Merge pull request #2697 from topimiettinen/dbus-block-system-bus

dbus: make --nodbus block also system D-Bus socket
author: netblue30 <netblue30@yahoo.com> 2019-05-17 10:32:59 -0500
committer: GitHub <noreply@github.com> 2019-05-17 10:32:59 -0500
commit: 909bc848b8ef719225bf28d0e930470b8782ab9f (patch)
tree: 2a5bab97b36e650528b650ecc3693a17e30e4b05 /src
parent: Merge pull request #2701 from smitsohu/opath (diff)
parent: dbus: make --nodbus block also system D-Bus socket (diff)
download: firejail-909bc848b8ef719225bf28d0e930470b8782ab9f.tar.gz
firejail-909bc848b8ef719225bf28d0e930470b8782ab9f.tar.zst
firejail-909bc848b8ef719225bf28d0e930470b8782ab9f.zip
4 files changed, 11 insertions, 6 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index baa41e85e..b046b3279 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,7 +19,7 @@
 */
 #include "firejail.h"
-void dbus_session_disable(void) {
+void dbus_disable(void) {
        if (!checkcfg(CFG_DBUS)) {
                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
                return;
@@ -43,6 +43,9 @@ void dbus_session_disable(void) {
        free(path);
        free(env_var);
+        // blacklist also system D-Bus socket
+        disable_file_or_dir("/run/dbus/system_bus_socket");
        // look for a possible abstract unix socket
        // --net=none
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2e04084e3..e0f3a6a16 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -782,6 +782,6 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 // dbus.c
-void dbus_session_disable(void);
+void dbus_disable(void);
 #endif
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 101a16d00..9f0a5f25c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,7 +923,7 @@ int sandbox(void* sandbox_arg) {
        // Session D-BUS
        //****************************
        if (arg_nodbus)
-                dbus_session_disable();
+                dbus_disable();
        //****************************
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b56dedcd..8f6948ef4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1107,9 +1107,11 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
+Disable D-Bus access (both system and session buses). Only the regular
-disable the abstract socket you would need to request a new network namespace using
+UNIX sockets are handled by this command. To disable the abstract
-\-\-net command. Another option is to remove unix from \-\-protocol set.
+sockets you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from \-\-protocol
+set.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2019-05-17 10:32:59 -0500
committer	GitHub <noreply@github.com>	2019-05-17 10:32:59 -0500
commit	909bc848b8ef719225bf28d0e930470b8782ab9f (patch)
tree	2a5bab97b36e650528b650ecc3693a17e30e4b05 /src
parent	Merge pull request #2701 from smitsohu/opath (diff)
parent	dbus: make --nodbus block also system D-Bus socket (diff)
download	firejail-909bc848b8ef719225bf28d0e930470b8782ab9f.tar.gz firejail-909bc848b8ef719225bf28d0e930470b8782ab9f.tar.zst firejail-909bc848b8ef719225bf28d0e930470b8782ab9f.zip