From 82a636a1da84ec2972bf5c10d0992add8affbabe Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 13 Oct 2018 14:05:27 -0400
Subject: bringing in the fix for always have helpers in sandbox (original pull rq from crass)
---
 src/firejail/firejail.h | 29 +++++++++++++++++++++++------
 src/firejail/network_main.c | 18 +++++++++--------
 src/firejail/preproc.c | 4 ++++
 src/firejail/sandbox.c | 3 +++
 4 files changed, 39 insertions(+), 15 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cae767667..441042233 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,6 +32,7 @@
 #define RUN_FIREJAIL_DIR "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
@@ -790,16 +791,32 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
-#define PATH_FNET (LIBDIR "/firejail/fnet")
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread
+#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread
+
+//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
+
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+
+//#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp")
+
+// FSEC_PRINT is run outside of sandbox by --seccomp.print
+// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+
+//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
+#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
+
+//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
+
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-#define PATH_FLDD (LIBDIR "/firejail/fldd")
+
+//#define PATH_FLDD (LIBDIR "/firejail/fldd")
+#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0) // run the sandbox as root
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index e3c750767..cdb4c6514 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
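Review bot: Every helper macro except PATH_FNET_MAIN and PATH_FSEC_PRINT now resolves under RUN_FIREJAIL_LIB_DIR, which is only populated inside the sandbox child once the bind mount in sandbox.c has run, so any parent-side sbox_run() of PATH_FNETFILTER, PATH_FSECCOMP, PATH_FSEC_OPTIMIZE, PATH_FCOPY or PATH_FLDD would now fail with ENOENT; this commit renames only the fnet call sites, so the remaining callers (not visible here) should be audited. The header should state that contract instead of leaving it implicit, e.g. `// helpers below are only valid from the sandbox child: RUN_FIREJAIL_LIB_DIR is a bind mount of LIBDIR "/firejail" set up in sandbox()`. The six `//#define PATH_... (LIBDIR ...)` lines are dead text and should be dropped rather than kept as comments, and `PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp")` has a stray space after the parenthesis that none of its siblings have.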
@@ -157,7 +157,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 char *cstr;
 if (asprintf(&cstr, "%d", child) == -1)
 errExit("asprintf");
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr);
 free(cstr);
 char *msg;
@@ -332,42 +332,42 @@ void network_main(pid_t child) {
 net_configure_veth_pair(&cfg.bridge0, "eth0", child);
 }
 else
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
 }
 if (cfg.bridge1.configured) {
 if (cfg.bridge1.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge1, "eth1", child);
 else
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
 }
 if (cfg.bridge2.configured) {
 if (cfg.bridge2.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge2, "eth2", child);
 else
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
 }
 if (cfg.bridge3.configured) {
 if (cfg.bridge3.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge3, "eth3", child);
 else
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
 }
 // move interfaces in sandbox
 if (cfg.interface0.configured) {
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr);
 }
 if (cfg.interface1.configured) {
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr);
 }
 if (cfg.interface2.configured) {
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr);
 }
 if (cfg.interface3.configured) {
- sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr);
 }
 free(cstr);
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index f519ed85f..236f7f427 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,6 +62,10 @@ void preproc_build_firejail_dir(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 }
+ if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+ create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+ }
+
 if (stat(RUN_MNT_DIR, &s)) {
 create_empty_dir_as_root(RUN_MNT_DIR, 0755);
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8eede6f93..3abeb174e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -587,6 +587,9 @@ int sandbox(void* sandbox_arg) {
 }
 // ... and mount a tmpfs on top of /run/firejail/mnt directory
 preproc_mount_mnt_dir();
+ // bind-mount firejail binaries and helper programs
+ if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+ errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 //****************************
 // log sandbox data
--
cgit v1.2.3-54-g00ecf
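Review bot: The new `mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL)` sets no MS_RDONLY/MS_NOSUID/MS_NODEV, and an initial MS_BIND ignores such flags anyway, so the helpers that sbox_run() can later execute with SBOX_ROOT (see the network_main.c hunks) are exposed inside the sandbox with whatever per-mount flags the source filesystem happens to have; a follow-up `mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NODEV, NULL)`, or the file's existing read-only remount helper if it has one, would pin that down as defense in depth. The comment should also record the invariant this code relies on rather than only what it does, e.g. `// RUN_FIREJAIL_LIB_DIR is created root-owned 0755 by preproc_build_firejail_dir(); the helpers here may be run as root by sbox_run(), so nothing user-writable may ever be mounted at this path`. The body of sandbox() continues outside the hunk, so whether this mount precedes every sandbox-side use of PATH_FSECCOMP, PATH_FNETFILTER, PATH_FCOPY and PATH_FLDD cannot be confirmed from here.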