authorLibravatar Kristóf Marussy <kris7topher@gmail.com>2020-02-23 22:57:17 +0100
committerLibravatar Kristóf Marussy <kris7topher@gmail.com>2020-04-06 20:36:12 +0200
commit6fc8a559ded2cc8cf263288ef111d8876673e2fb (patch)
treeba607f654b20ab7036767441103c95a448e4f88c /src
parentAllow changing error action in seccomp filters (diff)
Add --dbus-user and --dbus-system options
Allow setting a separate policy for the user and system buses. For now, the filter policy is equivalent to the none (block) policy. Future commits will add more configuration options and filters.
Diffstat (limited to 'src')
-rw-r--r--src/firejail/dbus.c25
-rw-r--r--src/firejail/firejail.h11
-rw-r--r--src/firejail/main.c33
-rw-r--r--src/firejail/profile.c35
-rw-r--r--src/firejail/sandbox.c3
5 files changed, 90 insertions, 17 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 7acbd338c..241b8fc44 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,12 +19,7 @@
19*/ 19*/
20#include "firejail.h" 20#include "firejail.h"
21 21
22void dbus_disable(void) { 22static void dbus_block_user(void) {
23 if (!checkcfg(CFG_DBUS)) {
24 fwarning("D-Bus handling is disabled in Firejail configuration file\n");
25 return;
26 }
27
28 char *path; 23 char *path;
29 if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1) 24 if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
30 errExit("asprintf"); 25 errExit("asprintf");
@@ -43,16 +38,32 @@ void dbus_disable(void) {
43 free(path); 38 free(path);
44 free(env_var); 39 free(env_var);
45 40
46
47 // blacklist the dbus-launch user directory 41 // blacklist the dbus-launch user directory
48 if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1) 42 if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
49 errExit("asprintf"); 43 errExit("asprintf");
50 disable_file_or_dir(path); 44 disable_file_or_dir(path);
51 free(path); 45 free(path);
46}
52 47
48static void dbus_block_system() {
53 // blacklist also system D-Bus socket 49 // blacklist also system D-Bus socket
54 disable_file_or_dir("/run/dbus/system_bus_socket"); 50 disable_file_or_dir("/run/dbus/system_bus_socket");
51}
52
53void dbus_apply_policy(void) {
54 if (arg_dbus_user == DBUS_POLICY_ALLOW && arg_dbus_system == DBUS_POLICY_ALLOW)
55 return;
56
57 if (!checkcfg(CFG_DBUS)) {
58 fwarning("D-Bus handling is disabled in Firejail configuration file\n");
59 return;
60 }
61
62 if (arg_dbus_user != DBUS_POLICY_ALLOW)
63 dbus_block_user();
55 64
65 if (arg_dbus_system != DBUS_POLICY_ALLOW)
66 dbus_block_system();
56 67
57 // look for a possible abstract unix socket 68 // look for a possible abstract unix socket
58 69
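Review bot: `dbus_apply_policy` fails open at new lines 57-60: when `checkcfg(CFG_DBUS)` is false it prints a warning and returns, so a sandbox started with `--nodbus` or `--dbus-user=none` keeps access to both bus sockets. The removed `dbus_disable` behaved the same way, but the message should at least say that the requested policy is not enforced, e.g. `fwarning("D-Bus handling is disabled in Firejail configuration file, the requested D-Bus policy is not applied\n");`. Separately, `static void dbus_block_system()` should be declared with `(void)` like `dbus_block_user(void)`, since an empty parameter list is an unprototyped declaration in C. The body of `dbus_apply_policy` continues past the end of this hunk.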
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1cb8b2d22..ea4012335 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -340,9 +340,16 @@ extern int arg_memory_deny_write_execute; // block writable and executable memor
340extern int arg_notv; // --notv 340extern int arg_notv; // --notv
341extern int arg_nodvd; // --nodvd 341extern int arg_nodvd; // --nodvd
342extern int arg_nou2f; // --nou2f 342extern int arg_nou2f; // --nou2f
343extern int arg_nodbus; // -nodbus
344extern int arg_deterministic_exit_code; // always exit with first child's exit status 343extern int arg_deterministic_exit_code; // always exit with first child's exit status
345 344
345typedef enum {
346 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
347 DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy
348 DBUS_POLICY_BLOCK // Block access
349} DbusPolicy;
350extern DbusPolicy arg_dbus_user; // --dbus-user
351extern DbusPolicy arg_dbus_system; // --dbus-system
352
346extern int login_shell; 353extern int login_shell;
347extern int parent_to_child_fds[2]; 354extern int parent_to_child_fds[2];
348extern int child_to_parent_fds[2]; 355extern int child_to_parent_fds[2];
@@ -836,7 +843,7 @@ void set_x11_run_file(pid_t pid, int display);
836void set_profile_run_file(pid_t pid, const char *fname); 843void set_profile_run_file(pid_t pid, const char *fname);
837 844
838// dbus.c 845// dbus.c
839void dbus_disable(void); 846void dbus_apply_policy(void);
840 847
841// dhcp.c 848// dhcp.c
842extern pid_t dhclient4_pid; 849extern pid_t dhclient4_pid;
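Review bot: The comment on `DBUS_POLICY_FILTER` (`// Filter with xdg-dbus-proxy`) describes behaviour this commit does not implement. Per the commit message and the `!= DBUS_POLICY_ALLOW` tests in dbus.c, `filter` currently blocks the bus outright. I would say so at the declaration: `DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy (not implemented yet, currently handled like DBUS_POLICY_BLOCK)`. If any code is going to compare these values, a one-line comment above the enum stating that they are ordered from least to most restrictive would keep a later reordering from changing behaviour.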
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d01725c95..fd2c6cb62 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -144,9 +144,10 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
144int arg_memory_deny_write_execute = 0; // block writable and executable memory 144int arg_memory_deny_write_execute = 0; // block writable and executable memory
145int arg_notv = 0; // --notv 145int arg_notv = 0; // --notv
146int arg_nodvd = 0; // --nodvd 146int arg_nodvd = 0; // --nodvd
147int arg_nodbus = 0; // -nodbus
148int arg_nou2f = 0; // --nou2f 147int arg_nou2f = 0; // --nou2f
149int arg_deterministic_exit_code = 0; // always exit with first child's exit status 148int arg_deterministic_exit_code = 0; // always exit with first child's exit status
149DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
150DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
150int login_shell = 0; 151int login_shell = 0;
151 152
152//********************************************************************************** 153//**********************************************************************************
@@ -2053,8 +2054,34 @@ int main(int argc, char **argv, char **envp) {
2053 arg_nodvd = 1; 2054 arg_nodvd = 1;
2054 else if (strcmp(argv[i], "--nou2f") == 0) 2055 else if (strcmp(argv[i], "--nou2f") == 0)
2055 arg_nou2f = 1; 2056 arg_nou2f = 1;
2056 else if (strcmp(argv[i], "--nodbus") == 0) 2057 else if (strcmp(argv[i], "--nodbus") == 0) {
2057 arg_nodbus = 1; 2058 arg_dbus_user = DBUS_POLICY_BLOCK;
2059 arg_dbus_system = DBUS_POLICY_BLOCK;
2060 }
2061 else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
2062 if (strcmp("allow", argv[i] + 12) == 0) {
2063 arg_dbus_user = DBUS_POLICY_ALLOW;
2064 } else if (strcmp("filter", argv[i] + 12) == 0) {
2065 arg_dbus_user = DBUS_POLICY_FILTER;
2066 } else if (strcmp("none", argv[i] + 12) == 0) {
2067 arg_dbus_user = DBUS_POLICY_BLOCK;
2068 } else {
2069 fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12);
2070 exit(1);
2071 }
2072 }
2073 else if (strncmp("--dbus-system=", argv[i], 14) == 0) {
2074 if (strcmp("allow", argv[i] + 14) == 0) {
2075 arg_dbus_system = DBUS_POLICY_ALLOW;
2076 } else if (strcmp("filter", argv[i] + 14) == 0) {
2077 arg_dbus_system = DBUS_POLICY_FILTER;
2078 } else if (strcmp("none", argv[i] + 14) == 0) {
2079 arg_dbus_system = DBUS_POLICY_BLOCK;
2080 } else {
2081 fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14);
2082 exit(1);
2083 }
2084 }
2058 2085
2059 //************************************* 2086 //*************************************
2060 // network 2087 // network
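Review bot: The `allow` and `filter` branches at new lines 2062-2065 and 2074-2077 assign unconditionally, so the D-Bus setting can now be loosened after it was tightened: `--nodbus --dbus-user=allow` ends with the session bus reachable, whereas the removed `arg_nodbus` flag could only be set, never cleared. The same unconditional assignments are in the `dbus-user` and `dbus-system` branches of `profile_check_line` in profile.c, where it matters more: if a profile line is processed after the command line (the order is not visible in this diff), `dbus-user allow` in a profile silently overrides `--nodbus`. Consider letting an option only raise the restriction level, e.g. `if (arg_dbus_user < DBUS_POLICY_FILTER) arg_dbus_user = DBUS_POLICY_FILTER;` for `filter` and no assignment for `allow`, relying on the ALLOW, FILTER, BLOCK order of the enum. The enclosing `main` starts and ends outside this hunk.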
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d709a7951..14533ce08 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -150,7 +150,7 @@ static int check_netoptions(void) {
150} 150}
151 151
152static int check_nodbus(void) { 152static int check_nodbus(void) {
153 return arg_nodbus != 0; 153 return arg_dbus_user != DBUS_POLICY_ALLOW || arg_dbus_system != DBUS_POLICY_ALLOW;
154} 154}
155 155
156static int check_nosound(void) { 156static int check_nosound(void) {
@@ -432,11 +432,40 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
432 return 0; 432 return 0;
433 } 433 }
434 else if (strcmp(ptr, "nodbus") == 0) { 434 else if (strcmp(ptr, "nodbus") == 0) {
435 arg_nodbus = 1; 435 arg_dbus_user = DBUS_POLICY_BLOCK;
436 arg_dbus_system = DBUS_POLICY_BLOCK;
437 return 0;
438 }
439 else if (strncmp("dbus-user ", ptr, 10) == 0) {
440 ptr += 10;
441 if (strcmp("allow", ptr) == 0) {
442 arg_dbus_user = DBUS_POLICY_ALLOW;
443 } else if (strcmp("filter", ptr) == 0) {
444 arg_dbus_user = DBUS_POLICY_FILTER;
445 } else if (strcmp("none", ptr) == 0) {
446 arg_dbus_user = DBUS_POLICY_BLOCK;
447 } else {
448 fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
449 exit(1);
450 }
451 return 0;
452 }
453 else if (strncmp("dbus-system ", ptr, 12) == 0) {
454 ptr += 12;
455 if (strcmp("allow", ptr) == 0) {
456 arg_dbus_system = DBUS_POLICY_ALLOW;
457 } else if (strcmp("filter", ptr) == 0) {
458 arg_dbus_system = DBUS_POLICY_FILTER;
459 } else if (strcmp("none", ptr) == 0) {
460 arg_dbus_system = DBUS_POLICY_BLOCK;
461 } else {
462 fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
463 exit(1);
464 }
436 return 0; 465 return 0;
437 } 466 }
438 else if (strcmp(ptr, "nou2f") == 0) { 467 else if (strcmp(ptr, "nou2f") == 0) {
439 arg_nou2f = 1; 468 arg_nou2f = 1;
440 return 0; 469 return 0;
441 } 470 }
442 else if (strcmp(ptr, "netfilter") == 0) { 471 else if (strcmp(ptr, "netfilter") == 0) {
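Review bot: The allow/filter/none chain is now written out four times (twice here at new lines 439-466, twice in main.c) with hand-counted prefix lengths 10, 12 and 14, so the accepted keywords and the error text can drift apart the next time a policy is added. A single helper that maps the value string to a `DbusPolicy` and exits on an unknown value would keep the command line and the profile parser in agreement; a sketch follows. `profile_check_line` starts and ends outside this hunk.

```c
// dbus.c (prototype goes next to dbus_apply_policy in firejail.h)
DbusPolicy dbus_parse_policy(const char *option, const char *value) {
	if (strcmp("allow", value) == 0)
		return DBUS_POLICY_ALLOW;
	if (strcmp("filter", value) == 0)
		return DBUS_POLICY_FILTER;
	if (strcmp("none", value) == 0)
		return DBUS_POLICY_BLOCK;
	fprintf(stderr, "Unknown %s policy: %s\n", option, value);
	exit(1);
}

// profile.c, inside profile_check_line()
// … unchanged: "nodbus" branch …
	else if (strncmp("dbus-user ", ptr, 10) == 0) {
		arg_dbus_user = dbus_parse_policy("dbus-user", ptr + 10);
		return 0;
	}
	else if (strncmp("dbus-system ", ptr, 12) == 0) {
		arg_dbus_system = dbus_parse_policy("dbus-system", ptr + 12);
		return 0;
	}
// … unchanged: "nou2f" branch and the rest of the chain …
```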
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e20ec603c..37d108750 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -932,8 +932,7 @@ int sandbox(void* sandbox_arg) {
932 //**************************** 932 //****************************
933 // Session D-BUS 933 // Session D-BUS
934 //**************************** 934 //****************************
935 if (arg_nodbus) 935 dbus_apply_policy();
936 dbus_disable();
937 936
938 937
939 //**************************** 938 //****************************