From fdf32b2b479b09c3489d9c18c6bf2468e869cab2 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 4 Mar 2021 00:43:30 +0100
Subject: private-lib: mask /usr/local/lib[,64] directories, too

---
 src/firejail/fs_lib.c | 38 ++++++++++++--------------------------
 src/lib/ldd_utils.c | 1 +
 2 files changed, 13 insertions(+), 26 deletions(-)
(limited to 'src')

diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 53a8818af..72be472d3 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -343,34 +343,20 @@ void fslib_install_list(const char *lib_list) {
 	fs_logger_print();
 }
 
-
-
 static void mount_directories(void) {
-	if (arg_debug || arg_debug_private_lib)
-		printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
-
-	if (is_dir("/lib")) {
-		if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/lib");
-		fs_logger("mount /lib");
-	}
-
-	if (is_dir("/lib64")) {
-		if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/lib64");
-		fs_logger("mount /lib64");
-	}
+	fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself
 
-	if (is_dir("/usr/lib")) {
-		if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-		    mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		fs_logger2("tmpfs", "/usr/lib");
-		fs_logger("mount /usr/lib");
+	int i = 0;
+	while (lib_dirs[i]) {
+		if (is_dir(lib_dirs[i])) {
+			if (arg_debug || arg_debug_private_lib)
+				printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, lib_dirs[i]);
+			if (mount(RUN_LIB_DIR, lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+				errExit("mount bind");
+			fs_logger2("tmpfs", lib_dirs[i]);
+			fs_logger2("mount", lib_dirs[i]);
+		}
+		i++;
 	}
 
 	// for amd64 only - we'll deal with i386 later
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index adde4a9b9..43fee4f21 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
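Review bot: The loop body in mount_directories now performs a single mount(RUN_LIB_DIR, lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) and drops the follow-up mount(NULL, ..., MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) that the removed code applied to each target, so the nosuid/nodev flags on /lib, /lib64, /usr/lib and the new /usr/local entries are now only as strong as whatever fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1) sets on the source mount, which is outside this hunk. A bind mount is cloned with the per-mount flags of the mount it is taken from, so if MOUNT_READONLY only applies MS_RDONLY (or RUN_LIB_DIR is not itself a mount point) the hardening flags are silently lost; either confirm fs_remount covers them or keep a remount after the bind: `if (mount(NULL, lib_dirs[i], NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)` / `errExit("mount bind");`. The comment `// should be redundant except for RUN_LIB_DIR itself` does not say what is made redundant; `// make RUN_LIB_DIR read-only first: the bind mounts below inherit its mount flags` states the intent. `lib_dirs` is defined outside the hunk, and `for (int i = 0; lib_dirs[i]; i++)` would replace the hand-rolled index.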
@@ -30,6 +30,7 @@ const char * const default_lib_paths[] = {
 	"/lib",
 	"/lib64",
 	LIBDIR,
+	"/usr/local/lib64",
 	"/usr/local/lib",
 	"/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
 	"/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory
-- 
cgit v1.2.3-54-g00ecf
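Review bot: "/usr/local/lib64" is inserted ahead of "/usr/local/lib", while the top of the same array lists "/lib" before "/lib64"; if default_lib_paths is consulted in order, the two pairs now have opposite precedence. If putting the 64-bit directory first is intended, say so on the new line, e.g. `"/usr/local/lib64", // checked before /usr/local/lib on purpose`; otherwise place it after "/usr/local/lib" to match the existing /lib, /lib64 ordering. The array continues past the end of the hunk.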