private-lib

README.md

@@ -139,6 +139,34 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej
               mappings  that are both writable and executable, to change map‐
               pings to be executable or to create executable shared memory.
 
+       --private-lib=file,directory
+              This  feature  is currently under heavy development. Only amd64
+              platforms are supported at this moment.  The idea is to build a
+              new /lib in a temporary filesystem, with only the library files
+              necessary to run the application.  It could be as simple as:
+
+              $ firejail --private-lib galculator
+
+              but it gets complicated really fast:
+
+              $   firejail   --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
+              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
+
+              The feature is integrated with --private-bin:
+
+              $ firejail --private-lib --private-bin=bash,ls,ps
+              $ ls /lib
+              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6 libsys‐
+              temd.so.0
+              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
+              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+              $ ps
+               PID TTY          TIME CMD
+                  1 pts/0    00:00:00 firejail
+                 45 pts/0    00:00:00 bash
+                 48 pts/0    00:00:00 ps
+              $
 
 `````
 

RELNOTES

@@ -4,14 +4,15 @@ firejail (0.9.49) baseline; urgency=low
   * feature: per-profile disable-mnt (--disable-mnt)
   * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
   * feature: --memory-deny-write-execute seccomp feature
+  * feature: private /lib directory (--private-lib)
+  * feature: disable CDROM/DVD drive (--nodvd)
+  * feature: disable DVD devices (--notv)
   * enhancement: /proc/sys mounting
   * enhancement: default seccomp list update
   * enhancement: rework IP address assingment for --net options
   * enhancement: support for newer Xpra versions (2.1+) -
      set "xpra-attach yes" in /etc/firejail/firejail.config
   * enhancement: all profiles use a standard layout style
-  * enhancement: disable CDROM/DVD drive (--nodvd)
-  * enhancement: disable DVD devices (--notv)
   * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
   * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
   * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,

src/firejail/fs_lib.c

@@ -135,8 +135,12 @@ static char *valid_file(const char *lib) {
 
 
 void fs_private_lib(void) {
-	char *private_list = cfg.lib_private_keep;
+#ifndef __x86_64__
+	fwarning("private-lib feature is currently available only on amd64 platforms\n");
+	return;
+#endif
 
+	char *private_list = cfg.lib_private_keep;
 	if (arg_debug)
 		printf("Starting private-lib processing: program %s, shell %s\n",
 			(cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",

src/man/firejail-profile.txt

@@ -230,6 +230,10 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-lib file,directory
+Build a new /lib directory and bring in the libraries required by the application to run.
+This feature is still under development, see man 1 firejail for some examples.
+.TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
 filesystem, and copy the files and directories in the list.

src/man/firejail.txt

@@ -1272,32 +1272,55 @@ $ ls /bin
 bash  cat  ls  sed
 
 .TP
-\fB\-\-private-lib=file,file
-Build a new /lib in a temporary filesystem. For command to be executed,
-the shell (if \-\-shell=none is not used), and the listed libraries
-find out dynamic libraries and copy them to the /lib directory.
-If no listed file is found, /lib directory will be empty and no programs will be able to execute.
-The same directory is also bind-mounted over /lib64 and /usr/lib.
-All modifications are discarded when the sandbox is closed.
+\fB\-\-private-lib=file,directory
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
+The idea is to build a new /lib in a temporary filesystem,
+with only the library files necessary to run the application.
+It could be as simple as:
 .br
 
 .br
-Example:
+$ firejail --private-lib galculator
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+
 .br
-Parent pid 15733, child pid 15734
+but it gets complicated really fast:
 .br
-Child process initialized in 69.61 ms
+
 .br
-/bin:
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
 .br
-ls
+
 .br
+The feature is integrated with \-\-private-bin:
 .br
-/lib:
+
 .br
-ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpcre.so.3  libpthread.so.0  libselinux.so.1
+$ firejail --private-lib --private-bin=bash,ls,ps
+.br
+$ ls /lib
+.br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
+.br
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
+.br
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+ PID TTY          TIME CMD
+.br
+    1 pts/0    00:00:00 firejail
+.br
+   45 pts/0    00:00:00 bash
+.br
+   48 pts/0    00:00:00 ps
+.br
+$ 
+.br
+
 
 .TP
 \fB\-\-private-dev