[PR #4042] [MERGED] private-lib hardening #5011

New issue

Closed

opened 2026-05-05 10:30:38 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:30:38 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/4042
Author: @smitsohu
Created: 3/3/2021
Status: ✅ Merged
Merged: 3/5/2021
Merged by: @netblue30

Base: master ← Head: privatelib6

📝 Commits (1)

dd2c1e5 private-lib hardening

📊 Changes

1 file changed (+29 additions, -2 deletions)

View changed files

📝 src/firejail/fs_lib.c (+29 -2)

📄 Description

Ensure that libraries are loaded from below a default ld.so search path

It is reasonable for firejail to expect that unprivileged users have
no write permission on these paths; lax permissions there would
mean that the system is probably screwed anyway.

A somewhat similar check exists already in private-bin : 3565217343/src/firejail/fs_bin.c (L166)

From a functional perspective this should be no limitation, because
private-lib not need to bother about libraries from paths that are
not masked in the end.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/4042 **Author:** [@smitsohu](https://github.com/smitsohu) **Created:** 3/3/2021 **Status:** ✅ Merged **Merged:** 3/5/2021 **Merged by:** [@netblue30](https://github.com/netblue30) **Base:** `master` ← **Head:** `privatelib6` --- ### 📝 Commits (1) - [`dd2c1e5`](https://github.com/netblue30/firejail/commit/dd2c1e50a6fac06f5eac7aa94865078a55021d62) private-lib hardening ### 📊 Changes **1 file changed** (+29 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/fs_lib.c` (+29 -2) </details> ### 📄 Description Ensure that libraries are loaded from below a default ld.so search path It is reasonable for firejail to expect that unprivileged users have no write permission on these paths; lax permissions there would mean that the system is probably screwed anyway. A somewhat similar check exists already in `private-bin` : https://github.com/netblue30/firejail/blob/3565217343a64b71c60e376053dda6af1bfff42f/src/firejail/fs_bin.c#L166 From a functional perspective this should be no limitation, because `private-lib` not need to bother about libraries from paths that are not masked in the end. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:30:38 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5011

No description provided.

Rows
Columns