netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

fldd returns different output from ldd #1938

Open chiraag-nataraj opened 6 years ago

chiraag-nataraj commented 6 years ago

So after using the script in #1920, I got Viber working well enough. Keen to reduce the horrendous list of libraries that is displayed everywhere (obscuring the name of the executable!), I tried using --private-lib= with just the libraries I manually added, assuming fldd would find the rest. Surprisingly, Viber failed to start, saying it couldn't find a specific library. After digging deeper, I realized it was because ldd was resolving the libraries stored in /opt/viber/lib, whereas fldd was not. The libraries in /opt/viber/lib depend on various sundry things which aren't picked up by fldd, leading to the error message.

topimiettinen commented 6 years ago

fldd does not read /etc/ld.so.conf, which is where nonstandard paths like /opt/viber/lib can be specified. Of course fldd could be enhanced, but it could just use LD_TRACE_LOADED_OBJECTS=1 ld-linux.so $program like ldd does and parse the output.

chiraag-nataraj commented 6 years ago

The interesting thing is that /opt/viber/lib isn't specified anywhere in /etc/ld.so.conf or /etc/ld.so.conf.d (that's the first thing I checked). But yes, I think we should use LD_TRACE_LOADED_OBJECTS=1 as ldd does.

chiraag-nataraj commented 6 years ago

@netblue30 Is there any reason we aren't just using ldd's method of setting the environment variable?

chiraag-nataraj commented 6 years ago

I don't trust myself enough to work on fldd, but I think we should switch to using the same method as ldd to enumerate the libraries needed.

chiraag-nataraj commented 5 years ago

@netblue30, is this fixable? If not, I'll go ahead and close, since I've found a workaround which works.
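
The approach suggested in the thread (set LD_TRACE_LOADED_OBJECTS=1, let the dynamic loader resolve the libraries, and parse what it prints), as an added example that is not part of the original thread and not firejail's code. The library names in the sample, the function names, and the second resolver's path list are constructed for illustration; tracing this way runs the program's own ELF interpreter, so it is only suitable for binaries you trust.

```python
import os
import re
import subprocess

# Loader trace lines: "name => /path (0xaddr)", "name => not found",
# "/abs/path (0xaddr)" for the interpreter, "name (0xaddr)" for the vDSO.
_LINE = re.compile(
    r"^\s*(?P<name>\S+)(?:\s+=>\s+(?P<target>not found|/\S+))?"
    r"(?:\s+\(0x[0-9a-f]+\))?\s*$"
)

def parse_trace(text):
    """Return ({name: path}, [names the loader could not find])."""
    resolved, missing = {}, []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # e.g. "statically linked", "not a dynamic executable"
        name, target = m.group("name"), m.group("target")
        if target == "not found":
            missing.append(name)
        elif target:
            resolved[name] = target
        elif name.startswith("/"):
            resolved[os.path.basename(name)] = name  # interpreter line
        # otherwise a virtual object (linux-vdso.so.1): no file to copy
    return resolved, missing

def trace_loaded_objects(program):
    """Ask the loader itself, as ldd does. Trusted binaries only."""
    env = dict(os.environ, LD_TRACE_LOADED_OBJECTS="1")
    out = subprocess.run([program], env=env, capture_output=True, text=True)
    return parse_trace(out.stdout)

def not_covered(resolved, other_paths):
    """Paths the loader resolved that a second resolver's list lacks."""
    return sorted(p for p in resolved.values() if p not in set(other_paths))

# Constructed sample trace; library names under /opt/viber/lib are hypothetical.
SAMPLE = (
    "\tlinux-vdso.so.1 (0x00007ffc5a5f2000)\n"
    "\tlibexample.so.1 => /opt/viber/lib/libexample.so.1 (0x00007f1c2a400000)\n"
    "\tlibhelper.so.2 => not found\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a000000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a800000)\n"
)
# Constructed list standing in for a resolver that only searches system paths.
OTHER = ["/lib/x86_64-linux-gnu/libc.so.6", "/lib64/ld-linux-x86-64.so.2"]
```

`not_covered(parse_trace(SAMPLE)[0], OTHER)` lists the libraries that would be absent from a library whitelist built from the second resolver alone.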