Add --dbus-user and --dbus-system options

Allow setting a separate policy for the user and system buses. For now, the filter policy is equivalent to the none (block) policy. Future commits will add more configuration options and filters.
author: Kristóf Marussy <kris7topher@gmail.com> 2020-02-23 22:57:17 +0100
committer: Kristóf Marussy <kris7topher@gmail.com> 2020-04-06 20:36:12 +0200
commit: 6fc8a559ded2cc8cf263288ef111d8876673e2fb (patch)
tree: ba607f654b20ab7036767441103c95a448e4f88c /src/firejail/profile.c
parent: Allow changing error action in seccomp filters (diff)
download: firejail-6fc8a559ded2cc8cf263288ef111d8876673e2fb.tar.gz
firejail-6fc8a559ded2cc8cf263288ef111d8876673e2fb.tar.zst
firejail-6fc8a559ded2cc8cf263288ef111d8876673e2fb.zip
1 files changed, 32 insertions, 3 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d709a7951..14533ce08 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -150,7 +150,7 @@ static int check_netoptions(void) {
 }
 static int check_nodbus(void) {
-        return arg_nodbus != 0;
+        return arg_dbus_user != DBUS_POLICY_ALLOW || arg_dbus_system != DBUS_POLICY_ALLOW;
 }
 static int check_nosound(void) {
@@ -432,11 +432,40 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        else if (strcmp(ptr, "nodbus") == 0) {
-                arg_nodbus = 1;
+                arg_dbus_user = DBUS_POLICY_BLOCK;
+                arg_dbus_system = DBUS_POLICY_BLOCK;
+                return 0;
+        }
+        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+                ptr += 10;
+                if (strcmp("allow", ptr) == 0) {
+                        arg_dbus_user = DBUS_POLICY_ALLOW;
+                } else if (strcmp("filter", ptr) == 0) {
+                        arg_dbus_user = DBUS_POLICY_FILTER;
+                } else if (strcmp("none", ptr) == 0) {
+                        arg_dbus_user = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
+                        exit(1);
+                }
+                return 0;
+        }
+        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+                ptr += 12;
+                if (strcmp("allow", ptr) == 0) {
+                        arg_dbus_system = DBUS_POLICY_ALLOW;
+                } else if (strcmp("filter", ptr) == 0) {
+                        arg_dbus_system = DBUS_POLICY_FILTER;
+                } else if (strcmp("none", ptr) == 0) {
+                        arg_dbus_system = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
+                        exit(1);
+                }
                return 0;
        }
        else if (strcmp(ptr, "nou2f") == 0) {
-                arg_nou2f = 1;
+                arg_nou2f = 1;
                return 0;
        }
        else if (strcmp(ptr, "netfilter") == 0) {
author	Kristóf Marussy <kris7topher@gmail.com>	2020-02-23 22:57:17 +0100
committer	Kristóf Marussy <kris7topher@gmail.com>	2020-04-06 20:36:12 +0200
commit	6fc8a559ded2cc8cf263288ef111d8876673e2fb (patch)
tree	ba607f654b20ab7036767441103c95a448e4f88c /src/firejail/profile.c
parent	Allow changing error action in seccomp filters (diff)
download	firejail-6fc8a559ded2cc8cf263288ef111d8876673e2fb.tar.gz firejail-6fc8a559ded2cc8cf263288ef111d8876673e2fb.tar.zst firejail-6fc8a559ded2cc8cf263288ef111d8876673e2fb.zip

diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d709a7951..14533ce08 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -150,7 +150,7 @@ static int check_netoptions(void) {
150	}	150	}
151		151
152	static int check_nodbus(void) {	152	static int check_nodbus(void) {
153	return arg_nodbus != 0;	153	return arg_dbus_user != DBUS_POLICY_ALLOW \|\| arg_dbus_system != DBUS_POLICY_ALLOW;
154	}	154	}
155		155
156	static int check_nosound(void) {	156	static int check_nosound(void) {
@@ -432,11 +432,40 @@ int profile_check_line(char ptr, int lineno, const char fname) {
432	return 0;	432	return 0;
433	}	433	}
434	else if (strcmp(ptr, "nodbus") == 0) {	434	else if (strcmp(ptr, "nodbus") == 0) {
435	arg_nodbus = 1;	435	arg_dbus_user = DBUS_POLICY_BLOCK;
		436	arg_dbus_system = DBUS_POLICY_BLOCK;
		437	return 0;
		438	}
		439	else if (strncmp("dbus-user ", ptr, 10) == 0) {
		440	ptr += 10;
		441	if (strcmp("allow", ptr) == 0) {
		442	arg_dbus_user = DBUS_POLICY_ALLOW;
		443	} else if (strcmp("filter", ptr) == 0) {
		444	arg_dbus_user = DBUS_POLICY_FILTER;
		445	} else if (strcmp("none", ptr) == 0) {
		446	arg_dbus_user = DBUS_POLICY_BLOCK;
		447	} else {
		448	fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
		449	exit(1);
		450	}
		451	return 0;
		452	}
		453	else if (strncmp("dbus-system ", ptr, 12) == 0) {
		454	ptr += 12;
		455	if (strcmp("allow", ptr) == 0) {
		456	arg_dbus_system = DBUS_POLICY_ALLOW;
		457	} else if (strcmp("filter", ptr) == 0) {
		458	arg_dbus_system = DBUS_POLICY_FILTER;
		459	} else if (strcmp("none", ptr) == 0) {
		460	arg_dbus_system = DBUS_POLICY_BLOCK;
		461	} else {
		462	fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
		463	exit(1);
		464	}
436	return 0;	465	return 0;
437	}	466	}
438	else if (strcmp(ptr, "nou2f") == 0) {	467	else if (strcmp(ptr, "nou2f") == 0) {
439	arg_nou2f = 1;	468	arg_nou2f = 1;
440	return 0;	469	return 0;
441	}	470	}
442	else if (strcmp(ptr, "netfilter") == 0) {	471	else if (strcmp(ptr, "netfilter") == 0) {