trace, tracelog: don't truncate /etc/ld.so.preload in sandbox #4586

Merged
merged 1 commit into from
Oct 9, 2021


smitsohu
Collaborator

@smitsohu smitsohu commented Sep 29, 2021

Add support for preloaded libraries (like for example libaslrmalloc) to --trace and --tracelog options and the seccomp post-exec feature.

#4558

@rusty-snake rusty-snake linked an issue Sep 29, 2021 that may be closed by this pull request
1 task
@smitsohu smitsohu force-pushed the trace branch 8 times, most recently from 19e1ee0 to 86df5a5 Compare October 3, 2021 13:47
@kmk3 kmk3 mentioned this pull request Oct 5, 2021
@smitsohu
Collaborator Author

smitsohu commented Oct 7, 2021

One thing to keep in mind is that there could be competing symbol definitions in ld.so.preload, and the non-Firejail definitions might win. I'm not entirely clear atm how to avoid this, it needs a bit of extra research.

seccomp is unaffected, as are libraries like libaslrmalloc or Hardened Malloc. trace is affected but not directly relevant to sandbox security. If there is a problem it is with tracelog, which people might rely on for receiving notifications about blacklist violations.
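
The following added example (not part of this pull request or of Firejail's code) checks a sandbox's ld.so.preload against the host's for the two concerns raised above: entries lost to truncation, and entries listed ahead of the tracing library, which the dynamic loader searches first when resolving symbols. The library paths and the sample file contents are assumptions constructed for illustration.

```python
import re

# Assumed install path of the tracing library; adjust for the system under test.
TRACER = "/usr/lib/firejail/libtracelog.so"


def parse_preload(text):
    """Return the library entries of an ld.so.preload file, in load order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        # Entries are separated by whitespace; colons are accepted as well.
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit(host_text, sandbox_text, tracer=TRACER):
    """Compare the host preload list with the one seen inside the sandbox."""
    host = parse_preload(host_text)
    sandbox = parse_preload(sandbox_text)
    report = {
        # Host entries missing in the sandbox: the truncation problem.
        "dropped": [lib for lib in host if lib not in sandbox],
        "tracer_present": tracer in sandbox,
        # Entries loaded before the tracer: their definitions of any
        # overlapping symbol are found first and would win.
        "ahead_of_tracer": [],
    }
    if report["tracer_present"]:
        report["ahead_of_tracer"] = sandbox[:sandbox.index(tracer)]
    return report


# Constructed sample inputs (not taken from a real system).
HOST = "# hardening library\n/usr/lib/libaslrmalloc.so\n"
TRUNCATED = TRACER + "\n"
PRESERVED = "/usr/lib/libaslrmalloc.so\n" + TRACER + "\n"

if __name__ == "__main__":
    for name, sample in (("truncated", TRUNCATED), ("preserved", PRESERVED)):
        print(name, audit(HOST, sample))
```

An entry in `ahead_of_tracer` is only a candidate for shadowing; whether it actually exports a symbol that the tracing library also defines has to be checked against the libraries themselves.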

@netblue30
Owner

merged!

@netblue30 netblue30 merged commit 88475a5 into netblue30:master Oct 9, 2021
@smitsohu smitsohu deleted the trace branch October 23, 2021 21:28
kmk3 added a commit to kmk3/firejail that referenced this pull request Jan 26, 2022
Note: They are added in the order that the issues were fixed/closed.

Note2: The issues were found through the following url:

https://github.com/netblue30/firejail/issues?q=is%3Aclosed+label%3Abug+-label%3Asecurity+closed%3A%3E2021-06-29+

The date used is the release date of 0.9.66, so in theory the query
should return every bug closed after that.  Security-related issues are
excluded because they will be added separately.

Note3: All issues other than netblue30#4328 were fixed before 0.9.68rc1.

Relates to netblue30#2758 netblue30#4235 netblue30#4328 netblue30#4387 netblue30#4395 netblue30#4460 netblue30#4467 netblue30#4558 netblue30#4560 netblue30#4586.
@kmk3 kmk3 mentioned this pull request Jan 26, 2022
Projects
Status: Done (on RELNOTES)
Development

Successfully merging this pull request may close these issues.

--tracelog and --trace override /etc/ld.so.preload inside the sandbox
2 participants