Add xdg-dbus-proxy support

* The proxy is forked off outside the sandbox namespace to protect the fds of the original buses from the sandboxed process. * The /run/firejail/dbus directory (with the sticky bit set) holds the proxy sockets. The sockets are <parent pid>-user and <parent pid>-system for the user and system buses, respectively. Each socket is owned by the sandbox user. * The sockets are bind-mounted over their expected locations and the /run/firejail/dbus directory is subsequently hidden from the sandbox. * Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets are cleaned up. * Filter rules will be added in a future commit.
author: Kristóf Marussy <kris7topher@gmail.com> 2020-02-27 19:55:52 +0100
committer: Kristóf Marussy <kris7topher@gmail.com> 2020-04-06 21:26:41 +0200
commit: 0afb43a5607574fa946fdfd65f3a4cfa25cfa018 (patch)
tree: a09eb41b57cbecfccf6e284817d0043f0bbe0ab4 /src/include
parent: Add sbox_exec_v and SBOX_KEEP_FDS (diff)
download: firejail-0afb43a5607574fa946fdfd65f3a4cfa25cfa018.tar.gz
firejail-0afb43a5607574fa946fdfd65f3a4cfa25cfa018.tar.zst
firejail-0afb43a5607574fa946fdfd65f3a4cfa25cfa018.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 32f5ff12c..528d9e901 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -30,6 +30,7 @@
 #define RUN_FIREJAIL_NETWORK_DIR        RUN_FIREJAIL_DIR "/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR      RUN_FIREJAIL_DIR "/bandwidth"
 #define RUN_FIREJAIL_PROFILE_DIR        RUN_FIREJAIL_DIR "/profile"
+#define RUN_FIREJAIL_DBUS_DIR RUN_FIREJAIL_DIR "/dbus"
 #define RUN_NETWORK_LOCK_FILE           RUN_FIREJAIL_DIR "/firejail-network.lock"
 #define RUN_DIRECTORY_LOCK_FILE         RUN_FIREJAIL_DIR "/firejail-run.lock"
 #define RUN_RO_DIR                      RUN_FIREJAIL_DIR "/firejail.ro.dir"
author	Kristóf Marussy <kris7topher@gmail.com>	2020-02-27 19:55:52 +0100
committer	Kristóf Marussy <kris7topher@gmail.com>	2020-04-06 21:26:41 +0200
commit	0afb43a5607574fa946fdfd65f3a4cfa25cfa018 (patch)
tree	a09eb41b57cbecfccf6e284817d0043f0bbe0ab4 /src/include
parent	Add sbox_exec_v and SBOX_KEEP_FDS (diff)
download	firejail-0afb43a5607574fa946fdfd65f3a4cfa25cfa018.tar.gz firejail-0afb43a5607574fa946fdfd65f3a4cfa25cfa018.tar.zst firejail-0afb43a5607574fa946fdfd65f3a4cfa25cfa018.zip

diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 32f5ff12c..528d9e901 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h
@@ -30,6 +30,7 @@
30	#define RUN_FIREJAIL_NETWORK_DIR RUN_FIREJAIL_DIR "/network"	30	#define RUN_FIREJAIL_NETWORK_DIR RUN_FIREJAIL_DIR "/network"
31	#define RUN_FIREJAIL_BANDWIDTH_DIR RUN_FIREJAIL_DIR "/bandwidth"	31	#define RUN_FIREJAIL_BANDWIDTH_DIR RUN_FIREJAIL_DIR "/bandwidth"
32	#define RUN_FIREJAIL_PROFILE_DIR RUN_FIREJAIL_DIR "/profile"	32	#define RUN_FIREJAIL_PROFILE_DIR RUN_FIREJAIL_DIR "/profile"
		33	#define RUN_FIREJAIL_DBUS_DIR RUN_FIREJAIL_DIR "/dbus"
33	#define RUN_NETWORK_LOCK_FILE RUN_FIREJAIL_DIR "/firejail-network.lock"	34	#define RUN_NETWORK_LOCK_FILE RUN_FIREJAIL_DIR "/firejail-network.lock"
34	#define RUN_DIRECTORY_LOCK_FILE RUN_FIREJAIL_DIR "/firejail-run.lock"	35	#define RUN_DIRECTORY_LOCK_FILE RUN_FIREJAIL_DIR "/firejail-run.lock"
35	#define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir"	36	#define RUN_RO_DIR RUN_FIREJAIL_DIR "/firejail.ro.dir"