diff options
author | netblue30 <netblue30@yahoo.com> | 2020-09-09 08:30:24 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-09-09 08:30:24 -0400 |
commit | 833db940c6fe8b991906014a92cc5e23a98d1177 (patch) | |
tree | cee3fd2679fabd155a10449208dc1f86bde41ba3 /src | |
parent | profstats: track dbus-system none (diff) | |
download | firejail-833db940c6fe8b991906014a92cc5e23a98d1177.tar.gz firejail-833db940c6fe8b991906014a92cc5e23a98d1177.tar.zst firejail-833db940c6fe8b991906014a92cc5e23a98d1177.zip |
disable dbus proxy at compile time (default enabled) - part 1
Diffstat (limited to 'src')
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/dbus.c | 2 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 10 | ||||
-rw-r--r-- | src/firejail/profile.c | 26 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 |
7 files changed, 52 insertions, 2 deletions
diff --git a/src/common.mk.in b/src/common.mk.in index 22c25c6aa..52820848a 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -23,6 +23,7 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ | |||
23 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | 23 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ |
24 | HAVE_GCOV=@HAVE_GCOV@ | 24 | HAVE_GCOV=@HAVE_GCOV@ |
25 | HAVE_SELINUX=@HAVE_SELINUX@ | 25 | HAVE_SELINUX=@HAVE_SELINUX@ |
26 | HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ | ||
26 | 27 | ||
27 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 28 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
28 | C_FILE_LIST = $(sort $(wildcard *.c)) | 29 | C_FILE_LIST = $(sort $(wildcard *.c)) |
@@ -32,7 +33,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) | |||
32 | CFLAGS = @CFLAGS@ | 33 | CFLAGS = @CFLAGS@ |
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | 34 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
34 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' | 35 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' |
35 | MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) | 36 | MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) |
36 | CFLAGS += $(MANFLAGS) | 37 | CFLAGS += $(MANFLAGS) |
37 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 38 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
38 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 39 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fb19e8f5a..a0aa3138a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -295,6 +295,14 @@ void print_compiletime_support(void) { | |||
295 | #endif | 295 | #endif |
296 | ); | 296 | ); |
297 | 297 | ||
298 | printf("\t- D-BUS proxy support is %s\n", | ||
299 | #ifdef HAVE_DBUSPROXY | ||
300 | "enabled" | ||
301 | #else | ||
302 | "disabled" | ||
303 | #endif | ||
304 | ); | ||
305 | |||
298 | printf("\t- file and directory whitelisting support is %s\n", | 306 | printf("\t- file and directory whitelisting support is %s\n", |
299 | #ifdef HAVE_WHITELIST | 307 | #ifdef HAVE_WHITELIST |
300 | "enabled" | 308 | "enabled" |
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index f0ba10afc..3cf75ed84 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -17,6 +17,7 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #ifdef HAVE_DBUSPROXY | ||
20 | #include "firejail.h" | 21 | #include "firejail.h" |
21 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
@@ -560,3 +561,4 @@ void dbus_apply_policy(void) { | |||
560 | 561 | ||
561 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); | 562 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); |
562 | } | 563 | } |
564 | #endif // HAVE_DBUSPROXY \ No newline at end of file | ||
diff --git a/src/firejail/join.c b/src/firejail/join.c index 7fd5ec3d3..ca8b8c4bf 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -545,12 +545,14 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
545 | free(display_str); | 545 | free(display_str); |
546 | } | 546 | } |
547 | 547 | ||
548 | #ifdef HAVE_DBUSPROXY | ||
548 | // set D-Bus environment variables | 549 | // set D-Bus environment variables |
549 | struct stat s; | 550 | struct stat s; |
550 | if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) | 551 | if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) |
551 | dbus_set_session_bus_env(); | 552 | dbus_set_session_bus_env(); |
552 | if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) | 553 | if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) |
553 | dbus_set_system_bus_env(); | 554 | dbus_set_system_bus_env(); |
555 | #endif | ||
554 | 556 | ||
555 | start_application(0, NULL); | 557 | start_application(0, NULL); |
556 | 558 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 75324b66a..790b0731c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -175,7 +175,9 @@ static void myexit(int rv) { | |||
175 | 175 | ||
176 | 176 | ||
177 | // delete sandbox files in shared memory | 177 | // delete sandbox files in shared memory |
178 | #ifdef HAVE_DBUSPROXY | ||
178 | dbus_proxy_stop(); | 179 | dbus_proxy_stop(); |
180 | #endif | ||
179 | EUID_ROOT(); | 181 | EUID_ROOT(); |
180 | delete_run_files(sandbox_pid); | 182 | delete_run_files(sandbox_pid); |
181 | appimage_clear(); | 183 | appimage_clear(); |
@@ -2023,6 +2025,11 @@ int main(int argc, char **argv, char **envp) { | |||
2023 | arg_dbus_user = DBUS_POLICY_BLOCK; | 2025 | arg_dbus_user = DBUS_POLICY_BLOCK; |
2024 | arg_dbus_system = DBUS_POLICY_BLOCK; | 2026 | arg_dbus_system = DBUS_POLICY_BLOCK; |
2025 | } | 2027 | } |
2028 | |||
2029 | //************************************* | ||
2030 | // D-BUS proxy | ||
2031 | //************************************* | ||
2032 | #ifdef HAVE_DBUSPROXY | ||
2026 | else if (strncmp("--dbus-user=", argv[i], 12) == 0) { | 2033 | else if (strncmp("--dbus-user=", argv[i], 12) == 0) { |
2027 | if (strcmp("filter", argv[i] + 12) == 0) { | 2034 | if (strcmp("filter", argv[i] + 12) == 0) { |
2028 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { | 2035 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { |
@@ -2160,6 +2167,7 @@ int main(int argc, char **argv, char **envp) { | |||
2160 | } | 2167 | } |
2161 | arg_dbus_log_system = 1; | 2168 | arg_dbus_log_system = 1; |
2162 | } | 2169 | } |
2170 | #endif | ||
2163 | 2171 | ||
2164 | //************************************* | 2172 | //************************************* |
2165 | // network | 2173 | // network |
@@ -2844,6 +2852,7 @@ int main(int argc, char **argv, char **envp) { | |||
2844 | } | 2852 | } |
2845 | EUID_USER(); | 2853 | EUID_USER(); |
2846 | 2854 | ||
2855 | #ifdef HAVE_DBUSPROXY | ||
2847 | if (checkcfg(CFG_DBUS)) { | 2856 | if (checkcfg(CFG_DBUS)) { |
2848 | dbus_check_profile(); | 2857 | dbus_check_profile(); |
2849 | if (arg_dbus_user == DBUS_POLICY_FILTER || | 2858 | if (arg_dbus_user == DBUS_POLICY_FILTER || |
@@ -2853,6 +2862,7 @@ int main(int argc, char **argv, char **envp) { | |||
2853 | EUID_USER(); | 2862 | EUID_USER(); |
2854 | } | 2863 | } |
2855 | } | 2864 | } |
2865 | #endif | ||
2856 | 2866 | ||
2857 | // clone environment | 2867 | // clone environment |
2858 | int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; | 2868 | int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8eaae9a30..f6ef934db 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -430,11 +430,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
430 | return 0; | 430 | return 0; |
431 | } | 431 | } |
432 | else if (strcmp(ptr, "nodbus") == 0) { | 432 | else if (strcmp(ptr, "nodbus") == 0) { |
433 | #ifdef HAVE_DBUSPROXY | ||
433 | arg_dbus_user = DBUS_POLICY_BLOCK; | 434 | arg_dbus_user = DBUS_POLICY_BLOCK; |
434 | arg_dbus_system = DBUS_POLICY_BLOCK; | 435 | arg_dbus_system = DBUS_POLICY_BLOCK; |
436 | #endif | ||
435 | return 0; | 437 | return 0; |
436 | } | 438 | } |
437 | else if (strncmp("dbus-user ", ptr, 10) == 0) { | 439 | else if (strncmp("dbus-user ", ptr, 10) == 0) { |
440 | #ifdef HAVE_DBUSPROXY | ||
438 | ptr += 10; | 441 | ptr += 10; |
439 | if (strcmp("filter", ptr) == 0) { | 442 | if (strcmp("filter", ptr) == 0) { |
440 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { | 443 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { |
@@ -452,44 +455,56 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
452 | fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); | 455 | fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); |
453 | exit(1); | 456 | exit(1); |
454 | } | 457 | } |
458 | #endif | ||
455 | return 0; | 459 | return 0; |
456 | } | 460 | } |
457 | else if (strncmp(ptr, "dbus-user.see ", 14) == 0) { | 461 | else if (strncmp(ptr, "dbus-user.see ", 14) == 0) { |
462 | #ifdef HAVE_DBUSPROXY | ||
458 | if (!dbus_check_name(ptr + 14)) { | 463 | if (!dbus_check_name(ptr + 14)) { |
459 | printf("Invalid dbus-user.see name: %s\n", ptr + 15); | 464 | printf("Invalid dbus-user.see name: %s\n", ptr + 15); |
460 | exit(1); | 465 | exit(1); |
461 | } | 466 | } |
467 | #endif | ||
462 | return 1; | 468 | return 1; |
463 | } | 469 | } |
464 | else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) { | 470 | else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) { |
471 | #ifdef HAVE_DBUSPROXY | ||
465 | if (!dbus_check_name(ptr + 15)) { | 472 | if (!dbus_check_name(ptr + 15)) { |
466 | printf("Invalid dbus-user.talk name: %s\n", ptr + 15); | 473 | printf("Invalid dbus-user.talk name: %s\n", ptr + 15); |
467 | exit(1); | 474 | exit(1); |
468 | } | 475 | } |
476 | #endif | ||
469 | return 1; | 477 | return 1; |
470 | } | 478 | } |
471 | else if (strncmp(ptr, "dbus-user.own ", 14) == 0) { | 479 | else if (strncmp(ptr, "dbus-user.own ", 14) == 0) { |
480 | #ifdef HAVE_DBUSPROXY | ||
472 | if (!dbus_check_name(ptr + 14)) { | 481 | if (!dbus_check_name(ptr + 14)) { |
473 | fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14); | 482 | fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14); |
474 | exit(1); | 483 | exit(1); |
475 | } | 484 | } |
485 | #endif | ||
476 | return 1; | 486 | return 1; |
477 | } | 487 | } |
478 | else if (strncmp(ptr, "dbus-user.call ", 15) == 0) { | 488 | else if (strncmp(ptr, "dbus-user.call ", 15) == 0) { |
489 | #ifdef HAVE_DBUSPROXY | ||
479 | if (!dbus_check_call_rule(ptr + 15)) { | 490 | if (!dbus_check_call_rule(ptr + 15)) { |
480 | fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15); | 491 | fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15); |
481 | exit(1); | 492 | exit(1); |
482 | } | 493 | } |
494 | #endif | ||
483 | return 1; | 495 | return 1; |
484 | } | 496 | } |
485 | else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) { | 497 | else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) { |
498 | #ifdef HAVE_DBUSPROXY | ||
486 | if (!dbus_check_call_rule(ptr + 20)) { | 499 | if (!dbus_check_call_rule(ptr + 20)) { |
487 | fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20); | 500 | fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20); |
488 | exit(1); | 501 | exit(1); |
489 | } | 502 | } |
503 | #endif | ||
490 | return 1; | 504 | return 1; |
491 | } | 505 | } |
492 | else if (strncmp("dbus-system ", ptr, 12) == 0) { | 506 | else if (strncmp("dbus-system ", ptr, 12) == 0) { |
507 | #ifdef HAVE_DBUSPROXY | ||
493 | ptr += 12; | 508 | ptr += 12; |
494 | if (strcmp("filter", ptr) == 0) { | 509 | if (strcmp("filter", ptr) == 0) { |
495 | if (arg_dbus_system == DBUS_POLICY_BLOCK) { | 510 | if (arg_dbus_system == DBUS_POLICY_BLOCK) { |
@@ -507,41 +522,52 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
507 | fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); | 522 | fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); |
508 | exit(1); | 523 | exit(1); |
509 | } | 524 | } |
525 | #endif | ||
510 | return 0; | 526 | return 0; |
511 | } | 527 | } |
512 | else if (strncmp(ptr, "dbus-system.see ", 16) == 0) { | 528 | else if (strncmp(ptr, "dbus-system.see ", 16) == 0) { |
529 | #ifdef HAVE_DBUSPROXY | ||
513 | if (!dbus_check_name(ptr + 16)) { | 530 | if (!dbus_check_name(ptr + 16)) { |
514 | fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17); | 531 | fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17); |
515 | exit(1); | 532 | exit(1); |
516 | } | 533 | } |
534 | #endif | ||
517 | return 1; | 535 | return 1; |
518 | } | 536 | } |
519 | else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) { | 537 | else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) { |
538 | #ifdef HAVE_DBUSPROXY | ||
520 | if (!dbus_check_name(ptr + 17)) { | 539 | if (!dbus_check_name(ptr + 17)) { |
521 | fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17); | 540 | fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17); |
522 | exit(1); | 541 | exit(1); |
523 | } | 542 | } |
543 | #endif | ||
524 | return 1; | 544 | return 1; |
525 | } | 545 | } |
526 | else if (strncmp(ptr, "dbus-system.own ", 16) == 0) { | 546 | else if (strncmp(ptr, "dbus-system.own ", 16) == 0) { |
547 | #ifdef HAVE_DBUSPROXY | ||
527 | if (!dbus_check_name(ptr + 16)) { | 548 | if (!dbus_check_name(ptr + 16)) { |
528 | fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16); | 549 | fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16); |
529 | exit(1); | 550 | exit(1); |
530 | } | 551 | } |
552 | #endif | ||
531 | return 1; | 553 | return 1; |
532 | } | 554 | } |
533 | else if (strncmp(ptr, "dbus-system.call ", 17) == 0) { | 555 | else if (strncmp(ptr, "dbus-system.call ", 17) == 0) { |
556 | #ifdef HAVE_DBUSPROXY | ||
534 | if (!dbus_check_call_rule(ptr + 17)) { | 557 | if (!dbus_check_call_rule(ptr + 17)) { |
535 | fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17); | 558 | fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17); |
536 | exit(1); | 559 | exit(1); |
537 | } | 560 | } |
561 | #endif | ||
538 | return 1; | 562 | return 1; |
539 | } | 563 | } |
540 | else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) { | 564 | else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) { |
565 | #ifdef HAVE_DBUSPROXY | ||
541 | if (!dbus_check_call_rule(ptr + 22)) { | 566 | if (!dbus_check_call_rule(ptr + 22)) { |
542 | fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22); | 567 | fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22); |
543 | exit(1); | 568 | exit(1); |
544 | } | 569 | } |
570 | #endif | ||
545 | return 1; | 571 | return 1; |
546 | } | 572 | } |
547 | else if (strcmp(ptr, "nou2f") == 0) { | 573 | else if (strcmp(ptr, "nou2f") == 0) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3bb4858c9..ff6be986f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -938,8 +938,9 @@ int sandbox(void* sandbox_arg) { | |||
938 | //**************************** | 938 | //**************************** |
939 | // Session D-BUS | 939 | // Session D-BUS |
940 | //**************************** | 940 | //**************************** |
941 | #ifdef HAVE_DBUSPROXY | ||
941 | dbus_apply_policy(); | 942 | dbus_apply_policy(); |
942 | 943 | #endif | |
943 | 944 | ||
944 | //**************************** | 945 | //**************************** |
945 | // hosts and hostname | 946 | // hosts and hostname |