author | 2020-02-23 22:57:17 +0100 | |
---|---|---|
committer | 2020-04-06 20:36:12 +0200 | |
commit | 6fc8a559ded2cc8cf263288ef111d8876673e2fb (patch) | |
tree | ba607f654b20ab7036767441103c95a448e4f88c /src | |
parent | Allow changing error action in seccomp filters (diff) | |
Add --dbus-user and --dbus-system options
Allow setting a separate policy for the user and system buses.
For now, the filter policy is equivalent to the none (block) policy.
Future commits will add more configuration options and filters.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/dbus.c | 25 | ||||
-rw-r--r-- | src/firejail/firejail.h | 11 | ||||
-rw-r--r-- | src/firejail/main.c | 33 | ||||
-rw-r--r-- | src/firejail/profile.c | 35 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 |
5 files changed, 90 insertions, 17 deletions
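--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,12 +19,7 @@
 */
 #include "firejail.h"
 
-void dbus_disable(void) {
-if (!checkcfg(CFG_DBUS)) {
-fwarning("D-Bus handling is disabled in Firejail configuration file\n");
-return;
-}
-
+static void dbus_block_user(void) {
 char *path;
 if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
 errExit("asprintf");
@@ -43,16 +38,32 @@ void dbus_disable(void) {
 free(path);
 free(env_var);
 
-
 // blacklist the dbus-launch user directory
 if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
 errExit("asprintf");
 disable_file_or_dir(path);
 free(path);
+}
 
+static void dbus_block_system() {
 // blacklist also system D-Bus socket
 disable_file_or_dir("/run/dbus/system_bus_socket");
+}
+
+void dbus_apply_policy(void) {
+if (arg_dbus_user == DBUS_POLICY_ALLOW && arg_dbus_system == DBUS_POLICY_ALLOW)
+return;
+
+if (!checkcfg(CFG_DBUS)) {
+fwarning("D-Bus handling is disabled in Firejail configuration file\n");
+return;
+}
+
+if (arg_dbus_user != DBUS_POLICY_ALLOW)
+dbus_block_user();
 
+if (arg_dbus_system != DBUS_POLICY_ALLOW)
+dbus_block_system();
 
 // look for a possible abstract unix socket
 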
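Review bot: In `dbus_apply_policy` the `!checkcfg(CFG_DBUS)` branch returns after a warning, so when a `none` or `filter` policy was requested neither `dbus_block_user()` nor `dbus_block_system()` runs and the sandbox still starts; the message does not tell the user that the requested policy was dropped. The check is carried over from `dbus_disable`, but with per-bus policies the outcome should be stated, e.g. `fwarning("D-Bus handling is disabled in Firejail configuration file, requested D-Bus policy is not applied\n");`, or this path should be reviewed for failing closed instead. Separately, `static void dbus_block_system() {` should read `static void dbus_block_system(void) {` to match `dbus_block_user(void)`. The body of `dbus_apply_policy` continues past the end of the hunk.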
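--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -340,9 +340,16 @@ extern int arg_memory_deny_write_execute; // block writable and executable memor
 extern int arg_notv; // --notv
 extern int arg_nodvd; // --nodvd
 extern int arg_nou2f; // --nou2f
-extern int arg_nodbus; // -nodbus
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 
+typedef enum {
+DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
+DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy
+DBUS_POLICY_BLOCK // Block access
+} DbusPolicy;
+extern DbusPolicy arg_dbus_user; // --dbus-user
+extern DbusPolicy arg_dbus_system; // --dbus-system
+
 extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -836,7 +843,7 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 
 // dbus.c
-void dbus_disable(void);
+void dbus_apply_policy(void);
 
 // dhcp.c
 extern pid_t dhclient4_pid;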
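Review bot: The comment on `DBUS_POLICY_FILTER` promises filtering with xdg-dbus-proxy, but in this commit every value other than `DBUS_POLICY_ALLOW` is handled as a block (the commit message says so), so the header misdescribes what `filter` does today. I would write `DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy (not implemented yet, currently treated as block)`. A one-line comment that `DBUS_POLICY_ALLOW` is the first enumerator, so a zero-initialized `DbusPolicy` means unrestricted access, would also help anyone adding a new policy value later.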
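--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -144,9 +144,10 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
 int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
-int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
+DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
+DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 int login_shell = 0;
 
 //**********************************************************************************
@@ -2053,8 +2054,34 @@ int main(int argc, char **argv, char **envp) {
 arg_nodvd = 1;
 else if (strcmp(argv[i], "--nou2f") == 0)
 arg_nou2f = 1;
-else if (strcmp(argv[i], "--nodbus") == 0)
-arg_nodbus = 1;
+else if (strcmp(argv[i], "--nodbus") == 0) {
+arg_dbus_user = DBUS_POLICY_BLOCK;
+arg_dbus_system = DBUS_POLICY_BLOCK;
+}
+else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
+if (strcmp("allow", argv[i] + 12) == 0) {
+arg_dbus_user = DBUS_POLICY_ALLOW;
+} else if (strcmp("filter", argv[i] + 12) == 0) {
+arg_dbus_user = DBUS_POLICY_FILTER;
+} else if (strcmp("none", argv[i] + 12) == 0) {
+arg_dbus_user = DBUS_POLICY_BLOCK;
+} else {
+fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12);
+exit(1);
+}
+}
+else if (strncmp("--dbus-system=", argv[i], 14) == 0) {
+if (strcmp("allow", argv[i] + 14) == 0) {
+arg_dbus_system = DBUS_POLICY_ALLOW;
+} else if (strcmp("filter", argv[i] + 14) == 0) {
+arg_dbus_system = DBUS_POLICY_FILTER;
+} else if (strcmp("none", argv[i] + 14) == 0) {
+arg_dbus_system = DBUS_POLICY_BLOCK;
+} else {
+fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14);
+exit(1);
+}
+}
 
 //*************************************
 // network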
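Review bot: Every branch in the second hunk assigns its policy unconditionally, so whichever option is parsed last wins: assuming arguments are handled in order, `--nodbus --dbus-user=allow` ends with `arg_dbus_user == DBUS_POLICY_ALLOW` and the user bus is not blocked. The `nodbus`, `dbus-user` and `dbus-system` branches in the profile.c hunk write the same globals the same way, so a profile line and a command-line option can also override each other; which one runs last is not visible here. If that precedence is intended, document it next to the parsing, e.g. `// last option wins: a later --dbus-user=allow overrides an earlier --nodbus`, and in the man page; if `--nodbus` is meant to be a hard block, the later assignments need a guard. `main()` starts and ends outside both hunks.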
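--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -150,7 +150,7 @@ static int check_netoptions(void) {
 }
 
 static int check_nodbus(void) {
-return arg_nodbus != 0;
+return arg_dbus_user != DBUS_POLICY_ALLOW || arg_dbus_system != DBUS_POLICY_ALLOW;
 }
 
 static int check_nosound(void) {
@@ -432,11 +432,40 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "nodbus") == 0) {
-arg_nodbus = 1;
+arg_dbus_user = DBUS_POLICY_BLOCK;
+arg_dbus_system = DBUS_POLICY_BLOCK;
+return 0;
+}
+else if (strncmp("dbus-user ", ptr, 10) == 0) {
+ptr += 10;
+if (strcmp("allow", ptr) == 0) {
+arg_dbus_user = DBUS_POLICY_ALLOW;
+} else if (strcmp("filter", ptr) == 0) {
+arg_dbus_user = DBUS_POLICY_FILTER;
+} else if (strcmp("none", ptr) == 0) {
+arg_dbus_user = DBUS_POLICY_BLOCK;
+} else {
+fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
+exit(1);
+}
+return 0;
+}
+else if (strncmp("dbus-system ", ptr, 12) == 0) {
+ptr += 12;
+if (strcmp("allow", ptr) == 0) {
+arg_dbus_system = DBUS_POLICY_ALLOW;
+} else if (strcmp("filter", ptr) == 0) {
+arg_dbus_system = DBUS_POLICY_FILTER;
+} else if (strcmp("none", ptr) == 0) {
+arg_dbus_system = DBUS_POLICY_BLOCK;
+} else {
+fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
+exit(1);
+}
 return 0;
 }
 else if (strcmp(ptr, "nou2f") == 0) {
 arg_nou2f = 1;
 return 0;
 }
 else if (strcmp(ptr, "netfilter") == 0) {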
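Review bot: The `allow` / `filter` / `none` mapping in the second hunk is written out twice here and twice more in the main.c hunk, so the keyword-to-policy table for a security option now lives in four places that can drift apart when a value is added or renamed. A single helper that maps the string to a `DbusPolicy` and reports an unknown value would keep the command line and the profile syntax in step; the callers keep their own error message and `exit(1)`. The helper name below is only a suggestion, and `profile_check_line` starts and ends outside the hunk.

```c
// shared helper, e.g. defined in dbus.c and declared in firejail.h
int dbus_parse_policy(const char *str, DbusPolicy *policy) {
	if (strcmp("allow", str) == 0)
		*policy = DBUS_POLICY_ALLOW;
	else if (strcmp("filter", str) == 0)
		*policy = DBUS_POLICY_FILTER;
	else if (strcmp("none", str) == 0)
		*policy = DBUS_POLICY_BLOCK;
	else
		return -1;	// unknown keyword, caller reports and exits
	return 0;
}

// … unchanged: "nodbus" branch …
	else if (strncmp("dbus-user ", ptr, 10) == 0) {
		if (dbus_parse_policy(ptr + 10, &arg_dbus_user) != 0) {
			fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr + 10);
			exit(1);
		}
		return 0;
	}
// … "dbus-system " branch rewritten the same way …
```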
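--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -932,8 +932,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // Session D-BUS
 //****************************
-if (arg_nodbus)
-dbus_disable();
+dbus_apply_policy();
 
 
 //****************************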
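Review bot: The banner above the call still reads `// Session D-BUS`, but `dbus_apply_policy()` now decides the system bus as well as the user bus, so the heading no longer matches what the step does. `// D-Bus (session and system bus)` would describe it. `sandbox()` starts and ends outside this hunk.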