Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 60 | ||||
-rw-r--r-- | src/firejail/fs_lib2.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 5 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 5 |
8 files changed, 59 insertions, 29 deletions
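--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -409,6 +409,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- private-lib support is %s\n",
+#ifdef HAVE_PRIVATE_LIB
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- private-cache and tmpfs as user %s\n",
 #ifdef HAVE_USERTMPFS
 "enabled"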
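--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -32,35 +32,6 @@ extern void fslib_install_stdc(void);
 extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
 
-static int lib_cnt = 0;
-static int dir_cnt = 0;
-
-static const char *masked_lib_dirs[] = {
-"/usr/lib64",
-"/lib64",
-"/usr/lib",
-"/lib",
-"/usr/local/lib64",
-"/usr/local/lib",
-NULL,
-};
-
-// return 1 if the file is in masked_lib_dirs[]
-static int valid_full_path(const char *full_path) {
-if (strstr(full_path, ".."))
-return 0;
-
-int i = 0;
-while (masked_lib_dirs[i]) {
-size_t len = strlen(masked_lib_dirs[i]);
-if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
-full_path[len] == '/')
-return 1;
-i++;
-}
-return 0;
-}
-
 // return 1 if symlink to firejail executable
 int is_firejail_link(const char *fname) {
 EUID_ASSERT();
@@ -116,6 +87,36 @@ char *find_in_path(const char *program) {
 return NULL;
 }
 
+#ifdef HAVE_PRIVATE_LIB
+static int lib_cnt = 0;
+static int dir_cnt = 0;
+
+static const char *masked_lib_dirs[] = {
+"/usr/lib64",
+"/lib64",
+"/usr/lib",
+"/lib",
+"/usr/local/lib64",
+"/usr/local/lib",
+NULL,
+};
+
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+if (strstr(full_path, ".."))
+return 0;
+
+int i = 0;
+while (masked_lib_dirs[i]) {
+size_t len = strlen(masked_lib_dirs[i]);
+if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
+full_path[len] == '/')
+return 1;
+i++;
+}
+return 0;
+}
+
 static char *build_dest_dir(const char *full_path) {
 assert(full_path);
 if (strstr(full_path, "/x86_64-linux-gnu/"))
@@ -465,3 +466,4 @@ void fs_private_lib(void) {
 // mount lib filesystem
 mount_directories();
 }
+#endif
\ No newline at end of file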
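Review bot: The closing `#endif` added as the new last line of fs_lib.c (new line 469) is not followed by a newline, as the "No newline at end of file" marker shows; C11 5.1.1.2 requires a non-empty source file to end in a newline, and `-pedantic`/`-Wnewline-eof` builds will warn, so the line should be `#endif` with a trailing newline. Separately, the header comment on the relocated `valid_full_path` (new line 104) understates what the function does: it also rejects any path containing `..` before the prefix check, which is the security-relevant part of the guard. I would expand it to `// return 1 if full_path lies under one of masked_lib_dirs[]; any path containing ".." is rejected`. The rest of `fs_private_lib` and `build_dest_dir` lies outside these hunks, so I have not checked that every other use of `lib_cnt`/`dir_cnt` in this file is now inside the `#ifdef`.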
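--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -36,6 +36,7 @@ typedef struct liblist_t {
 int len;
 } LibList;
 
+#ifdef HAVE_PRIVATE_LIB
 static LibList libc_list[] = {
 { "libselinux.so.", 0 },
 { "libpcre2-8.so.", 0 },
@@ -356,3 +357,4 @@ void fslib_install_system(void) {
 ptr++;
 }
 }
+#endif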
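--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1355,8 +1355,10 @@ int main(int argc, char **argv, char **envp) {
 arg_debug_blacklists = 1;
 else if (strcmp(argv[i], "--debug-whitelists") == 0)
 arg_debug_whitelists = 1;
+#ifdef HAVE_PRIVATE_LIB
 else if (strcmp(argv[i], "--debug-private-lib") == 0)
 arg_debug_private_lib = 1;
+#endif
 else if (strcmp(argv[i], "--quiet") == 0) {
 if (!arg_debug)
 arg_quiet = 1;
@@ -2137,6 +2139,7 @@ int main(int argc, char **argv, char **envp) {
 else
 exit_err_feature("private-bin");
 }
+#ifdef HAVE_PRIVATE_LIB
 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
 if (checkcfg(CFG_PRIVATE_LIB)) {
 // extract private lib list (if any)
@@ -2152,6 +2155,7 @@ int main(int argc, char **argv, char **envp) {
 else
 exit_err_feature("private-lib");
 }
+#endif
 else if (strcmp(argv[i], "--private-tmp") == 0) {
 arg_private_tmp = 1;
 }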
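Review bot: Compiling the whole `--private-lib` branch out (new lines 2142–2158) changes the failure mode for users of a build without HAVE_PRIVATE_LIB: the option no longer reaches `exit_err_feature("private-lib")` as it does when the feature is only disabled in firejail.config, but falls through to whatever the final branch of this `else if` chain does, which is outside the hunk and presumably an unknown-option error. A stub keeps the two disabled states consistent and the diagnostic clear: `#else` / `else if (strncmp(argv[i], "--private-lib", 13) == 0) exit_err_feature("private-lib");` placed before the `#endif` on new line 2158. The same consideration applies, less importantly, to `--debug-private-lib` at new lines 1358–1361. Note also that `arg_private_lib` and `arg_debug_private_lib` are still referenced by the new side but their definitions are not in this diff, so I could not confirm whether they stay defined in non-HAVE builds.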
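--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -949,6 +949,7 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
+#ifdef HAVE_PRIVATE_LIB
 // private-lib is disabled for appimages
 if (arg_private_lib && !arg_appimage) {
 if (cfg.chrootdir)
@@ -959,6 +960,7 @@ int sandbox(void* sandbox_arg) {
 fs_private_lib();
 }
 }
+#endif
 
 #ifdef HAVE_USERTMPFS
 if (arg_private_cache) {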
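--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -81,7 +81,9 @@ static char *usage_str =
 " --debug-blacklists - debug blacklisting.\n"
 " --debug-caps - print all recognized capabilities.\n"
 " --debug-errnos - print all recognized error numbers.\n"
+#ifdef HAVE_PRIVATE_LIB
 " --debug-private-lib - debug for --private-lib option.\n"
+#endif
 " --debug-protocols - print all recognized protocols.\n"
 " --debug-syscalls - print all recognized system calls.\n"
 " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
@@ -208,6 +210,9 @@ static char *usage_str =
 "\tcommon device files.\n"
 " --private-etc=file,directory - build a new /etc in a temporary\n"
 "\tfilesystem, and copy the files and directories in the list.\n"
+#ifdef HAVE_PRIVATE_LIB
+" --private-lib - create a private /lib directory\n"
+#endif
 " --private-tmp - mount a tmpfs on top of /tmp directory.\n"
 " --private-cwd - do not inherit working directory inside jail.\n"
 " --private-cwd=directory - set working directory inside jail.\n"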
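Review bot: The new usage entry at new line 214 documents `--private-lib` as a bare flag, while the man page in this same commit describes `\-\-private-lib=file,directory` and main.c matches the option with `strncmp(argv[i], "--private-lib", 13)`, i.e. it accepts a value suffix; the neighbouring `--private-etc=file,directory` entry shows the form used elsewhere in `usage_str`. I would change it to `" --private-lib=file,directory - build a new /lib directory and bring in the libraries\n"` followed by `"\trequired by the application to run.\n"`, matching the wording in firejail-profile.txt. `usage_str` begins outside the hunk, so I have not checked the other entries for the same convention.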
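--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,12 +407,14 @@ the current user's home directory.
 All modifications are discarded when the sandbox is
 closed.
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
 The files and directories in the list must be expressed as relative to
 the /lib directory.
 This feature is still under development, see \fBman 1 firejail\fR for some examples.
+#endif
 .TP
 \fBprivate-opt file,directory
 Build a new /opt in a temporary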
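--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -684,9 +684,11 @@ Print all recognized error numbers in the current Firejail software build and ex
 Example:
 .br
 $ firejail \-\-debug-errnos
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-debug-private-lib
 Debug messages for --private-lib option.
+#endif
 .TP
 \fB\-\-debug-protocols
 Print all recognized protocols in the current Firejail software build and exit.
@@ -696,6 +698,7 @@ Print all recognized protocols in the current Firejail software build and exit.
 Example:
 .br
 $ firejail \-\-debug-protocols
+#endif
 .TP
 \fB\-\-debug-syscalls
 Print all recognized system calls in the current Firejail software build and exit.
@@ -2179,6 +2182,7 @@ Example:
 .br
 $ firejail \-\-private-home=.mozilla firefox
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-private-lib=file,directory
 This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
@@ -2234,6 +2238,7 @@ $
 .br
 Note: Support for this command is controlled in firejail.config with the
 \fBprivate-lib\fR option.
+#endif
 .TP
 \fB\-\-private-opt=file,directory
 Build a new /opt in a temporary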