aboutsummaryrefslogtreecommitdiffstats
path: root/src/firejail/dbus.c
diff options
context:
space:
mode:
authorLibravatar Topi Miettinen <toiwoton@gmail.com>2020-04-06 21:24:16 +0300
committerLibravatar Topi Miettinen <toiwoton@gmail.com>2021-02-08 19:19:09 +0200
commit1c7ea15b30d49d32a0e3cb79152514f1aeb19397 (patch)
tree73d5d0f553e08d6d9a64f85c29a5c6df5433cda7 /src/firejail/dbus.c
parentuse ${DOWNLOADS} in lutris.profile (#3955) (diff)
downloadfirejail-1c7ea15b30d49d32a0e3cb79152514f1aeb19397.tar.gz
firejail-1c7ea15b30d49d32a0e3cb79152514f1aeb19397.tar.zst
firejail-1c7ea15b30d49d32a0e3cb79152514f1aeb19397.zip
Filter environment variables
Save all environment variables for later use in the application, clear environment and re-apply only whitelisted variables for the main firejail process. The whitelisted environment is only used by C library. Sandboxed tools will get further variables used internally (FIREJAIL_*). All variables will be reapplied for the firejailed application. This also lifts the length restriction for environment variables, except for the variables used by Firejail itself or the sandboxed tools.
Diffstat (limited to 'src/firejail/dbus.c')
-rw-r--r--src/firejail/dbus.c30
1 files changed, 11 insertions, 19 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 3cf75ed84..1d0f07089 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -329,7 +329,7 @@ void dbus_proxy_start(void) {
329 errExit("close"); 329 errExit("close");
330 330
331 if (arg_dbus_user == DBUS_POLICY_FILTER) { 331 if (arg_dbus_user == DBUS_POLICY_FILTER) {
332 char *user_env = getenv(DBUS_SESSION_BUS_ADDRESS_ENV); 332 const char *user_env = env_get(DBUS_SESSION_BUS_ADDRESS_ENV);
333 if (user_env == NULL) { 333 if (user_env == NULL) {
334 char *dbus_user_socket = find_user_socket(); 334 char *dbus_user_socket = find_user_socket();
335 write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s", 335 write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s",
@@ -350,7 +350,7 @@ void dbus_proxy_start(void) {
350 } 350 }
351 351
352 if (arg_dbus_system == DBUS_POLICY_FILTER) { 352 if (arg_dbus_system == DBUS_POLICY_FILTER) {
353 char *system_env = getenv(DBUS_SYSTEM_BUS_ADDRESS_ENV); 353 const char *system_env = env_get(DBUS_SYSTEM_BUS_ADDRESS_ENV);
354 if (system_env == NULL) { 354 if (system_env == NULL) {
355 write_arg(args_pipe[1], 355 write_arg(args_pipe[1],
356 DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET); 356 DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET);
@@ -435,8 +435,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) {
435 close(fd); 435 close(fd);
436} 436}
437 437
438static char *get_socket_env(const char *name) { 438static const char *get_socket_env(const char *name) {
439 char *value = getenv(name); 439 const char *value = env_get(name);
440 if (value == NULL) 440 if (value == NULL)
441 return NULL; 441 return NULL;
442 if (strncmp(value, DBUS_SOCKET_PATH_PREFIX, 442 if (strncmp(value, DBUS_SOCKET_PATH_PREFIX,
@@ -446,21 +446,13 @@ static char *get_socket_env(const char *name) {
446} 446}
447 447
448void dbus_set_session_bus_env(void) { 448void dbus_set_session_bus_env(void) {
449 if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, 449 env_store_name_val(DBUS_SESSION_BUS_ADDRESS_ENV,
450 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { 450 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, SETENV);
451 fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV
452 " required by --dbus-user\n");
453 exit(1);
454 }
455} 451}
456 452
457void dbus_set_system_bus_env(void) { 453void dbus_set_system_bus_env(void) {
458 if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, 454 env_store_name_val(DBUS_SYSTEM_BUS_ADDRESS_ENV,
459 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { 455 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, SETENV);
460 fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV
461 " required by --dbus-system\n");
462 exit(1);
463 }
464} 456}
465 457
466static void disable_socket_dir(void) { 458static void disable_socket_dir(void) {
@@ -506,7 +498,7 @@ void dbus_apply_policy(void) {
506 errExit("asprintf"); 498 errExit("asprintf");
507 disable_file_or_dir(dbus_user_socket2); 499 disable_file_or_dir(dbus_user_socket2);
508 500
509 char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); 501 const char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV);
510 if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 && 502 if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 &&
511 strcmp(user_env, dbus_user_socket2) != 0) 503 strcmp(user_env, dbus_user_socket2) != 0)
512 disable_file_or_dir(user_env); 504 disable_file_or_dir(user_env);
@@ -535,7 +527,7 @@ void dbus_apply_policy(void) {
535 527
536 disable_file_or_dir(DBUS_SYSTEM_SOCKET); 528 disable_file_or_dir(DBUS_SYSTEM_SOCKET);
537 529
538 char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); 530 const char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV);
539 if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) 531 if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0)
540 disable_file_or_dir(system_env); 532 disable_file_or_dir(system_env);
541 533
@@ -561,4 +553,4 @@ void dbus_apply_policy(void) {
561 553
562 fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); 554 fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
563} 555}
564#endif // HAVE_DBUSPROXY \ No newline at end of file 556#endif // HAVE_DBUSPROXY
generated by cgit v1.2.3-54-g00ecf (git 2.45.1) at 2024-06-02 20:56:50 +0000