block dbus ipc

author: valoq <valoq@mailbox.org> 2016-12-06 15:51:56 +0100
committer: valoq <valoq@mailbox.org> 2016-12-06 15:51:56 +0100
commit: 6c262c3e8746b4460a6a42a6686b89e44018ed99 (patch)
tree: f53c005e49a3e54cbb7ad755089f8d75a1d38dea /src
parent: truecrypt and zuluCrypt support (diff)
download: firejail-6c262c3e8746b4460a6a42a6686b89e44018ed99.tar.gz
firejail-6c262c3e8746b4460a6a42a6686b89e44018ed99.tar.zst
firejail-6c262c3e8746b4460a6a42a6686b89e44018ed99.zip
1 files changed, 64 insertions, 1 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 9a2f4facc..d71478fc0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
-// blacklist files or directoies by mounting empty files on top of them
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
        char *homedir = cfg.homedir;
        assert(homedir);
@@ -530,6 +530,69 @@ void fs_proc_sys_dev_boot(void) {
        
        // disable /dev/port
        disable_file(BLACKLIST_FILE, "/dev/port");
+        // WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
+        
+        // disable various ipc sockets
+        struct stat s;
+        
+        // disable /run/user/{uid}/bus
+        char *fnamebus;
+        if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1)
+            errExit("asprintf");
+        if (stat(fnamebus, &s) == 0)
+            disable_file(BLACKLIST_FILE, fnamebus);
+        free(fnamebus);
+        // disable /run/user/{uid}/gnupg
+        char *fnamegpg;
+        if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+            errExit("asprintf");
+        if (stat(fnamegpg, &s) == 0)
+            disable_file(BLACKLIST_FILE, fnamegpg);
+        free(fnamegpg);
+        // disable /run/user/{uid}/systemd
+        char *fnamesysd;
+        if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+            errExit("asprintf");
+        if (stat(fnamesysd, &s) == 0)
+            disable_file(BLACKLIST_FILE, fnamesysd);
+        free(fnamesysd);
+        // WARNING: not working
+        // disable /run/user/{uid}/kdeinit*
+        //char *fnamekde;
+        //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
+        //    errExit("asprintf");
+        //if (stat(fnamekde, &s) == 0)
+        //    disable_file(BLACKLIST_FILE, fnamekde);
+        //free(fnamekde);
+        
+        
+        // disable /run/user/{uid}/pulse
+        /* char *fnamepulse; */
+        /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamepulse, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamepulse); */
+        /* free(fnamepulse); */
+        // disable /run/user/{uid}/dconf
+        /* char *fnamedconf; */
+        /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamedconf, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamedconf); */
+        /* free(fnamedconf); */
+        
+        //more files with sockets to be blacklisted
+        //  /run/dbus /run/systemd /run/udev /run/lvm
+        
        
        if (getuid() != 0) {
                // disable /dev/kmsg and /proc/kmsg
author	valoq <valoq@mailbox.org>	2016-12-06 15:51:56 +0100
committer	valoq <valoq@mailbox.org>	2016-12-06 15:51:56 +0100
commit	6c262c3e8746b4460a6a42a6686b89e44018ed99 (patch)
tree	f53c005e49a3e54cbb7ad755089f8d75a1d38dea /src
parent	truecrypt and zuluCrypt support (diff)
download	firejail-6c262c3e8746b4460a6a42a6686b89e44018ed99.tar.gz firejail-6c262c3e8746b4460a6a42a6686b89e44018ed99.tar.zst firejail-6c262c3e8746b4460a6a42a6686b89e44018ed99.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 9a2f4facc..d71478fc0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char pattern, const char noblacklist[
225	}	225	}
226		226
227		227
228	// blacklist files or directoies by mounting empty files on top of them	228	// blacklist files or directories by mounting empty files on top of them
229	void fs_blacklist(void) {	229	void fs_blacklist(void) {
230	char *homedir = cfg.homedir;	230	char *homedir = cfg.homedir;
231	assert(homedir);	231	assert(homedir);
@@ -530,6 +530,69 @@ void fs_proc_sys_dev_boot(void) {
530		530
531	// disable /dev/port	531	// disable /dev/port
532	disable_file(BLACKLIST_FILE, "/dev/port");	532	disable_file(BLACKLIST_FILE, "/dev/port");
		533
		534
		535	// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
		536
		537	// disable various ipc sockets
		538	struct stat s;
		539
		540	// disable /run/user/{uid}/bus
		541	char *fnamebus;
		542	if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1)
		543	errExit("asprintf");
		544	if (stat(fnamebus, &s) == 0)
		545	disable_file(BLACKLIST_FILE, fnamebus);
		546	free(fnamebus);
		547
		548	// disable /run/user/{uid}/gnupg
		549	char *fnamegpg;
		550	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
		551	errExit("asprintf");
		552	if (stat(fnamegpg, &s) == 0)
		553	disable_file(BLACKLIST_FILE, fnamegpg);
		554	free(fnamegpg);
		555
		556	// disable /run/user/{uid}/systemd
		557	char *fnamesysd;
		558	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
		559	errExit("asprintf");
		560	if (stat(fnamesysd, &s) == 0)
		561	disable_file(BLACKLIST_FILE, fnamesysd);
		562	free(fnamesysd);
		563
		564
		565	// WARNING: not working
		566	// disable /run/user/{uid}/kdeinit*
		567	//char *fnamekde;
		568	//if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
		569	// errExit("asprintf");
		570	//if (stat(fnamekde, &s) == 0)
		571	// disable_file(BLACKLIST_FILE, fnamekde);
		572	//free(fnamekde);
		573
		574
		575	// disable /run/user/{uid}/pulse
		576	/* char fnamepulse; /
		577	/* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
		578	/* errExit("asprintf"); */
		579	/* if (stat(fnamepulse, &s) == 0) */
		580	/* disable_file(BLACKLIST_FILE, fnamepulse); */
		581	/* free(fnamepulse); */
		582
		583	// disable /run/user/{uid}/dconf
		584	/* char fnamedconf; /
		585	/* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
		586	/* errExit("asprintf"); */
		587	/* if (stat(fnamedconf, &s) == 0) */
		588	/* disable_file(BLACKLIST_FILE, fnamedconf); */
		589	/* free(fnamedconf); */
		590
		591
		592	//more files with sockets to be blacklisted
		593	// /run/dbus /run/systemd /run/udev /run/lvm
		594
		595
533		596
534	if (getuid() != 0) {	597	if (getuid() != 0) {
535	// disable /dev/kmsg and /proc/kmsg	598	// disable /dev/kmsg and /proc/kmsg