Merge pull request #960 from valoq/master

block dbus ipc
author: netblue30 <netblue30@yahoo.com> 2016-12-09 08:00:09 -0500
committer: GitHub <noreply@github.com> 2016-12-09 08:00:09 -0500
commit: 434261ee21d50455c7a31d7ada0b88305b9380e3 (patch)
tree: c2b921ff795b411bacd398f4b432d65837fbb0b2 /src
parent: remove konsole from the list of restricted terminals in disable-common.inc (diff)
parent: removed dbus blacklist (diff)
download: firejail-434261ee21d50455c7a31d7ada0b88305b9380e3.tar.gz
firejail-434261ee21d50455c7a31d7ada0b88305b9380e3.tar.zst
firejail-434261ee21d50455c7a31d7ada0b88305b9380e3.zip
1 files changed, 66 insertions, 1 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 53d63a108..905d2903d 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
-// blacklist files or directoies by mounting empty files on top of them
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
        char *homedir = cfg.homedir;
        assert(homedir);
@@ -530,6 +530,71 @@ void fs_proc_sys_dev_boot(void) {
        
        // disable /dev/port
        disable_file(BLACKLIST_FILE, "/dev/port");
+        // WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
+        
+        // disable various ipc sockets
+        struct stat s;
+        // breaks too many applications, option needed
+        /* // disable /run/user/{uid}/bus */
+        /* char *fnamebus; */
+        /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamebus, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamebus); */
+        /* free(fnamebus); */
+        // disable /run/user/{uid}/gnupg
+        char *fnamegpg;
+        if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+            errExit("asprintf");
+        if (stat(fnamegpg, &s) == 0)
+            disable_file(BLACKLIST_FILE, fnamegpg);
+        free(fnamegpg);
+        // disable /run/user/{uid}/systemd
+        char *fnamesysd;
+        if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+            errExit("asprintf");
+        if (stat(fnamesysd, &s) == 0)
+            disable_file(BLACKLIST_FILE, fnamesysd);
+        free(fnamesysd);
+        // WARNING: not working
+        // disable /run/user/{uid}/kdeinit*
+        //char *fnamekde;
+        //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
+        //    errExit("asprintf");
+        //if (stat(fnamekde, &s) == 0)
+        //    disable_file(BLACKLIST_FILE, fnamekde);
+        //free(fnamekde);
+        
+        
+        // disable /run/user/{uid}/pulse
+        /* char *fnamepulse; */
+        /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamepulse, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamepulse); */
+        /* free(fnamepulse); */
+        // disable /run/user/{uid}/dconf
+        /* char *fnamedconf; */
+        /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamedconf, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamedconf); */
+        /* free(fnamedconf); */
+        
+        //more files with sockets to be blacklisted
+        //  /run/dbus /run/systemd /run/udev /run/lvm
+        
        
        if (getuid() != 0) {
                // disable /dev/kmsg and /proc/kmsg
author	netblue30 <netblue30@yahoo.com>	2016-12-09 08:00:09 -0500
committer	GitHub <noreply@github.com>	2016-12-09 08:00:09 -0500
commit	434261ee21d50455c7a31d7ada0b88305b9380e3 (patch)
tree	c2b921ff795b411bacd398f4b432d65837fbb0b2 /src
parent	remove konsole from the list of restricted terminals in disable-common.inc (diff)
parent	removed dbus blacklist (diff)
download	firejail-434261ee21d50455c7a31d7ada0b88305b9380e3.tar.gz firejail-434261ee21d50455c7a31d7ada0b88305b9380e3.tar.zst firejail-434261ee21d50455c7a31d7ada0b88305b9380e3.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 53d63a108..905d2903d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char pattern, const char noblacklist[
225	}	225	}
226		226
227		227
228	// blacklist files or directoies by mounting empty files on top of them	228	// blacklist files or directories by mounting empty files on top of them
229	void fs_blacklist(void) {	229	void fs_blacklist(void) {
230	char *homedir = cfg.homedir;	230	char *homedir = cfg.homedir;
231	assert(homedir);	231	assert(homedir);
@@ -530,6 +530,71 @@ void fs_proc_sys_dev_boot(void) {
530		530
531	// disable /dev/port	531	// disable /dev/port
532	disable_file(BLACKLIST_FILE, "/dev/port");	532	disable_file(BLACKLIST_FILE, "/dev/port");
		533
		534
		535	// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
		536
		537	// disable various ipc sockets
		538	struct stat s;
		539
		540
		541	// breaks too many applications, option needed
		542	/* // disable /run/user/{uid}/bus */
		543	/* char fnamebus; /
		544	/* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
		545	/* errExit("asprintf"); */
		546	/* if (stat(fnamebus, &s) == 0) */
		547	/* disable_file(BLACKLIST_FILE, fnamebus); */
		548	/* free(fnamebus); */
		549
		550	// disable /run/user/{uid}/gnupg
		551	char *fnamegpg;
		552	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
		553	errExit("asprintf");
		554	if (stat(fnamegpg, &s) == 0)
		555	disable_file(BLACKLIST_FILE, fnamegpg);
		556	free(fnamegpg);
		557
		558	// disable /run/user/{uid}/systemd
		559	char *fnamesysd;
		560	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
		561	errExit("asprintf");
		562	if (stat(fnamesysd, &s) == 0)
		563	disable_file(BLACKLIST_FILE, fnamesysd);
		564	free(fnamesysd);
		565
		566
		567	// WARNING: not working
		568	// disable /run/user/{uid}/kdeinit*
		569	//char *fnamekde;
		570	//if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
		571	// errExit("asprintf");
		572	//if (stat(fnamekde, &s) == 0)
		573	// disable_file(BLACKLIST_FILE, fnamekde);
		574	//free(fnamekde);
		575
		576
		577	// disable /run/user/{uid}/pulse
		578	/* char fnamepulse; /
		579	/* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
		580	/* errExit("asprintf"); */
		581	/* if (stat(fnamepulse, &s) == 0) */
		582	/* disable_file(BLACKLIST_FILE, fnamepulse); */
		583	/* free(fnamepulse); */
		584
		585	// disable /run/user/{uid}/dconf
		586	/* char fnamedconf; /
		587	/* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
		588	/* errExit("asprintf"); */
		589	/* if (stat(fnamedconf, &s) == 0) */
		590	/* disable_file(BLACKLIST_FILE, fnamedconf); */
		591	/* free(fnamedconf); */
		592
		593
		594	//more files with sockets to be blacklisted
		595	// /run/dbus /run/systemd /run/udev /run/lvm
		596
		597
533		598
534	if (getuid() != 0) {	599	if (getuid() != 0) {
535	// disable /dev/kmsg and /proc/kmsg	600	// disable /dev/kmsg and /proc/kmsg