-rw-r--r-- | src/firejail/dbus.c | 25 | ||||
-rw-r--r-- | src/firejail/firejail.h | 11 | ||||
-rw-r--r-- | src/firejail/main.c | 33 | ||||
-rw-r--r-- | src/firejail/profile.c | 35 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 |
5 files changed, 90 insertions, 17 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 7acbd338c..241b8fc44 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -19,12 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | 21 | ||
22 | void dbus_disable(void) { | 22 | static void dbus_block_user(void) { |
23 | if (!checkcfg(CFG_DBUS)) { | ||
24 | fwarning("D-Bus handling is disabled in Firejail configuration file\n"); | ||
25 | return; | ||
26 | } | ||
27 | |||
28 | char *path; | 23 | char *path; |
29 | if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1) | 24 | if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1) |
30 | errExit("asprintf"); | 25 | errExit("asprintf"); |
@@ -43,16 +38,32 @@ void dbus_disable(void) { | |||
43 | free(path); | 38 | free(path); |
44 | free(env_var); | 39 | free(env_var); |
45 | 40 | ||
46 | |||
47 | // blacklist the dbus-launch user directory | 41 | // blacklist the dbus-launch user directory |
48 | if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1) | 42 | if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1) |
49 | errExit("asprintf"); | 43 | errExit("asprintf"); |
50 | disable_file_or_dir(path); | 44 | disable_file_or_dir(path); |
51 | free(path); | 45 | free(path); |
46 | } | ||
52 | 47 | ||
48 | static void dbus_block_system() { | ||
53 | // blacklist also system D-Bus socket | 49 | // blacklist also system D-Bus socket |
54 | disable_file_or_dir("/run/dbus/system_bus_socket"); | 50 | disable_file_or_dir("/run/dbus/system_bus_socket"); |
51 | } | ||
52 | |||
53 | void dbus_apply_policy(void) { | ||
54 | if (arg_dbus_user == DBUS_POLICY_ALLOW && arg_dbus_system == DBUS_POLICY_ALLOW) | ||
55 | return; | ||
56 | |||
57 | if (!checkcfg(CFG_DBUS)) { | ||
58 | fwarning("D-Bus handling is disabled in Firejail configuration file\n"); | ||
59 | return; | ||
60 | } | ||
61 | |||
62 | if (arg_dbus_user != DBUS_POLICY_ALLOW) | ||
63 | dbus_block_user(); | ||
55 | 64 | ||
65 | if (arg_dbus_system != DBUS_POLICY_ALLOW) | ||
66 | dbus_block_system(); | ||
56 | 67 | ||
57 | // look for a possible abstract unix socket | 68 | // look for a possible abstract unix socket |
58 | 69 | ||
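Review bot: In `dbus_apply_policy`, `DBUS_POLICY_FILTER` takes the same path as `DBUS_POLICY_BLOCK`, because both tests are `!= DBUS_POLICY_ALLOW` and no proxy is started in the visible lines, so a user who selects `filter` gets the bus blocked without being told. Failing closed is the safe choice, but it should be stated: add `// DBUS_POLICY_FILTER is not implemented here yet; treat it as block (fail closed)` above the two tests, and consider an `fwarning` when either policy is `DBUS_POLICY_FILTER`. The `checkcfg(CFG_DBUS)` early return goes the other way: a requested block is reduced to a warning and the sandbox appears to keep full bus access, which deserves a comment or a hard error. `dbus_block_system()` should be declared `(void)` like `dbus_block_user(void)`. The function body continues past the end of the hunk (the abstract-socket check), so whether that part should still run when only the system bus is restricted cannot be judged from here.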
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1cb8b2d22..ea4012335 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -340,9 +340,16 @@ extern int arg_memory_deny_write_execute; // block writable and executable memor | |||
340 | extern int arg_notv; // --notv | 340 | extern int arg_notv; // --notv |
341 | extern int arg_nodvd; // --nodvd | 341 | extern int arg_nodvd; // --nodvd |
342 | extern int arg_nou2f; // --nou2f | 342 | extern int arg_nou2f; // --nou2f |
343 | extern int arg_nodbus; // -nodbus | ||
344 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | 343 | extern int arg_deterministic_exit_code; // always exit with first child's exit status |
345 | 344 | ||
345 | typedef enum { | ||
346 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus | ||
347 | DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy | ||
348 | DBUS_POLICY_BLOCK // Block access | ||
349 | } DbusPolicy; | ||
350 | extern DbusPolicy arg_dbus_user; // --dbus-user | ||
351 | extern DbusPolicy arg_dbus_system; // --dbus-system | ||
352 | |||
346 | extern int login_shell; | 353 | extern int login_shell; |
347 | extern int parent_to_child_fds[2]; | 354 | extern int parent_to_child_fds[2]; |
348 | extern int child_to_parent_fds[2]; | 355 | extern int child_to_parent_fds[2]; |
@@ -836,7 +843,7 @@ void set_x11_run_file(pid_t pid, int display); | |||
836 | void set_profile_run_file(pid_t pid, const char *fname); | 843 | void set_profile_run_file(pid_t pid, const char *fname); |
837 | 844 | ||
838 | // dbus.c | 845 | // dbus.c |
839 | void dbus_disable(void); | 846 | void dbus_apply_policy(void); |
840 | 847 | ||
841 | // dhcp.c | 848 | // dhcp.c |
842 | extern pid_t dhclient4_pid; | 849 | extern pid_t dhclient4_pid; |
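Review bot: The `DbusPolicy` comments in the first hunk do not say which keyword selects each value, and the easiest one to miss is that `DBUS_POLICY_BLOCK` is spelled `none` on the command line and in profiles. I would extend them, e.g. `DBUS_POLICY_BLOCK // Block access (keyword "none"; also set by --nodbus)`, and say on the declarations that the default is permissive: `extern DbusPolicy arg_dbus_user; // --dbus-user, defaults to DBUS_POLICY_ALLOW`. If any code is meant to compare policies by strictness, a comment that the enumerators are ordered from least to most restrictive would keep a later reordering from changing behaviour.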
diff --git a/src/firejail/main.c b/src/firejail/main.c index d01725c95..fd2c6cb62 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -144,9 +144,10 @@ int arg_noprofile = 0; // use default.profile if none other found/specified | |||
144 | int arg_memory_deny_write_execute = 0; // block writable and executable memory | 144 | int arg_memory_deny_write_execute = 0; // block writable and executable memory |
145 | int arg_notv = 0; // --notv | 145 | int arg_notv = 0; // --notv |
146 | int arg_nodvd = 0; // --nodvd | 146 | int arg_nodvd = 0; // --nodvd |
147 | int arg_nodbus = 0; // -nodbus | ||
148 | int arg_nou2f = 0; // --nou2f | 147 | int arg_nou2f = 0; // --nou2f |
149 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 148 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
149 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user | ||
150 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system | ||
150 | int login_shell = 0; | 151 | int login_shell = 0; |
151 | 152 | ||
152 | //********************************************************************************** | 153 | //********************************************************************************** |
@@ -2053,8 +2054,34 @@ int main(int argc, char **argv, char **envp) { | |||
2053 | arg_nodvd = 1; | 2054 | arg_nodvd = 1; |
2054 | else if (strcmp(argv[i], "--nou2f") == 0) | 2055 | else if (strcmp(argv[i], "--nou2f") == 0) |
2055 | arg_nou2f = 1; | 2056 | arg_nou2f = 1; |
2056 | else if (strcmp(argv[i], "--nodbus") == 0) | 2057 | else if (strcmp(argv[i], "--nodbus") == 0) { |
2057 | arg_nodbus = 1; | 2058 | arg_dbus_user = DBUS_POLICY_BLOCK; |
2059 | arg_dbus_system = DBUS_POLICY_BLOCK; | ||
2060 | } | ||
2061 | else if (strncmp("--dbus-user=", argv[i], 12) == 0) { | ||
2062 | if (strcmp("allow", argv[i] + 12) == 0) { | ||
2063 | arg_dbus_user = DBUS_POLICY_ALLOW; | ||
2064 | } else if (strcmp("filter", argv[i] + 12) == 0) { | ||
2065 | arg_dbus_user = DBUS_POLICY_FILTER; | ||
2066 | } else if (strcmp("none", argv[i] + 12) == 0) { | ||
2067 | arg_dbus_user = DBUS_POLICY_BLOCK; | ||
2068 | } else { | ||
2069 | fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12); | ||
2070 | exit(1); | ||
2071 | } | ||
2072 | } | ||
2073 | else if (strncmp("--dbus-system=", argv[i], 14) == 0) { | ||
2074 | if (strcmp("allow", argv[i] + 14) == 0) { | ||
2075 | arg_dbus_system = DBUS_POLICY_ALLOW; | ||
2076 | } else if (strcmp("filter", argv[i] + 14) == 0) { | ||
2077 | arg_dbus_system = DBUS_POLICY_FILTER; | ||
2078 | } else if (strcmp("none", argv[i] + 14) == 0) { | ||
2079 | arg_dbus_system = DBUS_POLICY_BLOCK; | ||
2080 | } else { | ||
2081 | fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14); | ||
2082 | exit(1); | ||
2083 | } | ||
2084 | } | ||
2058 | 2085 | ||
2059 | //************************************* | 2086 | //************************************* |
2060 | // network | 2087 | // network |
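Review bot: The `--dbus-user=` and `--dbus-system=` branches assign the parsed value unconditionally, so `--nodbus --dbus-user=allow` ends with the session bus allowed: a later option silently relaxes a stricter one. The same assignments appear in the `dbus-user ` and `dbus-system ` branches of `profile_check_line` in profile.c, where, depending on the order in which profiles and arguments are processed (not visible here), a profile line could undo a block requested elsewhere. If relaxing is not intended, keep the stricter value, relying on the enum order ALLOW < FILTER < BLOCK from firejail.h; if it is intended, the precedence should be documented next to the options. The keyword parsing is also written out four times across the two files and could move into one helper, which would need a prototype in firejail.h. main() starts and ends outside the hunk.

```c
// Map a policy keyword to its DbusPolicy value; exits on an unknown keyword.
static DbusPolicy dbus_parse_policy(const char *opt, const char *word) {
	if (strcmp("allow", word) == 0)
		return DBUS_POLICY_ALLOW;
	if (strcmp("filter", word) == 0)
		return DBUS_POLICY_FILTER;
	if (strcmp("none", word) == 0)
		return DBUS_POLICY_BLOCK;
	fprintf(stderr, "Unknown %s policy: %s\n", opt, word);
	exit(1);
}

// … unchanged: --nodbus branch …
else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
	DbusPolicy requested = dbus_parse_policy("dbus-user", argv[i] + 12);
	// only ever tighten: a later option must not undo an earlier block
	if (requested > arg_dbus_user)
		arg_dbus_user = requested;
}
else if (strncmp("--dbus-system=", argv[i], 14) == 0) {
	DbusPolicy requested = dbus_parse_policy("dbus-system", argv[i] + 14);
	if (requested > arg_dbus_system)
		arg_dbus_system = requested;
}
```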
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d709a7951..14533ce08 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -150,7 +150,7 @@ static int check_netoptions(void) { | |||
150 | } | 150 | } |
151 | 151 | ||
152 | static int check_nodbus(void) { | 152 | static int check_nodbus(void) { |
153 | return arg_nodbus != 0; | 153 | return arg_dbus_user != DBUS_POLICY_ALLOW || arg_dbus_system != DBUS_POLICY_ALLOW; |
154 | } | 154 | } |
155 | 155 | ||
156 | static int check_nosound(void) { | 156 | static int check_nosound(void) { |
@@ -432,11 +432,40 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
432 | return 0; | 432 | return 0; |
433 | } | 433 | } |
434 | else if (strcmp(ptr, "nodbus") == 0) { | 434 | else if (strcmp(ptr, "nodbus") == 0) { |
435 | arg_nodbus = 1; | 435 | arg_dbus_user = DBUS_POLICY_BLOCK; |
436 | arg_dbus_system = DBUS_POLICY_BLOCK; | ||
437 | return 0; | ||
438 | } | ||
439 | else if (strncmp("dbus-user ", ptr, 10) == 0) { | ||
440 | ptr += 10; | ||
441 | if (strcmp("allow", ptr) == 0) { | ||
442 | arg_dbus_user = DBUS_POLICY_ALLOW; | ||
443 | } else if (strcmp("filter", ptr) == 0) { | ||
444 | arg_dbus_user = DBUS_POLICY_FILTER; | ||
445 | } else if (strcmp("none", ptr) == 0) { | ||
446 | arg_dbus_user = DBUS_POLICY_BLOCK; | ||
447 | } else { | ||
448 | fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); | ||
449 | exit(1); | ||
450 | } | ||
451 | return 0; | ||
452 | } | ||
453 | else if (strncmp("dbus-system ", ptr, 12) == 0) { | ||
454 | ptr += 12; | ||
455 | if (strcmp("allow", ptr) == 0) { | ||
456 | arg_dbus_system = DBUS_POLICY_ALLOW; | ||
457 | } else if (strcmp("filter", ptr) == 0) { | ||
458 | arg_dbus_system = DBUS_POLICY_FILTER; | ||
459 | } else if (strcmp("none", ptr) == 0) { | ||
460 | arg_dbus_system = DBUS_POLICY_BLOCK; | ||
461 | } else { | ||
462 | fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); | ||
463 | exit(1); | ||
464 | } | ||
436 | return 0; | 465 | return 0; |
437 | } | 466 | } |
438 | else if (strcmp(ptr, "nou2f") == 0) { | 467 | else if (strcmp(ptr, "nou2f") == 0) { |
439 | arg_nou2f = 1; | 468 | arg_nou2f = 1; |
440 | return 0; | 469 | return 0; |
441 | } | 470 | } |
442 | else if (strcmp(ptr, "netfilter") == 0) { | 471 | else if (strcmp(ptr, "netfilter") == 0) { |
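Review bot: `check_nodbus` in the first hunk now returns true as soon as either bus is not `DBUS_POLICY_ALLOW`, whereas before it was true only when `nodbus` had been given, which blocked both buses. Whatever consumes this check (its callers are outside the hunk) may assume that D-Bus is fully unavailable, and that no longer holds for `dbus-system none` alone or for `filter`. Either tighten it to `return arg_dbus_user == DBUS_POLICY_BLOCK && arg_dbus_system == DBUS_POLICY_BLOCK;` or add a comment stating the new meaning, such as `// true when any D-Bus restriction is active, not only a full block`.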
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e20ec603c..37d108750 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -932,8 +932,7 @@ int sandbox(void* sandbox_arg) { | |||
932 | //**************************** | 932 | //**************************** |
933 | // Session D-BUS | 933 | // Session D-BUS |
934 | //**************************** | 934 | //**************************** |
935 | if (arg_nodbus) | 935 | dbus_apply_policy(); |
936 | dbus_disable(); | ||
937 | 936 | ||
938 | 937 | ||
939 | //**************************** | 938 | //**************************** |