Add --dbus-*.see options

The SEE policy of xdg-dbus-proxy allows clients to see objects and bus names, but not interact with them. The --call and --broadcast can allow interactions with objects that have the SEE policy set. Profile support for these proxy options will be added in a future commit.
author: Kristóf Marussy <kris7topher@gmail.com> 2020-05-03 18:24:53 +0200
committer: Kristóf Marussy <kristof@marussy.com> 2020-05-07 01:56:39 +0200
commit: 8b5cb76fd4f0ae52922a198ab50ad3799aac44a3 (patch)
tree: 4b9f24e63cba0ed328ee7d843772f1ecda7d4e78 /src
parent: add ommitted scripts from contrib (#3405) (diff)
download: firejail-8b5cb76fd4f0ae52922a198ab50ad3799aac44a3.tar.gz
firejail-8b5cb76fd4f0ae52922a198ab50ad3799aac44a3.tar.zst
firejail-8b5cb76fd4f0ae52922a198ab50ad3799aac44a3.zip
2 files changed, 30 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index dc213b988..fa2b0e2e1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2073,6 +2073,14 @@ int main(int argc, char **argv, char **envp) {
                                exit(1);
                        }
                }
+                else if (strncmp(argv[i], "--dbus-user.see=", 16) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.see %s", argv[i] + 16) == -1)
+                                errExit("asprintf");
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
                else if (strncmp(argv[i], "--dbus-user.talk=", 17) == 0) {
                        char *line;
                        if (asprintf(&line, "dbus-user.talk %s", argv[i] + 17) == -1)
@@ -2103,6 +2111,14 @@ int main(int argc, char **argv, char **envp) {
                                exit(1);
                        }
                }
+                else if (strncmp(argv[i], "--dbus-system.see=", 18) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.see %s", argv[i] + 18) == -1)
+                                errExit("asprintf");
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
                else if (strncmp(argv[i], "--dbus-system.talk=", 19) == 0) {
                        char *line;
                        if (asprintf(&line, "dbus-system.talk %s", argv[i] + 19) == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 0be119903..f2959686a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -452,6 +452,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                return 0;
        }
+        else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
+                if (!dbus_check_name(ptr + 14)) {
+                        printf("Invalid dbus-user.see name: %s\n", ptr + 15);
+                        exit(1);
+                }
+                return 1;
+        }
        else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
                if (!dbus_check_name(ptr + 15)) {
                        printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
@@ -482,6 +489,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                return 0;
        }
+        else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
+                if (!dbus_check_name(ptr + 16)) {
+                        fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);
+                        exit(1);
+                }
+                return 1;
+        }
        else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
                if (!dbus_check_name(ptr + 17)) {
                        fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
author	Kristóf Marussy <kris7topher@gmail.com>	2020-05-03 18:24:53 +0200
committer	Kristóf Marussy <kristof@marussy.com>	2020-05-07 01:56:39 +0200
commit	8b5cb76fd4f0ae52922a198ab50ad3799aac44a3 (patch)
tree	4b9f24e63cba0ed328ee7d843772f1ecda7d4e78 /src
parent	add ommitted scripts from contrib (#3405) (diff)
download	firejail-8b5cb76fd4f0ae52922a198ab50ad3799aac44a3.tar.gz firejail-8b5cb76fd4f0ae52922a198ab50ad3799aac44a3.tar.zst firejail-8b5cb76fd4f0ae52922a198ab50ad3799aac44a3.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index dc213b988..fa2b0e2e1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -2073,6 +2073,14 @@ int main(int argc, char argv, char envp) {
2073	exit(1);	2073	exit(1);
2074	}	2074	}
2075	}	2075	}
		2076	else if (strncmp(argv[i], "--dbus-user.see=", 16) == 0) {
		2077	char *line;
		2078	if (asprintf(&line, "dbus-user.see %s", argv[i] + 16) == -1)
		2079	errExit("asprintf");
		2080
		2081	profile_check_line(line, 0, NULL); // will exit if something wrong
		2082	profile_add(line);
		2083	}
2076	else if (strncmp(argv[i], "--dbus-user.talk=", 17) == 0) {	2084	else if (strncmp(argv[i], "--dbus-user.talk=", 17) == 0) {
2077	char *line;	2085	char *line;
2078	if (asprintf(&line, "dbus-user.talk %s", argv[i] + 17) == -1)	2086	if (asprintf(&line, "dbus-user.talk %s", argv[i] + 17) == -1)
@@ -2103,6 +2111,14 @@ int main(int argc, char argv, char envp) {
2103	exit(1);	2111	exit(1);
2104	}	2112	}
2105	}	2113	}
		2114	else if (strncmp(argv[i], "--dbus-system.see=", 18) == 0) {
		2115	char *line;
		2116	if (asprintf(&line, "dbus-system.see %s", argv[i] + 18) == -1)
		2117	errExit("asprintf");
		2118
		2119	profile_check_line(line, 0, NULL); // will exit if something wrong
		2120	profile_add(line);
		2121	}
2106	else if (strncmp(argv[i], "--dbus-system.talk=", 19) == 0) {	2122	else if (strncmp(argv[i], "--dbus-system.talk=", 19) == 0) {
2107	char *line;	2123	char *line;
2108	if (asprintf(&line, "dbus-system.talk %s", argv[i] + 19) == -1)	2124	if (asprintf(&line, "dbus-system.talk %s", argv[i] + 19) == -1)


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 0be119903..f2959686a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -452,6 +452,13 @@ int profile_check_line(char ptr, int lineno, const char fname) {
452	}	452	}
453	return 0;	453	return 0;
454	}	454	}
		455	else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
		456	if (!dbus_check_name(ptr + 14)) {
		457	printf("Invalid dbus-user.see name: %s\n", ptr + 15);
		458	exit(1);
		459	}
		460	return 1;
		461	}
455	else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {	462	else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
456	if (!dbus_check_name(ptr + 15)) {	463	if (!dbus_check_name(ptr + 15)) {
457	printf("Invalid dbus-user.talk name: %s\n", ptr + 15);	464	printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
@@ -482,6 +489,13 @@ int profile_check_line(char ptr, int lineno, const char fname) {
482	}	489	}
483	return 0;	490	return 0;
484	}	491	}
		492	else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
		493	if (!dbus_check_name(ptr + 16)) {
		494	fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);
		495	exit(1);
		496	}
		497	return 1;
		498	}
485	else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {	499	else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
486	if (!dbus_check_name(ptr + 17)) {	500	if (!dbus_check_name(ptr + 17)) {
487	fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);	501	fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);