author | 2020-02-28 20:59:15 +0100 | |
---|---|---|
committer | 2020-04-06 21:26:41 +0200 | |
commit | 31df60f61d2c286674d7a062797fba494d1fd47c (patch) | |
tree | 2f85182069cff035bf73aeff0338e8fa6643897f /src/firejail/profile.c | |
parent | Add xdg-dbus-proxy support (diff) | |
Add dbus filter options
The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and
--dbus-system.own control which names can be accessed and owned on the user and
system buses.
Diffstat (limited to 'src/firejail/profile.c')
-rw-r--r-- | src/firejail/profile.c | 68 |
1 files changed, 62 insertions, 6 deletions
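--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -438,9 +438,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strncmp("dbus-user ", ptr, 10) == 0) {
 ptr += 10;
-if (strcmp("allow", ptr) == 0) {
-arg_dbus_user = DBUS_POLICY_ALLOW;
-} else if (strcmp("filter", ptr) == 0) {
+if (strcmp("filter", ptr) == 0) {
+if (arg_dbus_user == DBUS_POLICY_BLOCK) {
+fprintf(stderr, "Error: Cannot relax dbus-user policy, it is already set to block\n");
+exit(1);
+}
 arg_dbus_user = DBUS_POLICY_FILTER;
 } else if (strcmp("none", ptr) == 0) {
 arg_dbus_user = DBUS_POLICY_BLOCK;
@@ -450,11 +452,39 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 return 0;
 }
+else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
+if (arg_dbus_user == DBUS_POLICY_ALLOW) {
+fprintf(stderr, "Session DBus filtering (dbus-user filter) is "
+"required for dbus-user.talk rules\n");
+exit(1);
+}
+
+if (!dbus_check_name(ptr + 15)) {
+printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
+exit(1);
+}
+return 1;
+}
+else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
+if (arg_dbus_user == DBUS_POLICY_ALLOW) {
+fprintf(stderr, "Session DBus filtering (dbus-user filter) is "
+"required for dbus-user.own rules\n");
+exit(1);
+}
+
+if (!dbus_check_name(ptr + 14)) {
+fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);
+exit(1);
+}
+return 1;
+}
 else if (strncmp("dbus-system ", ptr, 12) == 0) {
 ptr += 12;
-if (strcmp("allow", ptr) == 0) {
-arg_dbus_system = DBUS_POLICY_ALLOW;
-} else if (strcmp("filter", ptr) == 0) {
+if (strcmp("filter", ptr) == 0) {
+if (arg_dbus_system == DBUS_POLICY_BLOCK) {
+fprintf(stderr, "Error: Cannot relax dbus-system policy, it is already set to block\n");
+exit(1);
+}
 arg_dbus_system = DBUS_POLICY_FILTER;
 } else if (strcmp("none", ptr) == 0) {
 arg_dbus_system = DBUS_POLICY_BLOCK;
@@ -464,6 +494,32 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 return 0;
 }
+else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
+if (arg_dbus_system == DBUS_POLICY_ALLOW) {
+fprintf(stderr, "System DBus filtering (dbus-system filter) is "
+"required for dbus-system.talk rules\n");
+exit(1);
+}
+
+if (!dbus_check_name(ptr + 17)) {
+fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
+exit(1);
+}
+return 1;
+}
+else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
+if (arg_dbus_system == DBUS_POLICY_ALLOW) {
+fprintf(stderr, "System DBus filtering (dbus-system filter) is "
+"required for dbus-system.own rules\n");
+exit(1);
+}
+
+if (!dbus_check_name(ptr + 16)) {
+fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);
+exit(1);
+}
+return 1;
+}
 else if (strcmp(ptr, "nou2f") == 0) {
 arg_nou2f = 1;
 return 0;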