bwrap replacement - part3

src/firejail/firejail.h

@@ -467,6 +467,7 @@ void fs_basic_fs(void);
 void fs_private_tmp(void);
 void fs_private_cache(void);
 void fs_mnt(const int enforce);
+void fs_bwrap(void);
 
 // chroot.c
 // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf

src/firejail/fs.c

@@ -713,10 +713,31 @@ void fs_mnt(const int enforce) {
 	EUID_ROOT();
 }
 
+// replace /usr/bin/bwrap if present in the system
+void fs_bwrap(void) {
+        // open bwrap without following symbolic links
+        if (is_link("/usr/bin/bwrap")) // just in case O_NOFOLLOW below failes in glibc
+                goto out;       
+        int fd = open("/usr/bin/bwrap", O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0)
+                goto out;
+        
+        int err = bind_mount_path_to_fd("/usr/lib/firejail/fbwrap", fd);
+        if (err) {
+                close(fd);
+                goto out;
+        }
+        close(fd);
+        fprintf(stderr, "Info: /usr/bin/bwrap was disabled\n");
+        return;
+
+out:
+        fprintf(stderr, "Warning: /usr/bin/bwrap was not disabled\n");
+}
+
 
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
-
 	// remount /proc/sys readonly
 	if (arg_debug)
 		printf("Mounting read-only /proc/sys\n");

src/firejail/fs_bin.c

@@ -285,6 +285,7 @@ void fs_private_bin_list(void) {
 	while ((ptr = strtok(NULL, ",")) != NULL)
 		globbing(ptr);
 	free(dlist);
+	globbing("/usr/bin/bwrap");
 
 	// mount-bind
 	EUID_ROOT();

src/firejail/sandbox.c

@@ -931,6 +931,8 @@ int sandbox(void* sandbox_arg) {
 		}
 	}
 
+	// bwrap is replaced by our own program
+	fs_bwrap();
 	// private-bin is disabled for appimages
 	if (arg_private_bin && !arg_appimage) {
 		if (cfg.chrootdir)