author | Topi Miettinen <toiwoton@gmail.com> | 2020-04-06 21:24:16 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2021-02-08 19:19:09 +0200 |
commit | 1c7ea15b30d49d32a0e3cb79152514f1aeb19397 (patch) | |
tree | 73d5d0f553e08d6d9a64f85c29a5c6df5433cda7 /src/firejail/dbus.c | |
parent | use ${DOWNLOADS} in lutris.profile (#3955) (diff) | |
Filter environment variables
Save all environment variables for later use in the application, clear
environment and re-apply only whitelisted variables for the main
firejail process. The whitelisted environment is only used by the C
library. Sandboxed tools will get further variables used
internally (FIREJAIL_*).
All variables will be reapplied for the firejailed application.
This also lifts the length restriction for environment variables,
except for the variables used by Firejail itself or the sandboxed
tools.
Diffstat (limited to 'src/firejail/dbus.c')
-rw-r--r-- | src/firejail/dbus.c | 30 |
1 files changed, 11 insertions, 19 deletions
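diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 3cf75ed84..1d0f07089 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -329,7 +329,7 @@ void dbus_proxy_start(void) {
 errExit("close");
 
 if (arg_dbus_user == DBUS_POLICY_FILTER) {
-char *user_env = getenv(DBUS_SESSION_BUS_ADDRESS_ENV);
+const char *user_env = env_get(DBUS_SESSION_BUS_ADDRESS_ENV);
 if (user_env == NULL) {
 char *dbus_user_socket = find_user_socket();
 write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s",
@@ -350,7 +350,7 @@ void dbus_proxy_start(void) {
 }
 
 if (arg_dbus_system == DBUS_POLICY_FILTER) {
-char *system_env = getenv(DBUS_SYSTEM_BUS_ADDRESS_ENV);
+const char *system_env = env_get(DBUS_SYSTEM_BUS_ADDRESS_ENV);
 if (system_env == NULL) {
 write_arg(args_pipe[1],
 DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET);
@@ -435,8 +435,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) {
 close(fd);
 }
 
-static char *get_socket_env(const char *name) {
-char *value = getenv(name);
+static const char *get_socket_env(const char *name) {
+const char *value = env_get(name);
 if (value == NULL)
 return NULL;
 if (strncmp(value, DBUS_SOCKET_PATH_PREFIX,
@@ -446,21 +446,13 @@ static char *get_socket_env(const char *name) {
 }
 
 void dbus_set_session_bus_env(void) {
-if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV,
-DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) {
-fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV
-" required by --dbus-user\n");
-exit(1);
-}
+env_store_name_val(DBUS_SESSION_BUS_ADDRESS_ENV,
+DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, SETENV);
 }
 
 void dbus_set_system_bus_env(void) {
-if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV,
-DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) {
-fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV
-" required by --dbus-system\n");
-exit(1);
-}
+env_store_name_val(DBUS_SYSTEM_BUS_ADDRESS_ENV,
+DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, SETENV);
 }
 
 static void disable_socket_dir(void) {
@@ -506,7 +498,7 @@ void dbus_apply_policy(void) {
 errExit("asprintf");
 disable_file_or_dir(dbus_user_socket2);
 
-char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV);
+const char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV);
 if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 &&
 strcmp(user_env, dbus_user_socket2) != 0)
 disable_file_or_dir(user_env);
@@ -535,7 +527,7 @@ void dbus_apply_policy(void) {
 
 disable_file_or_dir(DBUS_SYSTEM_SOCKET);
 
-char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV);
+const char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV);
 if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0)
 disable_file_or_dir(system_env);
 
@@ -561,4 +553,4 @@ void dbus_apply_policy(void) {
 
 fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
 }
-#endif // HAVE_DBUSPROXY
\ No newline at end of file
+#endif // HAVE_DBUSPROXY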
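Review bot: dbus_set_session_bus_env() and dbus_set_system_bus_env() lose their fail-closed path: the old `setenv(...) == -1` check with its `--dbus-user` / `--dbus-system` error and `exit(1)` is removed, and nothing in the new lines checks the outcome of `env_store_name_val(..., SETENV)`. That helper is defined outside this file, and the commit description says variables are saved and reapplied later, so from this diff it cannot be confirmed that a failure to set the proxy address still stops the sandbox from starting; if it does not, the sandboxed application would keep the caller's original bus address. Once confirmed, I would document the contract on both functions, e.g. `// env_store_name_val() aborts on failure; the proxy address is applied when the environment is rebuilt for the sandboxed program`. Separately, get_socket_env() (its tail is outside the hunk) still hands an environment-derived path to disable_file_or_dir() after only the prefix check, and the description lifts the length limit for saved variables, so it is worth confirming that these two D-Bus variables remain covered by the limit kept for variables Firejail itself reads.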