diff options
author | smitsohu <smitsohu@gmail.com> | 2020-07-18 14:51:59 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-07-18 14:51:59 +0200 |
commit | 72de7345179b18014e7003096055a005390d3b1c (patch) | |
tree | 11efb757b9b7371640f90b8411ff80e1567dee64 /src | |
parent | Merge pull request #3516 from smitsohu/busybox (diff) | |
download | firejail-72de7345179b18014e7003096055a005390d3b1c.tar.gz firejail-72de7345179b18014e7003096055a005390d3b1c.tar.zst firejail-72de7345179b18014e7003096055a005390d3b1c.zip |
integrate join(-or-start) with dbus options
update D-Bus environment variables during join, so that
a joining process is able to use D-Bus, too
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/dbus.c | 38 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/join.c | 7 |
3 files changed, 33 insertions, 14 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 18576612d..6609e48bd 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -444,6 +444,24 @@ static char *get_socket_env(const char *name) { | |||
444 | return NULL; | 444 | return NULL; |
445 | } | 445 | } |
446 | 446 | ||
447 | void dbus_set_session_bus_env(void) { | ||
448 | if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, | ||
449 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { | ||
450 | fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV | ||
451 | " required by --dbus-user\n"); | ||
452 | exit(1); | ||
453 | } | ||
454 | } | ||
455 | |||
456 | void dbus_set_system_bus_env(void) { | ||
457 | if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, | ||
458 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { | ||
459 | fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV | ||
460 | " required by --dbus-system\n"); | ||
461 | exit(1); | ||
462 | } | ||
463 | } | ||
464 | |||
447 | static void disable_socket_dir(void) { | 465 | static void disable_socket_dir(void) { |
448 | struct stat s; | 466 | struct stat s; |
449 | if (stat(RUN_FIREJAIL_DBUS_DIR, &s) == 0) | 467 | if (stat(RUN_FIREJAIL_DBUS_DIR, &s) == 0) |
@@ -465,10 +483,10 @@ void dbus_apply_policy(void) { | |||
465 | } | 483 | } |
466 | 484 | ||
467 | create_empty_dir_as_root(RUN_DBUS_DIR, 0755); | 485 | create_empty_dir_as_root(RUN_DBUS_DIR, 0755); |
468 | create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700); | ||
469 | create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700); | ||
470 | 486 | ||
471 | if (arg_dbus_user != DBUS_POLICY_ALLOW) { | 487 | if (arg_dbus_user != DBUS_POLICY_ALLOW) { |
488 | create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700); | ||
489 | |||
472 | if (arg_dbus_user == DBUS_POLICY_FILTER) { | 490 | if (arg_dbus_user == DBUS_POLICY_FILTER) { |
473 | assert(dbus_user_proxy_socket != NULL); | 491 | assert(dbus_user_proxy_socket != NULL); |
474 | socket_overlay(RUN_DBUS_USER_SOCKET, dbus_user_proxy_socket); | 492 | socket_overlay(RUN_DBUS_USER_SOCKET, dbus_user_proxy_socket); |
@@ -495,12 +513,7 @@ void dbus_apply_policy(void) { | |||
495 | free(dbus_user_socket); | 513 | free(dbus_user_socket); |
496 | free(dbus_user_socket2); | 514 | free(dbus_user_socket2); |
497 | 515 | ||
498 | if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, | 516 | dbus_set_session_bus_env(); |
499 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { | ||
500 | fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV | ||
501 | " required by --dbus-user\n"); | ||
502 | exit(1); | ||
503 | } | ||
504 | 517 | ||
505 | // blacklist the dbus-launch user directory | 518 | // blacklist the dbus-launch user directory |
506 | char *path; | 519 | char *path; |
@@ -511,6 +524,8 @@ void dbus_apply_policy(void) { | |||
511 | } | 524 | } |
512 | 525 | ||
513 | if (arg_dbus_system != DBUS_POLICY_ALLOW) { | 526 | if (arg_dbus_system != DBUS_POLICY_ALLOW) { |
527 | create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700); | ||
528 | |||
514 | if (arg_dbus_system == DBUS_POLICY_FILTER) { | 529 | if (arg_dbus_system == DBUS_POLICY_FILTER) { |
515 | assert(dbus_system_proxy_socket != NULL); | 530 | assert(dbus_system_proxy_socket != NULL); |
516 | socket_overlay(RUN_DBUS_SYSTEM_SOCKET, dbus_system_proxy_socket); | 531 | socket_overlay(RUN_DBUS_SYSTEM_SOCKET, dbus_system_proxy_socket); |
@@ -523,12 +538,7 @@ void dbus_apply_policy(void) { | |||
523 | if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) | 538 | if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) |
524 | disable_file_or_dir(system_env); | 539 | disable_file_or_dir(system_env); |
525 | 540 | ||
526 | if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, | 541 | dbus_set_system_bus_env(); |
527 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { | ||
528 | fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV | ||
529 | " required by --dbus-system\n"); | ||
530 | exit(1); | ||
531 | } | ||
532 | } | 542 | } |
533 | 543 | ||
534 | // Only disable access to /run/firejail/dbus here, when the sockets have been bind-mounted. | 544 | // Only disable access to /run/firejail/dbus here, when the sockets have been bind-mounted. |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1ef4887ea..54a1023ab 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -854,6 +854,8 @@ int dbus_check_call_rule(const char *name); | |||
854 | void dbus_check_profile(void); | 854 | void dbus_check_profile(void); |
855 | void dbus_proxy_start(void); | 855 | void dbus_proxy_start(void); |
856 | void dbus_proxy_stop(void); | 856 | void dbus_proxy_stop(void); |
857 | void dbus_set_session_bus_env(void); | ||
858 | void dbus_set_system_bus_env(void); | ||
857 | void dbus_apply_policy(void); | 859 | void dbus_apply_policy(void); |
858 | 860 | ||
859 | // dhcp.c | 861 | // dhcp.c |
diff --git a/src/firejail/join.c b/src/firejail/join.c index fa1f64333..4c8555f29 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -579,6 +579,13 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
579 | free(display_str); | 579 | free(display_str); |
580 | } | 580 | } |
581 | 581 | ||
582 | // set D-Bus environment variables | ||
583 | struct stat s; | ||
584 | if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) | ||
585 | dbus_set_session_bus_env(); | ||
586 | if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) | ||
587 | dbus_set_system_bus_env(); | ||
588 | |||
582 | start_application(0, NULL); | 589 | start_application(0, NULL); |
583 | 590 | ||
584 | // it will never get here!!! | 591 | // it will never get here!!! |