Merge branch 'master' into nodbus-enhancements

author: netblue30 <netblue30@yahoo.com> 2019-05-17 10:53:37 -0500
committer: GitHub <noreply@github.com> 2019-05-17 10:53:37 -0500
commit: 0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2 (patch)
tree: 31f79cd173b668b30443e3be848a36d0ce22501e /src
parent: Fix overridden DBUS_SESSION_BUS_ADDRESS with nodbus (diff)
parent: Merge pull request #2694 from laomaiweng/propagate-quiet (diff)
download: firejail-0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2.tar.gz
firejail-0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2.tar.zst
firejail-0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2.zip
14 files changed, 51 insertions, 9 deletions
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 2d4902b91..aba0e9f60 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -92,6 +92,7 @@ calligraplanwork
 calligrasheets
 calligrastage
 calligrawords
+cantata
 catfish
 celluloid
 checkbashisms
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 94d872ca5..b856ff809 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,7 +19,7 @@
 */
 #include "firejail.h"
-void dbus_session_disable(void) {
+void dbus_disable(void) {
        if (!checkcfg(CFG_DBUS)) {
                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
                return;
@@ -43,12 +43,17 @@ void dbus_session_disable(void) {
        free(path);
        free(env_var);
        // blacklist the dbus-launch user directory
        if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
                errExit("asprintf");
        disable_file_or_dir(path);
        free(path);
+        // blacklist also system D-Bus socket
+        disable_file_or_dir("/run/dbus/system_bus_socket");
        // look for a possible abstract unix socket
        // --net=none
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 2e9f516ba..f15e1362f 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -160,6 +160,11 @@ void env_defaults(void) {
        // set the window title
        if (!arg_quiet)
                printf("\033]0;firejail %s\007", cfg.window_title);
+        // pass --quiet as an environment variable, in case the command calls further firejailed commands
+        if (arg_quiet)
+                setenv("FIREJAIL_QUIET", "yes", 1);
        fflush(0);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2e04084e3..e0f3a6a16 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -782,6 +782,6 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 // dbus.c
-void dbus_session_disable(void);
+void dbus_disable(void);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f9d968427..bf7c0a4b2 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,7 +27,11 @@
 #include <glob.h>
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index e35bf073d..b44d09acc 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -22,7 +22,6 @@
 #include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -31,6 +30,11 @@
 #include <grp.h>
 //#include <ftw.h>
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 static void skel(const char *homedir, uid_t u, gid_t g) {
        char *fname;
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index d128065d3..bce44b9e5 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -24,9 +24,13 @@
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // mountinfo functionality test;
 // 1. enable TEST_MOUNTINFO definition
 // 2. run firejail --whitelist=/any/directory
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ece4c2cb5..f3dc72944 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -907,7 +907,8 @@ int main(int argc, char **argv) {
        // get starting timestamp, process --quiet
        start_timestamp = getticks();
-        if (check_arg(argc, argv, "--quiet", 1))
+        char *env_quiet = getenv("FIREJAIL_QUIET");
+        if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
                arg_quiet = 1;
        // cleanup at exit
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 0717b2044..7369ad247 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,7 +19,11 @@
 */
 #include "firejail.h"
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_BUF 4096
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 26beaf35a..e3f237b8e 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,7 +24,11 @@
 #include <sys/mount.h>
 #include <dirent.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 101a16d00..9f0a5f25c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,7 +923,7 @@ int sandbox(void* sandbox_arg) {
        // Session D-BUS
        //****************************
        if (arg_nodbus)
-                dbus_session_disable();
+                dbus_disable();
        //****************************
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3e2cd13d5..fff0bbf2f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,7 +29,11 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index b0ed10b30..9d821d980 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -31,7 +31,11 @@
 #include <sys/wait.h>
 #include <errno.h>
 #include <limits.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // Parse the DISPLAY environment variable and return a display number.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b56dedcd..8f6948ef4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1107,9 +1107,11 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
+Disable D-Bus access (both system and session buses). Only the regular
-disable the abstract socket you would need to request a new network namespace using
+UNIX sockets are handled by this command. To disable the abstract
-\-\-net command. Another option is to remove unix from \-\-protocol set.
+sockets you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from \-\-protocol
+set.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2019-05-17 10:53:37 -0500
committer	GitHub <noreply@github.com>	2019-05-17 10:53:37 -0500
commit	0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2 (patch)
tree	31f79cd173b668b30443e3be848a36d0ce22501e /src
parent	Fix overridden DBUS_SESSION_BUS_ADDRESS with nodbus (diff)
parent	Merge pull request #2694 from laomaiweng/propagate-quiet (diff)
download	firejail-0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2.tar.gz firejail-0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2.tar.zst firejail-0347e4d7efd4b0331bcb6ffef0f4e6f0af8af7e2.zip