author | Kristóf Marussy <kristof@marussy.com> | 2020-05-06 14:05:35 +0200 |
committer | Kristóf Marussy <kristof@marussy.com> | 2020-05-07 01:56:40 +0200 |
commit | d50d1a90d6cb28c6f1757ed853adebb537ebbc59 (patch) | |
tree | 31a7fb87837a3d1a500b291f98c70b1b5ec27403 /src | |
parent | Add options for D-Bus logging (diff) | |
Update D-Bus audit
D-Bus audit is now more in line with D-Bus filtering settings:
* Checks both the DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS
environment variables.
* Also checks common paths for fallback sockets in /run.
* Will report GOOD when D-Bus filtering is enabled.
Diffstat (limited to 'src')
-rw-r--r-- | src/faudit/dbus.c | 57 |
1 files changed, 48 insertions, 9 deletions
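diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 8c26c5271..beaa5ac46 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -18,6 +18,8 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
+#include "../include/rundefs.h"
+#include <stdarg.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 
@@ -46,9 +48,10 @@ int check_unix(const char *sockfile) {
 return rv;
 }
 
-void dbus_test(void) {
+static char *test_dbus_env(char *env_var_name) {
 // check the session bus
-char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+char *str = getenv(env_var_name);
+char *found = NULL;
 if (str) {
 int rv = 0;
 char *bus = strdup(str);
@@ -74,19 +77,55 @@ void dbus_test(void) {
 if (ptr)
 *ptr = '\0';
 rv = check_unix(sockfile);
-if (rv == 0)
-printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+if (rv == 0) {
+if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 ||
+strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) {
+printf("GOOD: D-Bus filtering is active on %s\n", sockfile);
+} else {
+printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+}
+}
 else if (rv == -1)
 printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+found = strdup(sockfile);
+if (!found)
+errExit("strdup");
 }
 else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
-printf("UGLY: session bus configured for TCP communication.\n");
+printf("UGLY: %s bus configured for TCP communication.\n", env_var_name);
 else
-printf("GOOD: cannot find a D-Bus socket\n");
-
-
+printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name);
 free(bus);
 }
 else
-printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
+printf("MAYBE: %s environment variable not configured.\n", env_var_name);
+return found;
+}
+
+static void test_default_socket(const char *found, const char *format, ...) {
+va_list ap;
+va_start(ap, format);
+char *sockfile;
+if (vasprintf(&sockfile, format, ap) == -1)
+errExit("vasprintf");
+va_end(ap);
+if (found != NULL && strcmp(found, sockfile) == 0)
+goto end;
+int rv = check_unix(sockfile);
+if (rv == 0)
+printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+end:
+free(sockfile);
+}
+
+void dbus_test(void) {
+char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS");
+test_default_socket(found_user, "/run/user/%d/bus", (int) getuid());
+test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid());
+if (found_user != NULL)
+free(found_user);
+char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS");
+test_default_socket(found_system, "/run/dbus/system_bus_socket");
+if (found_system != NULL)
+free(found_system);
 }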
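Review bot: The comment `// check the session bus` kept at new line 52 of test_dbus_env is now stale, since dbus_test calls the same function for DBUS_SYSTEM_BUS_ADDRESS; replace it with `// resolve the bus address named by env_var_name and probe any unix: socket it points at`. test_dbus_env only reads its argument (getenv and printf), so the parameter should be `const char *env_var_name`, matching check_unix and test_default_socket. The GOOD verdict at new lines 81-83 rests solely on string equality between the parsed address and the RUN_DBUS_USER_SOCKET / RUN_DBUS_SYSTEM_SOCKET paths, which shows that the sandbox environment names the firejail socket location but says nothing about what is actually listening there; a one-line comment such as `// path match only: this does not verify that the filtering proxy is what answers on the socket` would keep later readers from treating it as proof of filtering. The guards `if (found_user != NULL) free(found_user);` and the found_system counterpart can be plain `free(found_user);` since free(NULL) is a no-op, and vasprintf is a GNU extension that presumably relies on a feature-test macro defined outside this hunk. test_dbus_env starts in the second hunk and its body continues through lines not shown between the second and third hunks.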