         free(dlist);
-                fs_logger_print();
+        fs_logger_print();
+    if (fplist)
+        fclose(fplist);
 
         // mount-bind
         int i = 0;
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 890f8daf9..f39349fe6 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -23,6 +23,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#define MAXBUF 4096
+
 static const char * const lib_paths[] = {
         "/lib",
         "/lib/x86_64-linux-gnu",
@@ -68,7 +70,6 @@ static void copy_libs(const char *lib, const char *private_run_dir, const char *
         if (!fp)
                 errExit("fopen");
 
-#define MAXBUF 4096
         char buf[MAXBUF];
         while (fgets(buf, MAXBUF, fp)) {
                 // remove \n
@@ -98,6 +99,7 @@ static void copy_directory(const char *full_path, const char *dir_name, const ch
         if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
             mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
                 errExit("mount bind");
+        fs_logger2("clone", full_path);
         fs_logger2("mount", full_path);
         free(dest);
 }
@@ -200,6 +202,22 @@ void fs_private_lib(void) {
                 fs_logger_print();
         }
 
+        // for private-bin files
+        if (arg_private_bin) {
+                FILE *fp = fopen(RUN_LIB_BIN, "r");
+                if (fp) {
+                        char buf[MAXBUF];
+                        while (fgets(buf, MAXBUF, fp)) {
+                                // remove \n
+                                char *ptr = strchr(buf, '\n');
+                                if (ptr)
+                                        *ptr = '\0';
+                                copy_libs(buf, RUN_LIB_DIR, RUN_LIB_FILE);
+                        }
+                }
+                fclose(fp);
+        }
+
         // for our trace and tracelog libs
         if (arg_trace)
                 duplicate(LIBDIR "/firejail/libtrace.so", RUN_LIB_DIR);
@@ -212,15 +230,26 @@ void fs_private_lib(void) {
         if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
             mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
                 errExit("mount bind");
+        fs_logger2("tmpfs", "/lib");
         fs_logger("mount /lib");
 
         if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
             mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
                 errExit("mount bind");
+        fs_logger2("tmpfs", "/lib64");
         fs_logger("mount /lib64");
 
         if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
             mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
                 errExit("mount bind");
+        fs_logger2("tmpfs", "/usr/lib");
         fs_logger("mount /usr/lib");
+
+        // for amd64 only - we'll deal with i386 later
+        if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable file");
+        fs_logger("blacklist-nolog /lib32");
+        if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable file");
+        fs_logger("blacklist-nolog /libx32");
 }