author | startx2017 <vradu.startx@yandex.com> | 2018-03-26 10:37:02 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2018-03-26 10:37:02 -0400 |
commit | ae008e5fa9e8a901fbf255664f3de775415a39a3 (patch) | |
tree | 6a9288e88ada7d9097b292d84422e8ced69d9ec3 | |
parent | Add atril thumbnailer and previewer profiles (diff) | |
--nodbus, first draft for #1825
-rw-r--r-- | src/firejail/firejail.h | 6 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 20 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/profile.c | 6 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 37 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 | ||||
-rw-r--r-- | src/firejail/util.c | 31 |
7 files changed, 57 insertions, 55 deletions
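--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -382,6 +382,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute; // block writable and executable memory
 extern int arg_notv; // --notv
 extern int arg_nodvd; // --nodvd
+extern int arg_nodbus; // -nodbus
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -520,6 +521,8 @@ void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 unsigned extract_timeout(const char *str);
+void disable_file_or_dir(const char *fname);
+void disable_file_path(const char *path, const char *file);
 
 // fs_var.c
 void fs_var_log(void); // mounting /var/log
@@ -800,4 +803,7 @@ void set_name_run_file(pid_t pid);
 void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 
+// dbus.c
+void dbus_session_disable(void);
+
 #endif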
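Review bot: The comment on the new `arg_nodbus` declaration reads `// -nodbus`, one dash short of the option it documents, while the neighbouring `// --notv` and `// --nodvd` use the double-dash form that main.c actually parses (`strcmp(argv[i], "--nodbus")`). The same single-dash comment is repeated on the definition in main.c. Suggest `extern int arg_nodbus; // --nodbus` here and `int arg_nodbus = 0; // --nodbus` in main.c so a reader grepping for the flag finds both.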
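--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -297,26 +297,6 @@ void fs_private_dev(void){
 	}
 }
 
-
-
-static void disable_file_or_dir(const char *fname) {
-	if (arg_debug)
-		printf("disable %s\n", fname);
-	struct stat s;
-	if (stat(fname, &s) != -1) {
-		if (is_dir(fname)) {
-			if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-				errExit("disable directory");
-		}
-		else {
-			if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-				errExit("disable file");
-		}
-	}
-	fs_logger2("blacklist", fname);
-
-}
-
 void fs_dev_disable_sound(void) {
 	unsigned i = 0;
 	while (dev[i].dev_fname != NULL) {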
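--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
 int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_nodbus = 0; // -nodbus
 int login_shell = 0;
 
 
@@ -1111,7 +1112,7 @@ int main(int argc, char **argv) {
 		else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {
 				if (cfg.protocol) {
-					fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
+					fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
 				}
 				else {
 					// store list
@@ -1734,6 +1735,8 @@ int main(int argc, char **argv) {
 			arg_notv = 1;
 		else if (strcmp(argv[i], "--nodvd") == 0)
 			arg_nodvd = 1;
+		else if (strcmp(argv[i], "--nodbus") == 0)
+			arg_nodbus = 1;
 
 		//*************************************
 		// network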
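Review bot: The reworded warning in the `--protocol=` branch now names only the list that is kept (`cfg.protocol`) and no longer shows the list being discarded (`argv[i] + 11`), so someone who supplies two lists can no longer tell from the message which seccomp protocol filter was silently dropped; the same rewording appears in profile.c with `ptr + 9`. Suggest reporting both sides, e.g. `fwarning("two protocol lists are present, \"%s\" will be installed and \"%s\" ignored\n", cfg.protocol, argv[i] + 11);` here and the `ptr + 9` equivalent in profile.c. `main()` begins and ends outside this hunk.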
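--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -249,6 +249,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_no3d = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "nodbus") == 0) {
+		arg_nodbus = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "allow-private-blacklist") == 0) {
 		fmessage("--allow-private-blacklist was deprecated\n");
 		return 0;
@@ -549,7 +553,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
 		if (checkcfg(CFG_SECCOMP)) {
 			if (cfg.protocol) {
-				fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
+				fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
 				return 0;
 			}
 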
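--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,52 +24,24 @@
 #include <dirent.h>
 #include <sys/wait.h>
 
-static void disable_file(const char *path, const char *file) {
-	assert(file);
-	assert(path);
-
-	struct stat s;
-	char *fname;
-	if (asprintf(&fname, "%s/%s", path, file) == -1)
-		errExit("asprintf");
-	if (stat(fname, &s) == -1)
-		goto doexit;
-
-	if (arg_debug)
-		printf("Disable%s\n", fname);
-
-	if (S_ISDIR(s.st_mode)) {
-		if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-			errExit("disable file");
-	}
-	else {
-		if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-			errExit("disable file");
-	}
-	fs_logger2("blacklist", fname);
-
-doexit:
-	free(fname);
-}
-
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
 	if (arg_debug)
 		printf("disable pulseaudio\n");
 	// blacklist user config directory
-	disable_file(cfg.homedir, ".config/pulse");
+	disable_file_path(cfg.homedir, ".config/pulse");
 
 
 	// blacklist pulseaudio socket in XDG_RUNTIME_DIR
 	char *name = getenv("XDG_RUNTIME_DIR");
 	if (name)
-		disable_file(name, "pulse/native");
+		disable_file_path(name, "pulse/native");
 
 	// try the default location anyway
 	char *path;
 	if (asprintf(&path, "/run/user/%d", getuid()) == -1)
 		errExit("asprintf");
-	disable_file(path, "pulse/native");
+	disable_file_path(path, "pulse/native");
 	free(path);
 
 
@@ -87,12 +59,11 @@ void pulseaudio_disable(void) {
 	struct dirent *entry;
 	while ((entry = readdir(dir))) {
 		if (strncmp(entry->d_name, "pulse-", 6) == 0) {
-			disable_file("/tmp", entry->d_name);
+			disable_file_path("/tmp", entry->d_name);
 		}
 	}
 
 	closedir(dir);
-
 }
 
 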
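--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -838,6 +838,13 @@ int sandbox(void* sandbox_arg) {
 	}
 
 	//****************************
+	// Session D-BUS
+	//****************************
+	if (arg_nodbus)
+		dbus_session_disable();
+
+
+	//****************************
 	// hosts and hostname
 	//****************************
 	if (cfg.hostname)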
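Review bot: The new block calls `dbus_session_disable()`, which this commit only declares in firejail.h under a `// dbus.c` heading; none of the seven files in the diffstat is `src/firejail/dbus.c`, so unless that file already exists in the tree or arrives in a follow-up, the build will fail at link time with an undefined reference as soon as the call is compiled in. The commit title calls this a first draft, so the omission may be deliberate, but the header declaration and this call should land together with the definition rather than ahead of it. `sandbox()` begins and ends outside this hunk.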
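--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <ftw.h>
 #include <sys/stat.h>
+#include <sys/mount.h>
 #include <fcntl.h>
 #include <syslog.h>
 #include <errno.h>
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
 
 	return h * 3600 + m * 60 + s;
 }
+
+void disable_file_or_dir(const char *fname) {
+	if (arg_debug)
+		printf("blacklist %s\n", fname);
+	struct stat s;
+	if (stat(fname, &s) != -1) {
+		if (is_dir(fname)) {
+			if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+				errExit("disable directory");
+		}
+		else {
+			if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+				errExit("disable file");
+		}
+	}
+	fs_logger2("blacklist", fname);
+}
+
+void disable_file_path(const char *path, const char *file) {
+	assert(file);
+	assert(path);
+
+	char *fname;
+	if (asprintf(&fname, "%s/%s", path, file) == -1)
+		errExit("asprintf");
+
+	disable_file_or_dir(fname);
+	free(fname);
+}
+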
997 | |||