author | valoq <valoq@mailbox.org> | 2016-12-06 15:51:56 +0100 |
---|---|---|
committer | valoq <valoq@mailbox.org> | 2016-12-06 15:51:56 +0100 |
commit | 6c262c3e8746b4460a6a42a6686b89e44018ed99 (patch) | |
tree | f53c005e49a3e54cbb7ad755089f8d75a1d38dea | |
parent | truecrypt and zuluCrypt support (diff) | |
block dbus ipc
-rw-r--r-- | src/firejail/fs.c | 65 |
1 files changed, 64 insertions, 1 deletions
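--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
 
 
-// blacklist files or directoies by mounting empty files on top of them
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
 	char *homedir = cfg.homedir;
 	assert(homedir);
@@ -530,6 +530,69 @@ void fs_proc_sys_dev_boot(void) {
 
 	// disable /dev/port
 	disable_file(BLACKLIST_FILE, "/dev/port");
+
+
+	// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
+
+	// disable various ipc sockets
+	struct stat s;
+
+	// disable /run/user/{uid}/bus
+	char *fnamebus;
+	if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1)
+		errExit("asprintf");
+	if (stat(fnamebus, &s) == 0)
+		disable_file(BLACKLIST_FILE, fnamebus);
+	free(fnamebus);
+
+	// disable /run/user/{uid}/gnupg
+	char *fnamegpg;
+	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+		errExit("asprintf");
+	if (stat(fnamegpg, &s) == 0)
+		disable_file(BLACKLIST_FILE, fnamegpg);
+	free(fnamegpg);
+
+	// disable /run/user/{uid}/systemd
+	char *fnamesysd;
+	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+		errExit("asprintf");
+	if (stat(fnamesysd, &s) == 0)
+		disable_file(BLACKLIST_FILE, fnamesysd);
+	free(fnamesysd);
+
+
+	// WARNING: not working
+	// disable /run/user/{uid}/kdeinit*
+	//char *fnamekde;
+	//if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
+	//	errExit("asprintf");
+	//if (stat(fnamekde, &s) == 0)
+	//	disable_file(BLACKLIST_FILE, fnamekde);
+	//free(fnamekde);
+
+
+	// disable /run/user/{uid}/pulse
+	/* char *fnamepulse; */
+	/* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
+	/* 	errExit("asprintf"); */
+	/* if (stat(fnamepulse, &s) == 0) */
+	/* 	disable_file(BLACKLIST_FILE, fnamepulse); */
+	/* free(fnamepulse); */
+
+	// disable /run/user/{uid}/dconf
+	/* char *fnamedconf; */
+	/* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
+	/* 	errExit("asprintf"); */
+	/* if (stat(fnamedconf, &s) == 0) */
+	/* 	disable_file(BLACKLIST_FILE, fnamedconf); */
+	/* free(fnamedconf); */
+
+
+	//more files with sockets to be blacklisted
+	// /run/dbus /run/systemd /run/udev /run/lvm
+
+
 
 	if (getuid() != 0) {
 		// disable /dev/kmsg and /proc/kmsg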
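Review bot: The bus, gnupg and systemd blocks added at new lines 540-562 are the same asprintf/stat/disable_file/free sequence repeated three times, and the commented-out kdeinit, pulse and dconf copies below them are dead code; a single loop over a static table of entry names keeps one copy of the logic and turns the pending entries into a one-line TODO. While doing so, `getuid()` returns uid_t, which is unsigned on Linux, so the `%d` conversion should become `%u` with an explicit cast. The kdeinit entry cannot work through stat() because its path contains a glob pattern; the file's existing `globbing()` helper (named in the first hunk's header) looks like the intended tool for it, though its contract is not visible here. The stat() existence check may also be redundant, since the unconditional `disable_file(BLACKLIST_FILE, "/dev/port")` above suggests disable_file already tolerates a missing path — worth confirming before dropping it. fs_proc_sys_dev_boot starts and ends outside the hunk.
```c
	// disable various ipc sockets under /run/user/{uid}
	// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
	// TODO: kdeinit* (needs globbing, stat() does not expand patterns), pulse, dconf;
	//       also /run/dbus /run/systemd /run/udev /run/lvm
	static const char *const run_user_ipc[] = { "bus", "gnupg", "systemd" };
	for (size_t i = 0; i < sizeof run_user_ipc / sizeof run_user_ipc[0]; i++) {
		char *fname;
		if (asprintf(&fname, "/run/user/%u/%s", (unsigned) getuid(), run_user_ipc[i]) == -1)
			errExit("asprintf");
		struct stat s;
		if (stat(fname, &s) == 0)
			disable_file(BLACKLIST_FILE, fname);
		free(fname);
	}
	// … unchanged: getuid() != 0 block that disables /dev/kmsg and /proc/kmsg …
```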