--nodbus, first draft for #1825

author: startx2017 <vradu.startx@yandex.com> 2018-03-26 10:37:02 -0400
committer: startx2017 <vradu.startx@yandex.com> 2018-03-26 10:37:02 -0400
commit: ae008e5fa9e8a901fbf255664f3de775415a39a3 (patch)
tree: 6a9288e88ada7d9097b292d84422e8ced69d9ec3 /src
parent: Add atril thumbnailer and previewer profiles (diff)
download: firejail-ae008e5fa9e8a901fbf255664f3de775415a39a3.tar.gz
firejail-ae008e5fa9e8a901fbf255664f3de775415a39a3.tar.zst
firejail-ae008e5fa9e8a901fbf255664f3de775415a39a3.zip
7 files changed, 57 insertions, 55 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5af141289..6141d6223 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -382,6 +382,7 @@ extern int arg_noprofile;	// use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
 extern int arg_notv;    // --notv
 extern int arg_nodvd;   // --nodvd
+extern int arg_nodbus; // -nodbus
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -520,6 +521,8 @@ void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 unsigned extract_timeout(const char *str);
+void disable_file_or_dir(const char *fname);
+void disable_file_path(const char *path, const char *file);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -800,4 +803,7 @@ void set_name_run_file(pid_t pid);
 void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
+// dbus.c
+void dbus_session_disable(void);
 #endif
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 6eac78d96..152ddf5f7 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -297,26 +297,6 @@ void fs_private_dev(void){
        }
 }
-static void disable_file_or_dir(const char *fname) {
-        if (arg_debug)
-                printf("disable %s\n", fname);
-        struct stat s;
-        if (stat(fname, &s) != -1) {
-                if (is_dir(fname)) {
-                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable directory");
-                }
-                else {
-                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable file");
-                }
-        }
-        fs_logger2("blacklist", fname);
-}
 void fs_dev_disable_sound(void) {
        unsigned i = 0;
        while (dev[i].dev_fname != NULL) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 38db165e8..6dc19abdd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int arg_notv = 0;       // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_nodbus = 0; // -nodbus
 int login_shell = 0;
@@ -1111,7 +1112,7 @@ int main(int argc, char **argv) {
                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
                                if (cfg.protocol) {
-                                        fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
+                                        fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
                                }
                                else {
                                        // store list
@@ -1734,6 +1735,8 @@ int main(int argc, char **argv) {
                        arg_notv = 1;
                else if (strcmp(argv[i], "--nodvd") == 0)
                        arg_nodvd = 1;
+                else if (strcmp(argv[i], "--nodbus") == 0)
+                        arg_nodbus = 1;
                //*************************************
                // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5566b9860..2cb91964a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -249,6 +249,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_no3d = 1;
                return 0;
        }
+        else if (strcmp(ptr, "nodbus") == 0) {
+                arg_nodbus = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
                fmessage("--allow-private-blacklist was deprecated\n");
                return 0;
@@ -549,7 +553,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP)) {
                        if (cfg.protocol) {
-                                fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
+                                fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
                                return 0;
                        }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index ef674fb4a..9109a6865 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,52 +24,24 @@
 #include <dirent.h>
 #include <sys/wait.h>
-static void disable_file(const char *path, const char *file) {
-        assert(file);
-        assert(path);
-        struct stat s;
-        char *fname;
-        if (asprintf(&fname, "%s/%s", path, file) == -1)
-                errExit("asprintf");
-        if (stat(fname, &s) == -1)
-                goto doexit;
-        if (arg_debug)
-                printf("Disable%s\n", fname);
-        if (S_ISDIR(s.st_mode)) {
-                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                        errExit("disable file");
-        }
-        else {
-                if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                        errExit("disable file");
-        }
-        fs_logger2("blacklist", fname);
-doexit:
-        free(fname);
-}
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
        if (arg_debug)
                printf("disable pulseaudio\n");
        // blacklist user config directory
-        disable_file(cfg.homedir, ".config/pulse");
+        disable_file_path(cfg.homedir, ".config/pulse");
        // blacklist pulseaudio socket in XDG_RUNTIME_DIR
        char *name = getenv("XDG_RUNTIME_DIR");
        if (name)
-                disable_file(name, "pulse/native");
+                disable_file_path(name, "pulse/native");
        // try the default location anyway
        char *path;
        if (asprintf(&path, "/run/user/%d", getuid()) == -1)
                errExit("asprintf");
-        disable_file(path, "pulse/native");
+        disable_file_path(path, "pulse/native");
        free(path);
@@ -87,12 +59,11 @@ void pulseaudio_disable(void) {
        struct dirent *entry;
        while ((entry = readdir(dir))) {
                if (strncmp(entry->d_name, "pulse-", 6) == 0) {
-                        disable_file("/tmp", entry->d_name);
+                        disable_file_path("/tmp", entry->d_name);
                }
        }
        closedir(dir);
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96b7b267b..75dbc976d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -838,6 +838,13 @@ int sandbox(void* sandbox_arg) {
        }
        //****************************
+        // Session D-BUS
+        //****************************
+        if (arg_nodbus)
+                dbus_session_disable();
+        //****************************
        // hosts and hostname
        //****************************
        if (cfg.hostname)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0adca5e33..c644f83a8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <ftw.h>
 #include <sys/stat.h>
+#include <sys/mount.h>
 #include <fcntl.h>
 #include <syslog.h>
 #include <errno.h>
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
        return h * 3600 + m * 60 + s;
 }
+void disable_file_or_dir(const char *fname) {
+        if (arg_debug)
+                printf("blacklist %s\n", fname);
+        struct stat s;
+        if (stat(fname, &s) != -1) {
+                if (is_dir(fname)) {
+                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable directory");
+                }
+                else {
+                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable file");
+                }
+        }
+        fs_logger2("blacklist", fname);
+}
+void disable_file_path(const char *path, const char *file) {
+        assert(file);
+        assert(path);
+        char *fname;
+        if (asprintf(&fname, "%s/%s", path, file) == -1)
+                errExit("asprintf");
+        disable_file_or_dir(fname);
+        free(fname);
+}
author	startx2017 <vradu.startx@yandex.com>	2018-03-26 10:37:02 -0400
committer	startx2017 <vradu.startx@yandex.com>	2018-03-26 10:37:02 -0400
commit	ae008e5fa9e8a901fbf255664f3de775415a39a3 (patch)
tree	6a9288e88ada7d9097b292d84422e8ced69d9ec3 /src
parent	Add atril thumbnailer and previewer profiles (diff)
download	firejail-ae008e5fa9e8a901fbf255664f3de775415a39a3.tar.gz firejail-ae008e5fa9e8a901fbf255664f3de775415a39a3.tar.zst firejail-ae008e5fa9e8a901fbf255664f3de775415a39a3.zip