authorLibravatar Kristóf Marussy <kris7topher@gmail.com>2020-05-04 19:11:54 +0200
committerLibravatar Kristóf Marussy <kristof@marussy.com>2020-05-07 01:56:40 +0200
commit416d385ea749d59529d5624de87a0c5c1b44cdb6 (patch)
treeac2ef6934fa84f5088c949594eb6ffd7da6f6b76 /src
parentAdd dbus-*.call and dbus-*.broadcast commands (diff)
Add options for D-Bus logging
--dbus-user.log and --dbus-system.log instruct xdg-dbus-proxy to log interactions with the session and system buses, respectively. --dbus-log= can specify the location of the log file. If no location is specified, log output is written to stdout.
Diffstat (limited to 'src')
-rw-r--r--src/firejail/dbus.c21
-rw-r--r--src/firejail/firejail.h3
-rw-r--r--src/firejail/main.c32
-rw-r--r--src/firejail/profile.c8
4 files changed, 63 insertions, 1 deletions
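diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 5b47567e2..18576612d 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -285,6 +285,8 @@ static char *find_user_socket(void) {
 void dbus_proxy_start(void) {
  dbus_create_user_dir();
 
+ EUID_USER();
+
  int status_pipe[2];
  if (pipe(status_pipe) == -1)
  errExit("pipe");
@@ -299,10 +301,21 @@ void dbus_proxy_start(void) {
  errExit("fork");
  if (dbus_proxy_pid == 0) {
  int i;
- for (i = 3; i < FIREJAIL_MAX_FD; i++) {
+ for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
  if (i != status_pipe[1] && i != args_pipe[0])
  close(i); // close open files
  }
+ if (arg_dbus_log_file != NULL) {
+ int output_fd = creat(arg_dbus_log_file, 0666);
+ if (output_fd < 0)
+ errExit("creat");
+ if (output_fd != STDOUT_FILENO) {
+ if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
+ errExit("dup2");
+ close(output_fd);
+ }
+ }
+ close(STDIN_FILENO);
  char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL};
  if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1
  || asprintf(&args[2], "--args=%d", args_pipe[0]) == -1)
@@ -328,6 +341,9 @@ void dbus_proxy_start(void) {
  (int) getuid(), (int) getpid()) == -1)
  errExit("asprintf");
  write_arg(args_pipe[1], "%s", dbus_user_proxy_socket);
+ if (arg_dbus_log_user) {
+ write_arg(args_pipe[1], "--log");
+ }
  write_arg(args_pipe[1], "--filter");
  write_profile(args_pipe[1], "dbus-user.");
  }
@@ -344,6 +360,9 @@ void dbus_proxy_start(void) {
  (int) getuid(), (int) getpid()) == -1)
  errExit("asprintf");
  write_arg(args_pipe[1], "%s", dbus_system_proxy_socket);
+ if (arg_dbus_log_system) {
+ write_arg(args_pipe[1], "--log");
+ }
  write_arg(args_pipe[1], "--filter");
  write_profile(args_pipe[1], "dbus-system.");
  }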
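Review bot: The log file in the forked child of dbus_proxy_start is opened with `creat(arg_dbus_log_file, 0666)`, which follows symlinks, truncates whatever the path resolves to, and leaves a new file readable and writable by group and others unless the umask forbids it; a proxy log can carry D-Bus message details, so a tighter open is preferable: `int output_fd = open(arg_dbus_log_file, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);`. The `EUID_USER()` added at the top of the function suggests the open runs with the caller's effective uid, but the privilege state inside the child is not visible in these hunks and should be confirmed. `close(STDIN_FILENO)` also leaves descriptor 0 free for the next file the proxy opens; reopening it on `/dev/null` is the safer convention. The body of dbus_proxy_start starts and ends outside the hunks shown.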
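diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 19ec2762c..1ef4887ea 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -349,6 +349,9 @@ typedef enum {
 } DbusPolicy;
 extern DbusPolicy arg_dbus_user; // --dbus-user
 extern DbusPolicy arg_dbus_system; // --dbus-system
+extern int arg_dbus_log_user;
+extern int arg_dbus_log_system;
+extern const char *arg_dbus_log_file;
 
 extern int login_shell;
 extern int parent_to_child_fds[2];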
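Review bot: The three new externs after `arg_dbus_system` carry no trailing option comment, unlike the two declarations directly above them; adding `// --dbus-user.log`, `// --dbus-system.log` and `// --dbus-log=` keeps the header self-describing. The same applies to the matching definitions added in src/firejail/main.c.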
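diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8d60d3790..e458d16f4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -148,6 +148,9 @@ int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
+const char *arg_dbus_log_file = NULL;
+int arg_dbus_log_user = 0;
+int arg_dbus_log_system = 0;
 int login_shell = 0;
 
 //**********************************************************************************
@@ -2067,6 +2070,10 @@ int main(int argc, char **argv, char **envp) {
  }
  arg_dbus_user = DBUS_POLICY_FILTER;
  } else if (strcmp("none", argv[i] + 12) == 0) {
+ if (arg_dbus_log_user) {
+ fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+ exit(1);
+ }
  arg_dbus_user = DBUS_POLICY_BLOCK;
  } else {
  fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12);
@@ -2121,6 +2128,10 @@ int main(int argc, char **argv, char **envp) {
  }
  arg_dbus_system = DBUS_POLICY_FILTER;
  } else if (strcmp("none", argv[i] + 14) == 0) {
+ if (arg_dbus_log_system) {
+ fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+ exit(1);
+ }
  arg_dbus_system = DBUS_POLICY_BLOCK;
  } else {
  fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14);
@@ -2167,6 +2178,27 @@ int main(int argc, char **argv, char **envp) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
+ else if (strncmp(argv[i], "--dbus-log=", 11) == 0) {
+ if (arg_dbus_log_file != NULL) {
+ fprintf(stderr, "Error: --dbus-log option already specified\n");
+ exit(1);
+ }
+ arg_dbus_log_file = argv[i] + 11;
+ }
+ else if (strcmp(argv[i], "--dbus-user.log") == 0) {
+ if (arg_dbus_user != DBUS_POLICY_FILTER) {
+ fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+ exit(1);
+ }
+ arg_dbus_log_user = 1;
+ }
+ else if (strcmp(argv[i], "--dbus-system.log") == 0) {
+ if (arg_dbus_system != DBUS_POLICY_FILTER) {
+ fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+ exit(1);
+ }
+ arg_dbus_log_system = 1;
+ }
 
  //*************************************
  // network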
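Review bot: The `--dbus-log=` branch stores `argv[i] + 11` unchecked, so an empty value, or a path given without either `.log` switch, is only discovered later in the forked proxy child, where dbus.c calls `creat()` on it whenever `arg_dbus_log_file` is set. Rejecting the empty case at parse time is one line, `if (argv[i][11] == '\0') { fprintf(stderr, "Error: --dbus-log requires a file name\n"); exit(1); }`, and opening the file only when `arg_dbus_log_user || arg_dbus_log_system` avoids truncating a file when nothing will be logged. The `.log` switches also depend on option order, since they are accepted only after the matching `=filter` option; that is worth stating in the usage text. main() continues outside these hunks.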
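diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 699ca4bea..749006487 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -445,6 +445,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  }
  arg_dbus_user = DBUS_POLICY_FILTER;
  } else if (strcmp("none", ptr) == 0) {
+ if (arg_dbus_log_user) {
+ fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+ exit(1);
+ }
  arg_dbus_user = DBUS_POLICY_BLOCK;
  } else {
  fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
@@ -496,6 +500,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  }
  arg_dbus_system = DBUS_POLICY_FILTER;
  } else if (strcmp("none", ptr) == 0) {
+ if (arg_dbus_log_system) {
+ fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+ exit(1);
+ }
  arg_dbus_system = DBUS_POLICY_BLOCK;
  } else {
  fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);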
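Review bot: The two added checks in profile_check_line exit with a command-line style message that does not name the profile, although the function receives `lineno` and `fname`; a profile line that sets the policy to none after logging was enabled gives the user no pointer to the offending line. Since main.c calls this function with `fname` set to NULL for command-line input, the location should be printed only when `fname` is non-NULL. These are also the third and fourth copies of the conflict check that main.c already carries, so a small shared helper would keep the messages in sync. The function body extends outside both hunks.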