disable DBus activation in firecfg

author: netblue30 <netblue30@yahoo.com> 2017-09-25 07:38:01 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-25 07:38:01 -0400
commit: a6341b904c08b1feb51e264ab487d1f125222a10 (patch)
tree: 35ea50b8c8e561b710272a0e8ae9418541a32925 /src/firecfg/desktop_files.c
parent: Remove whitelist from pinta (diff)
download: firejail-a6341b904c08b1feb51e264ab487d1f125222a10.tar.gz
firejail-a6341b904c08b1feb51e264ab487d1f125222a10.tar.zst
firejail-a6341b904c08b1feb51e264ab487d1f125222a10.zip
1 files changed, 265 insertions, 0 deletions
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
new file mode 100644
index 000000000..eaedc4b64
--- /dev/null
+++ b/src/firecfg/desktop_files.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firecfg.h"
+// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
+static int have_profile(const char *filename, const char *homedir) {
+        assert(filename);
+        assert(homedir);
+        if (arg_debug)
+                printf("checking profile for %s\n", filename);
+        // remove .desktop extension; if file name starts with org.gnome... remove it
+        char *f1;
+        if (strncmp(filename, "org.gnome.", 10) == 0)
+                f1 = strdup(filename + 10);
+        else
+                f1 = strdup(filename);
+        if (!f1)
+                errExit("strdup");
+        f1[strlen(f1) - 8] = '\0';
+        if (arg_debug)
+                printf("looking for a profile for %s - %s\n", filename, f1);
+        // build profile name
+        char *profname1;
+        char *profname2;
+        if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1)
+                errExit("asprintf");
+        if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, f1) == -1)
+                errExit("asprintf");
+        int rv = 0;
+        if (access(profname1, R_OK) == 0) {
+                if (arg_debug)
+                        printf("found %s\n", profname1);
+                rv = 1;
+        }
+        else if (access(profname2, R_OK) == 0) {
+                if (arg_debug)
+                        printf("found %s\n", profname2);
+                rv = 1;
+        }
+                
+        if (arg_debug)
+                printf("Profile for %s %s\n", f1, (rv)? "found": "not found");
+        free(f1);
+        free(profname1);
+        free(profname2);
+        return rv;
+}
+void fix_desktop_files(char *homedir) {
+        assert(homedir);
+        struct stat sb;
+        // check user
+        if (getuid() == 0) {
+                fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n");
+                exit(1);
+        }
+        // destination
+        // create ~/.local/share/applications directory if necessary
+        char *user_apps_dir;
+        if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1)
+                errExit("asprintf");
+        if (stat(user_apps_dir, &sb) == -1) {
+                int rv = mkdir(user_apps_dir, 0700);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot create ~/.local/application directory\n");
+                        perror("mkdir");
+                        exit(1);
+                }
+                rv = chmod(user_apps_dir, 0700);
+                (void) rv;
+        }
+        // source
+        DIR *dir = opendir("/usr/share/applications");
+        if (!dir) {
+                perror("Error: cannot open /usr/share/applications directory");
+                exit(1);
+        }
+        if (chdir("/usr/share/applications")) {
+                perror("Error: cannot chdir to /usr/share/applications");
+                exit(1);
+        }
+        printf("\nFixing desktop files in %s\n", user_apps_dir);
+        // copy
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                // skip if not regular file or link
+                // d_type is not available on some file systems
+                if (entry->d_type != DT_REG && entry->d_type != DT_LNK && entry->d_type != DT_UNKNOWN)
+                        continue;
+                // skip if not .desktop file
+                if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8))
+                        continue;
+                char *filename = entry->d_name;
+                // skip links
+                if (is_link(filename))
+                        continue;
+                if (stat(filename, &sb) == -1)
+                        errExit("stat");
+                // no profile in /etc/firejail, no desktop file fixing
+                if (!have_profile(filename, homedir))
+                        continue;
+                //****************************************************
+                // load the file in memory and do some basic checking
+                //****************************************************
+                /* coverity[toctou] */
+                int fd = open(filename, O_RDONLY);
+                if (fd == -1) {
+                        fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
+                        continue;
+                }
+                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+                if (buf == MAP_FAILED)
+                        errExit("mmap");
+                close(fd);
+                // check format
+                if (strstr(buf, "[Desktop Entry]\n") == NULL) {
+                        if (arg_debug)
+                                printf("   %s - skipped: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                // get executable name
+                char *ptr = strstr(buf,"\nExec=");
+                if (!ptr || strlen(ptr) < 7) {
+                        if (arg_debug)
+                                printf("   %s - skipped: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                char *execname = ptr + 6;
+                // executable name can be quoted, this is rare and currently unsupported, TODO
+                if (execname[0] == '"') {
+                        if (arg_debug)
+                                printf("   %s - skipped: path quoting unsupported\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                // try to decide if we need to covert this file
+                char *change_exec = NULL;
+                int change_dbus = 0;
+                // https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
+                // The executable program can either be specified with its full path
+                // or with the name of the executable only
+                if (execname[0] == '/') {
+                        char *end_name = strchr(execname, ' ');
+                        if (end_name) {
+                                *end_name = '\0';
+                                char *start_name = strrchr(execname, '/');
+                                if (start_name) {
+                                        start_name++;
+                                        // check if we have the executable on the regular path
+                                        if (which(start_name)) {
+                                                change_exec = strdup(start_name);
+                                                if (!change_exec)
+                                                        errExit("strdup");
+                                        }
+                                }
+                        }
+                }
+                
+                if (strstr(buf, "\nDBusActivatable=true"))
+                        change_dbus = 1;
+                
+                if (change_exec == NULL && change_dbus == 0) {
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                
+                munmap(buf, sb.st_size + 1);
+                //****************************************************
+                // generate output file
+                //****************************************************
+                char *outname;
+                if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1)
+                        errExit("asprintf");
+                if (stat(outname, &sb) == 0) {
+                        printf("   %s skipped: file exists\n", filename);
+                        continue;
+                }
+                
+                FILE *fpin = fopen(filename, "r");
+                if (!fpin) {
+                        fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
+                        continue;
+                }
+                
+                FILE *fpout = fopen(outname, "w");
+                if (!fpout) {
+                        fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname);
+                        fclose(fpin);
+                        continue;
+                }
+                fprintf(fpout, "# converted by firecfg\n");
+                free(outname);
+                char fbuf[MAX_BUF];
+                while (fgets(fbuf, MAX_BUF, fpin)) {
+                        if (change_dbus && strcmp(fbuf, "DBusActivatable=true\n") == 0)
+                                fprintf(fpout, "DBusActivatable=false\n");
+                        else if (change_exec && strncmp(fbuf, "Exec=", 5) == 0) {
+                                char *start_params = strchr(fbuf + 5, ' ');
+                                assert(start_params);
+                                start_params++;
+                                fprintf(fpout, "Exec=%s %s", change_exec, start_params);
+                        }
+                        else
+                                fprintf(fpout, "%s", fbuf);     
+                }
+                
+                if (change_exec)
+                        free(change_exec);
+                fclose(fpin);
+                fclose(fpout);
+                printf("   %s created\n", filename);
+        }
+        closedir(dir);
+        free(user_apps_dir);
+}
author	netblue30 <netblue30@yahoo.com>	2017-09-25 07:38:01 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-25 07:38:01 -0400
commit	a6341b904c08b1feb51e264ab487d1f125222a10 (patch)
tree	35ea50b8c8e561b710272a0e8ae9418541a32925 /src/firecfg/desktop_files.c
parent	Remove whitelist from pinta (diff)
download	firejail-a6341b904c08b1feb51e264ab487d1f125222a10.tar.gz firejail-a6341b904c08b1feb51e264ab487d1f125222a10.tar.zst firejail-a6341b904c08b1feb51e264ab487d1f125222a10.zip

diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c new file mode 100644 index 000000000..eaedc4b64 --- /dev/null +++ b/src/firecfg/desktop_files.c
@@ -0,0 +1,265 @@
	1	/*
	2	* Copyright (C) 2014-2017 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20
	21	#include "firecfg.h"
	22
	23	// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
	24	static int have_profile(const char filename, const char homedir) {
	25	assert(filename);
	26	assert(homedir);
	27
	28	if (arg_debug)
	29	printf("checking profile for %s\n", filename);
	30
	31	// remove .desktop extension; if file name starts with org.gnome... remove it
	32	char *f1;
	33	if (strncmp(filename, "org.gnome.", 10) == 0)
	34	f1 = strdup(filename + 10);
	35	else
	36	f1 = strdup(filename);
	37	if (!f1)
	38	errExit("strdup");
	39	f1[strlen(f1) - 8] = '\0';
	40	if (arg_debug)
	41	printf("looking for a profile for %s - %s\n", filename, f1);
	42
	43	// build profile name
	44	char *profname1;
	45	char *profname2;
	46	if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1)
	47	errExit("asprintf");
	48	if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, f1) == -1)
	49	errExit("asprintf");
	50
	51	int rv = 0;
	52	if (access(profname1, R_OK) == 0) {
	53	if (arg_debug)
	54	printf("found %s\n", profname1);
	55	rv = 1;
	56	}
	57	else if (access(profname2, R_OK) == 0) {
	58	if (arg_debug)
	59	printf("found %s\n", profname2);
	60	rv = 1;
	61	}
	62
	63	if (arg_debug)
	64	printf("Profile for %s %s\n", f1, (rv)? "found": "not found");
	65	free(f1);
	66	free(profname1);
	67	free(profname2);
	68	return rv;
	69	}
	70
	71	void fix_desktop_files(char *homedir) {
	72	assert(homedir);
	73	struct stat sb;
	74
	75	// check user
	76	if (getuid() == 0) {
	77	fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n");
	78	exit(1);
	79	}
	80
	81	// destination
	82	// create ~/.local/share/applications directory if necessary
	83	char *user_apps_dir;
	84	if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1)
	85	errExit("asprintf");
	86	if (stat(user_apps_dir, &sb) == -1) {
	87	int rv = mkdir(user_apps_dir, 0700);
	88	if (rv) {
	89	fprintf(stderr, "Error: cannot create ~/.local/application directory\n");
	90	perror("mkdir");
	91	exit(1);
	92	}
	93	rv = chmod(user_apps_dir, 0700);
	94	(void) rv;
	95	}
	96
	97	// source
	98	DIR *dir = opendir("/usr/share/applications");
	99	if (!dir) {
	100	perror("Error: cannot open /usr/share/applications directory");
	101	exit(1);
	102	}
	103	if (chdir("/usr/share/applications")) {
	104	perror("Error: cannot chdir to /usr/share/applications");
	105	exit(1);
	106	}
	107
	108	printf("\nFixing desktop files in %s\n", user_apps_dir);
	109	// copy
	110	struct dirent *entry;
	111	while ((entry = readdir(dir)) != NULL) {
	112	if (strcmp(entry->d_name, ".") == 0 \|\| strcmp(entry->d_name, "..") == 0)
	113	continue;
	114
	115	// skip if not regular file or link
	116	// d_type is not available on some file systems
	117	if (entry->d_type != DT_REG && entry->d_type != DT_LNK && entry->d_type != DT_UNKNOWN)
	118	continue;
	119
	120	// skip if not .desktop file
	121	if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8))
	122	continue;
	123
	124	char *filename = entry->d_name;
	125
	126	// skip links
	127	if (is_link(filename))
	128	continue;
	129	if (stat(filename, &sb) == -1)
	130	errExit("stat");
	131
	132	// no profile in /etc/firejail, no desktop file fixing
	133	if (!have_profile(filename, homedir))
	134	continue;
	135
	136	//****************************************************
	137	// load the file in memory and do some basic checking
	138	//****************************************************
	139	/* coverity[toctou] */
	140	int fd = open(filename, O_RDONLY);
	141	if (fd == -1) {
	142	fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
	143	continue;
	144	}
	145
	146	char *buf = mmap(NULL, sb.st_size + 1, PROT_READ \| PROT_WRITE, MAP_PRIVATE, fd, 0);
	147	if (buf == MAP_FAILED)
	148	errExit("mmap");
	149	close(fd);
	150
	151	// check format
	152	if (strstr(buf, "[Desktop Entry]\n") == NULL) {
	153	if (arg_debug)
	154	printf(" %s - skipped: wrong format?\n", filename);
	155	munmap(buf, sb.st_size + 1);
	156	continue;
	157	}
	158
	159	// get executable name
	160	char *ptr = strstr(buf,"\nExec=");
	161	if (!ptr \|\| strlen(ptr) < 7) {
	162	if (arg_debug)
	163	printf(" %s - skipped: wrong format?\n", filename);
	164	munmap(buf, sb.st_size + 1);
	165	continue;
	166	}
	167
	168	char *execname = ptr + 6;
	169	// executable name can be quoted, this is rare and currently unsupported, TODO
	170	if (execname[0] == '"') {
	171	if (arg_debug)
	172	printf(" %s - skipped: path quoting unsupported\n", filename);
	173	munmap(buf, sb.st_size + 1);
	174	continue;
	175	}
	176
	177
	178	// try to decide if we need to covert this file
	179	char *change_exec = NULL;
	180	int change_dbus = 0;
	181
	182	// https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
	183	// The executable program can either be specified with its full path
	184	// or with the name of the executable only
	185	if (execname[0] == '/') {
	186	char *end_name = strchr(execname, ' ');
	187	if (end_name) {
	188	*end_name = '\0';
	189	char *start_name = strrchr(execname, '/');
	190	if (start_name) {
	191	start_name++;
	192	// check if we have the executable on the regular path
	193	if (which(start_name)) {
	194	change_exec = strdup(start_name);
	195	if (!change_exec)
	196	errExit("strdup");
	197	}
	198	}
	199	}
	200	}
	201
	202	if (strstr(buf, "\nDBusActivatable=true"))
	203	change_dbus = 1;
	204
	205	if (change_exec == NULL && change_dbus == 0) {
	206	munmap(buf, sb.st_size + 1);
	207	continue;
	208	}
	209
	210	munmap(buf, sb.st_size + 1);
	211
	212	//****************************************************
	213	// generate output file
	214	//****************************************************
	215	char *outname;
	216	if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1)
	217	errExit("asprintf");
	218
	219	if (stat(outname, &sb) == 0) {
	220	printf(" %s skipped: file exists\n", filename);
	221	continue;
	222	}
	223
	224	FILE *fpin = fopen(filename, "r");
	225	if (!fpin) {
	226	fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
	227	continue;
	228	}
	229
	230	FILE *fpout = fopen(outname, "w");
	231	if (!fpout) {
	232	fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname);
	233	fclose(fpin);
	234	continue;
	235	}
	236	fprintf(fpout, "# converted by firecfg\n");
	237	free(outname);
	238
	239	char fbuf[MAX_BUF];
	240	while (fgets(fbuf, MAX_BUF, fpin)) {
	241	if (change_dbus && strcmp(fbuf, "DBusActivatable=true\n") == 0)
	242	fprintf(fpout, "DBusActivatable=false\n");
	243	else if (change_exec && strncmp(fbuf, "Exec=", 5) == 0) {
	244	char *start_params = strchr(fbuf + 5, ' ');
	245	assert(start_params);
	246	start_params++;
	247	fprintf(fpout, "Exec=%s %s", change_exec, start_params);
	248	}
	249	else
	250	fprintf(fpout, "%s", fbuf);
	251	}
	252
	253	if (change_exec)
	254	free(change_exec);
	255	fclose(fpin);
	256	fclose(fpout);
	257	printf(" %s created\n", filename);
	258
	259	}
	260
	261	closedir(dir);
	262	free(user_apps_dir);
	263	}
	264
	265