author: Kristóf Marussy <kris7topher@gmail.com> 2020-02-28 20:59:15 +0100
committer: Kristóf Marussy <kris7topher@gmail.com> 2020-04-06 21:26:41 +0200
commit31df60f61d2c286674d7a062797fba494d1fd47c (patch)
tree2f85182069cff035bf73aeff0338e8fa6643897f /src/firejail/profile.c
parentAdd xdg-dbus-proxy support (diff)
Add dbus filter options
The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and --dbus-system.own control which names can be accessed and owned on the user and system buses.
Diffstat (limited to 'src/firejail/profile.c')
-rw-r--r--src/firejail/profile.c68
1 files changed, 62 insertions, 6 deletions
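diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 14533ce08..9bfd2ff1c 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -438,9 +438,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	}
 	else if (strncmp("dbus-user ", ptr, 10) == 0) {
 		ptr += 10;
-		if (strcmp("allow", ptr) == 0) {
-			arg_dbus_user = DBUS_POLICY_ALLOW;
-		} else if (strcmp("filter", ptr) == 0) {
+		if (strcmp("filter", ptr) == 0) {
+			if (arg_dbus_user == DBUS_POLICY_BLOCK) {
+				fprintf(stderr, "Error: Cannot relax dbus-user policy, it is already set to block\n");
+				exit(1);
+			}
 			arg_dbus_user = DBUS_POLICY_FILTER;
 		} else if (strcmp("none", ptr) == 0) {
 			arg_dbus_user = DBUS_POLICY_BLOCK;
@@ -450,11 +452,39 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		}
 		return 0;
 	}
+	else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
+		if (arg_dbus_user == DBUS_POLICY_ALLOW) {
+			fprintf(stderr, "Session DBus filtering (dbus-user filter) is "
+				"required for dbus-user.talk rules\n");
+			exit(1);
+		}
+
+		if (!dbus_check_name(ptr + 15)) {
+			printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
+			exit(1);
+		}
+		return 1;
+	}
+	else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
+		if (arg_dbus_user == DBUS_POLICY_ALLOW) {
+			fprintf(stderr, "Session DBus filtering (dbus-user filter) is "
+				"required for dbus-user.own rules\n");
+			exit(1);
+		}
+
+		if (!dbus_check_name(ptr + 14)) {
+			fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);
+			exit(1);
+		}
+		return 1;
+	}
 	else if (strncmp("dbus-system ", ptr, 12) == 0) {
 		ptr += 12;
-		if (strcmp("allow", ptr) == 0) {
-			arg_dbus_system = DBUS_POLICY_ALLOW;
-		} else if (strcmp("filter", ptr) == 0) {
+		if (strcmp("filter", ptr) == 0) {
+			if (arg_dbus_system == DBUS_POLICY_BLOCK) {
+				fprintf(stderr, "Error: Cannot relax dbus-system policy, it is already set to block\n");
+				exit(1);
+			}
 			arg_dbus_system = DBUS_POLICY_FILTER;
 		} else if (strcmp("none", ptr) == 0) {
 			arg_dbus_system = DBUS_POLICY_BLOCK;
@@ -464,6 +494,32 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		}
 		return 0;
 	}
+	else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
+		if (arg_dbus_system == DBUS_POLICY_ALLOW) {
+			fprintf(stderr, "System DBus filtering (dbus-system filter) is "
+				"required for dbus-system.talk rules\n");
+			exit(1);
+		}
+
+		if (!dbus_check_name(ptr + 17)) {
+			fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
+			exit(1);
+		}
+		return 1;
+	}
+	else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
+		if (arg_dbus_system == DBUS_POLICY_ALLOW) {
+			fprintf(stderr, "System DBus filtering (dbus-system filter) is "
+				"required for dbus-system.own rules\n");
+			exit(1);
+		}
+
+		if (!dbus_check_name(ptr + 16)) {
+			fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);
+			exit(1);
+		}
+		return 1;
+	}
 	else if (strcmp(ptr, "nou2f") == 0) {
 		arg_nou2f = 1;
 		return 0;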