From 89e3454eb3f0ca22d423bc3aaba5472d3c249115 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 17 Aug 2017 11:31:21 -0400
Subject: [PATCH] private-lib
---
 README.md | 28 +++++++++++++++++++
 RELNOTES | 5 ++--
 src/firejail/fs_lib.c | 6 +++-
 src/man/firejail-profile.txt | 4 +++
 src/man/firejail.txt | 53 ++++++++++++++++++++++++++----------
 5 files changed, 78 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index 6cac86da1..d12b9ee4e 100644
--- a/README.md
+++ b/README.md
@@ -139,6 +139,34 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej
 mappings that are both writable and executable, to change map‐
 pings to be executable or to create executable shared memory.
+ --private-lib=file,directory
+ This feature is currently under heavy development. Only amd64
+ platforms are supported at this moment. The idea is to build a
+ new /lib in a temporary filesystem, with only the library files
+ necessary to run the application. It could be as simple as:
+
+ $ firejail --private-lib galculator
+
+ but it gets complicated really fast:
+
+ $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
+ gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
+
+ The feature is integrated with --private-bin:
+
+ $ firejail --private-lib --private-bin=bash,ls,ps
+ $ ls /lib
+ ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
+ temd.so.0
+ libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
+ libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+ libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+ $ ps
+ PID TTY TIME CMD
+ 1 pts/0 00:00:00 firejail
+ 45 pts/0 00:00:00 bash
+ 48 pts/0 00:00:00 ps
+ $
 `````
diff --git a/RELNOTES b/RELNOTES
index 02848ca82..36dd39686 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,14 +4,15 @@ firejail (0.9.49) baseline; urgency=low
 * feature: per-profile disable-mnt (--disable-mnt)
 * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
 * feature: --memory-deny-write-execute seccomp feature
+ * feature: private /lib directory (--private-lib)
+ * feature: disable CDROM/DVD drive (--nodvd)
+ * feature: disable DVD devices (--notv)
 * enhancement: /proc/sys mounting
 * enhancement: default seccomp list update
 * enhancement: rework IP address assingment for --net options
 * enhancement: support for newer Xpra versions (2.1+) - set "xpra-attach yes" in /etc/firejail/firejail.config
 * enhancement: all profiles use a standard layout style
- * enhancement: disable CDROM/DVD drive (--nodvd)
- * enhancement: disable DVD devices (--notv)
 * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
 * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
 * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 165d5651d..cdfd4a6e2 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -135,8 +135,12 @@ static char *valid_file(const char *lib) {
 void fs_private_lib(void) {
- char *private_list = cfg.lib_private_keep;
+#ifndef __x86_64__
+ fwarning("private-lib feature is currently available only on amd64 platforms\n");
+ return;
+#endif
+ char *private_list = cfg.lib_private_keep;
 if (arg_debug)
 printf("Starting private-lib processing: program %s, shell %s\n",
 (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9dafb3c65..2a7d926b9 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
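Review bot: The `#ifndef __x86_64__` guard at the top of fs_private_lib() warns and returns, so on any other architecture a `--private-lib` request from the command line or a profile is dropped and the sandbox starts with the host's full /lib — the option fails open relative to what the user asked for. A fatal error (`fwarning(...)` followed by `exit(1)`, or whatever fatal helper the codebase uses) would be the safer default, and if the option is validated where it is parsed the message could be raised before any mounts are set up. If the silent fallback is intended, the new text in firejail.txt and firejail-profile.txt should state that non-amd64 builds ignore the option rather than only that amd64 is "supported". fs_private_lib's body continues outside the hunk.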
@@ -230,6 +230,10 @@ Build a new /etc in a temporary filesystem, and copy the files and directories
 in the list. All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-lib file,directory
+Build a new /lib directory and bring in the libraries required by the application to run.
+This feature is still under development, see man 1 firejail for some examples.
+.TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary filesystem, and copy the files and directories
 in the list.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 690d0c1c1..4a396b809 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
 bash cat ls sed
 .TP
-\fB\-\-private-lib=file,file
-Build a new /lib in a temporary filesystem. For command to be executed,
-the shell (if \-\-shell=none is not used), and the listed libraries
-find out dynamic libraries and copy them to the /lib directory.
-If no listed file is found, /lib directory will be empty and no programs will be able to execute.
-The same directory is also bind-mounted over /lib64 and /usr/lib.
-All modifications are discarded when the sandbox is closed.
+\fB\-\-private-lib=file,directory
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
+The idea is to build a new /lib in a temporary filesystem,
+with only the library files necessary to run the application.
+It could be as simple as:
 .br
 .br
-Example:
+$ firejail --private-lib galculator
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+
 .br
-Parent pid 15733, child pid 15734
+but it gets complicated really fast:
 .br
-Child process initialized in 69.61 ms
+
 .br
-/bin:
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
 .br
-ls
+
 .br
+The feature is integrated with \-\-private-bin:
 .br
-/lib:
+
 .br
-ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpcre.so.3 libpthread.so.0 libselinux.so.1
+$ firejail --private-lib --private-bin=bash,ls,ps
+.br
+$ ls /lib
+.br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
+.br
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
+.br
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+ PID TTY TIME CMD
+.br
+ 1 pts/0 00:00:00 firejail
+.br
+ 45 pts/0 00:00:00 bash
+.br
+ 48 pts/0 00:00:00 ps
+.br
+$
+.br
+
 .TP
 \fB\-\-private-dev