From 2ecfdd9ba8a5382c2bd9b21e2c365e8f0157e09e Mon Sep 17 00:00:00 2001
From: startx2017
Date: Sun, 6 Aug 2017 08:20:53 -0400
Subject: bring in private-lib libraries for all private-bin programs. Example:firejail --private-lib --private-bin=bash,ls,find,pwd,grep
---
 src/firejail/firejail.h | 1 +
 src/firejail/fs_bin.c | 20 ++++++++++++++++----
 src/firejail/fs_lib.c | 19 ++++++++++++++++++-
 3 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8e47a72d5..86f730aa0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -50,6 +50,7 @@
 #define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
 #define RUN_LIB_DIR "/run/firejail/mnt/lib"
 #define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
+#define RUN_LIB_BIN "/run/firejail/mnt/binfiles"
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 5170f2edc..eb9101dad 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -94,7 +94,7 @@ static char *check_dir_or_file(const char *name) {
 return paths[i];
 }
-static void duplicate(char *fname) {
+static void duplicate(char *fname, FILE *fplist) {
 if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
 exit(1);
@@ -110,6 +110,9 @@ static void duplicate(char *fname) {
 if (asprintf(&full_path, "%s/%s", path, fname) == -1)
 errExit("asprintf");
+ if (fplist)
+ fprintf(fplist, "%s\n", full_path);
+
 // copy the file
 if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
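Review bot: The new `fplist` parameter of `duplicate` carries no comment saying that NULL is allowed or what is written through it, so a reader of the signature cannot tell that the caller only opens a list when --private-lib is in effect. Add above the definition: `// fplist: when non-NULL, the resolved path of each copied binary is appended, one per line, for fs_private_lib to pick up later`. The body of duplicate continues into the next hunk and past it.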
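Review bot: The return value of `fprintf(fplist, "%s\n", full_path)` is not checked, so a failed write to RUN_LIB_BIN silently drops that binary from the list and its libraries are never brought in, while every other failure in this function goes through errExit. Change the line to `if (fprintf(fplist, "%s\n", full_path) < 0) errExit("fprintf");`; because the stream is buffered, the `fclose` in fs_private_bin_list also needs its result checked to catch a deferred write error. The enclosing function duplicate starts in the previous hunk and ends after this one.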
@@ -135,12 +138,21 @@ void fs_private_bin_list(void) {
 if (!dlist)
 errExit("strdup");
+ // save a list of private-bin files in order to bring in private-libs later
+ FILE *fplist = NULL;
+ if (arg_private_lib) {
+ fplist = fopen(RUN_LIB_BIN, "w");
+ if (!fplist)
+ errExit("fopen");
+ }
+
 char *ptr = strtok(dlist, ",");
- duplicate(ptr);
+ duplicate(ptr, fplist);
 while ((ptr = strtok(NULL, ",")) != NULL)
- duplicate(ptr);
+ duplicate(ptr, fplist);
 free(dlist);
- fs_logger_print();
+ fs_logger_print();
+ fclose(fplist);
 // mount-bind
 int i = 0;
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 890f8daf9..38c23a756 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -23,6 +23,8 @@
 #include
 #include
+#define MAXBUF 4096
+
 static const char * const lib_paths[] = {
 "/lib",
 "/lib/x86_64-linux-gnu",
@@ -68,7 +70,6 @@ static void copy_libs(const char *lib, const char *private_run_dir, const char *
 if (!fp)
 errExit("fopen");
-#define MAXBUF 4096
 char buf[MAXBUF];
 while (fgets(buf, MAXBUF, fp)) {
 // remove \n
@@ -200,6 +201,22 @@ void fs_private_lib(void) {
 fs_logger_print();
 }
+ // for private-bin files
+ if (arg_private_bin) {
+ FILE *fp = fopen(RUN_LIB_BIN, "r");
+ if (fp) {
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
+ // remove \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+ copy_libs(buf, RUN_LIB_DIR, RUN_LIB_FILE);
+ }
+ }
+ fclose(fp);
+ }
+
 // for our trace and tracelog libs
 if (arg_trace)
 duplicate(LIBDIR "/firejail/libtrace.so", RUN_LIB_DIR);
-- 
cgit v1.2.3-70-g09d2
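Review bot: `fclose(fplist);` at the end of this hunk runs unconditionally, but `fplist` is left NULL whenever `arg_private_lib` is unset, and `fclose(NULL)` is undefined behaviour (it crashes on glibc), so any --private-bin run without --private-lib takes that path. Guard the close and check its result, since buffered output is only flushed here: `if (fplist && fclose(fplist) != 0) errExit("fclose");`. The same unguarded close appears in the fs_private_lib hunk of fs_lib.c, where `fclose(fp);` sits outside the `if (fp)` that tested the fopen result and needs to move inside it. fs_private_bin_list continues past this hunk.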
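Review bot: The reader loop hands every `fgets` result to `copy_libs` without checking that the line was complete, so an entry of MAXBUF-1 bytes or longer is split across two reads and each fragment is processed as if it were a separate path. Treat a missing newline as a malformed list in the project's usual style: after `char *ptr = strchr(buf, '\n');` add `if (!ptr) { fprintf(stderr, "Error: truncated entry in %s\n", RUN_LIB_BIN); exit(1); }` and drop the `if (ptr)` guard. The block also does nothing, silently, when RUN_LIB_BIN cannot be opened; the file is only written by fs_private_bin_list, and if fs_private_lib can run before it (the call order is not visible here) the private-bin libraries are never brought in, so a comment on the `if (fp)` stating the required ordering would help the next reader. fs_private_lib continues past this hunk.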