9 files changed, 78 insertions, 2 deletions
diff --git a/configure b/configure
index 5a80402b1..2ca71d3e2 100755
--- a/configure
+++ b/configure
@@ -643,6 +643,7 @@ HAVE_CHROOT
 HAVE_PRIVATE_HOME
 HAVE_FIRETUNNEL
 HAVE_OVERLAYFS
+HAVE_DBUSPROXY
 EXTRA_LDFLAGS
 EXTRA_CFLAGS
 HAVE_APPARMOR
@@ -705,6 +706,7 @@ ac_subst_files=''
 ac_user_opts='
 enable_option_checking
 enable_apparmor
+enable_dbusproxy
 enable_overlayfs
 enable_firetunnel
 enable_private_home
@@ -1357,6 +1359,7 @@ Optional Features:
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-apparmor       enable apparmor
+  --disable-dbusproxy     disable dbus proxy
  --disable-overlayfs     disable overlayfs
  --disable-firetunnel    disable firetunnel
  --disable-private-home  disable private home feature
@@ -3494,6 +3497,19 @@ fi
+HAVE_DBUSPROXY=""
+# Check whether --enable-dbusproxy was given.
+if test "${enable_dbusproxy+set}" = set; then :
+  enableval=$enable_dbusproxy;
+fi
+if test "x$enable_dbusproxy" != "xno"; then :
+        HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
+fi
 HAVE_OVERLAYFS=""
 # Check whether --enable-overlayfs was given.
 if test "${enable_overlayfs+set}" = set; then :
@@ -5375,6 +5391,7 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   DBUS proxy support: $HAVE_DBUSPROXY"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   Spectre compiler patch: $HAVE_SPECTRE"
diff --git a/configure.ac b/configure.ac
index 241865968..60dc5f42c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,6 +52,14 @@ AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
+HAVE_DBUSPROXY=""
+AC_ARG_ENABLE([dbusproxy],
+    AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy]))
+AS_IF([test "x$enable_dbusproxy" != "xno"], [
+        HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
+        AC_SUBST(HAVE_DBUSPROXY)
+])
 HAVE_OVERLAYFS=""
 AC_ARG_ENABLE([overlayfs],
    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
@@ -215,6 +223,7 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   DBUS proxy support: $HAVE_DBUSPROXY"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   Spectre compiler patch: $HAVE_SPECTRE"
diff --git a/src/common.mk.in b/src/common.mk.in
index 22c25c6aa..52820848a 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -23,6 +23,7 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
+HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -32,7 +33,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index fb19e8f5a..a0aa3138a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -295,6 +295,14 @@ void print_compiletime_support(void) {
 #endif
                );
+        printf("\t- D-BUS proxy support is %s\n",
+#ifdef HAVE_DBUSPROXY
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
        printf("\t- file and directory whitelisting support is %s\n",
 #ifdef HAVE_WHITELIST
                "enabled"
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index f0ba10afc..3cf75ed84 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -17,6 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifdef HAVE_DBUSPROXY
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
@@ -560,3 +561,4 @@ void dbus_apply_policy(void) {
        fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
 }
+#endif // HAVE_DBUSPROXY
+\ No newline at end of file
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 7fd5ec3d3..ca8b8c4bf 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -545,12 +545,14 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        free(display_str);
                }
+#ifdef HAVE_DBUSPROXY
                // set D-Bus environment variables
                struct stat s;
                if (stat(RUN_DBUS_USER_SOCKET, &s) == 0)
                        dbus_set_session_bus_env();
                if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0)
                        dbus_set_system_bus_env();
+#endif
                start_application(0, NULL);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 75324b66a..790b0731c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -175,7 +175,9 @@ static void myexit(int rv) {
        // delete sandbox files in shared memory
+#ifdef HAVE_DBUSPROXY
        dbus_proxy_stop();
+#endif
        EUID_ROOT();
        delete_run_files(sandbox_pid);
        appimage_clear();
@@ -2023,6 +2025,11 @@ int main(int argc, char **argv, char **envp) {
                        arg_dbus_user = DBUS_POLICY_BLOCK;
                        arg_dbus_system = DBUS_POLICY_BLOCK;
                }
+                //*************************************
+                // D-BUS proxy
+                //*************************************
+#ifdef HAVE_DBUSPROXY
                else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
                        if (strcmp("filter", argv[i] + 12) == 0) {
                                if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -2160,6 +2167,7 @@ int main(int argc, char **argv, char **envp) {
                        }
                        arg_dbus_log_system = 1;
                }
+#endif
                //*************************************
                // network
@@ -2844,6 +2852,7 @@ int main(int argc, char **argv, char **envp) {
        }
        EUID_USER();
+#ifdef HAVE_DBUSPROXY
        if (checkcfg(CFG_DBUS)) {
                dbus_check_profile();
                if (arg_dbus_user == DBUS_POLICY_FILTER ||
@@ -2853,6 +2862,7 @@ int main(int argc, char **argv, char **envp) {
                        EUID_USER();
                }
        }
+#endif
        // clone environment
        int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 8eaae9a30..f6ef934db 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -430,11 +430,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        else if (strcmp(ptr, "nodbus") == 0) {
+#ifdef HAVE_DBUSPROXY
                arg_dbus_user = DBUS_POLICY_BLOCK;
                arg_dbus_system = DBUS_POLICY_BLOCK;
+#endif
                return 0;
        }
        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+#ifdef HAVE_DBUSPROXY
                ptr += 10;
                if (strcmp("filter", ptr) == 0) {
                        if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -452,44 +455,56 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
                        exit(1);
                }
+#endif
                return 0;
        }
        else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_name(ptr + 14)) {
                        printf("Invalid dbus-user.see name: %s\n", ptr + 15);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_name(ptr + 15)) {
                        printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_name(ptr + 14)) {
                        fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-user.call ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_call_rule(ptr + 15)) {
                        fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_call_rule(ptr + 20)) {
                        fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+#ifdef HAVE_DBUSPROXY
                ptr += 12;
                if (strcmp("filter", ptr) == 0) {
                        if (arg_dbus_system == DBUS_POLICY_BLOCK) {
@@ -507,41 +522,52 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
                        exit(1);
                }
+#endif
                return 0;
        }
        else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_name(ptr + 16)) {
                        fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_name(ptr + 17)) {
                        fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_name(ptr + 16)) {
                        fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-system.call ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_call_rule(ptr + 17)) {
                        fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) {
+#ifdef HAVE_DBUSPROXY
                if (!dbus_check_call_rule(ptr + 22)) {
                        fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22);
                        exit(1);
                }
+#endif
                return 1;
        }
        else if (strcmp(ptr, "nou2f") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3bb4858c9..ff6be986f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -938,8 +938,9 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // Session D-BUS
        //****************************
+#ifdef HAVE_DBUSPROXY
        dbus_apply_policy();
+#endif
        //****************************
        // hosts and hostname

diff --git a/configure b/configure index 5a80402b1..2ca71d3e2 100755 --- a/configure +++ b/configure
@@ -643,6 +643,7 @@ HAVE_CHROOT
643	HAVE_PRIVATE_HOME	643	HAVE_PRIVATE_HOME
644	HAVE_FIRETUNNEL	644	HAVE_FIRETUNNEL
645	HAVE_OVERLAYFS	645	HAVE_OVERLAYFS
		646	HAVE_DBUSPROXY
646	EXTRA_LDFLAGS	647	EXTRA_LDFLAGS
647	EXTRA_CFLAGS	648	EXTRA_CFLAGS
648	HAVE_APPARMOR	649	HAVE_APPARMOR
@@ -705,6 +706,7 @@ ac_subst_files=''
705	ac_user_opts='	706	ac_user_opts='
706	enable_option_checking	707	enable_option_checking
707	enable_apparmor	708	enable_apparmor
		709	enable_dbusproxy
708	enable_overlayfs	710	enable_overlayfs
709	enable_firetunnel	711	enable_firetunnel
710	enable_private_home	712	enable_private_home
@@ -1357,6 +1359,7 @@ Optional Features:
1357	--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)	1359	--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
1358	--enable-FEATURE[=ARG] include FEATURE [ARG=yes]	1360	--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
1359	--enable-apparmor enable apparmor	1361	--enable-apparmor enable apparmor
		1362	--disable-dbusproxy disable dbus proxy
1360	--disable-overlayfs disable overlayfs	1363	--disable-overlayfs disable overlayfs
1361	--disable-firetunnel disable firetunnel	1364	--disable-firetunnel disable firetunnel
1362	--disable-private-home disable private home feature	1365	--disable-private-home disable private home feature
@@ -3494,6 +3497,19 @@ fi
3494		3497
3495		3498
3496		3499
		3500	HAVE_DBUSPROXY=""
		3501	# Check whether --enable-dbusproxy was given.
		3502	if test "${enable_dbusproxy+set}" = set; then :
		3503	enableval=$enable_dbusproxy;
		3504	fi
		3505
		3506	if test "x$enable_dbusproxy" != "xno"; then :
		3507
		3508	HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
		3509
		3510
		3511	fi
		3512
3497	HAVE_OVERLAYFS=""	3513	HAVE_OVERLAYFS=""
3498	# Check whether --enable-overlayfs was given.	3514	# Check whether --enable-overlayfs was given.
3499	if test "${enable_overlayfs+set}" = set; then :	3515	if test "${enable_overlayfs+set}" = set; then :
@@ -5375,6 +5391,7 @@ echo " whitelisting: $HAVE_WHITELIST"
5375	echo " private home support: $HAVE_PRIVATE_HOME"	5391	echo " private home support: $HAVE_PRIVATE_HOME"
5376	echo " file transfer support: $HAVE_FILE_TRANSFER"	5392	echo " file transfer support: $HAVE_FILE_TRANSFER"
5377	echo " overlayfs support: $HAVE_OVERLAYFS"	5393	echo " overlayfs support: $HAVE_OVERLAYFS"
		5394	echo " DBUS proxy support: $HAVE_DBUSPROXY"
5378	echo " firetunnel support: $HAVE_FIRETUNNEL"	5395	echo " firetunnel support: $HAVE_FIRETUNNEL"
5379	echo " busybox workaround: $BUSYBOX_WORKAROUND"	5396	echo " busybox workaround: $BUSYBOX_WORKAROUND"
5380	echo " Spectre compiler patch: $HAVE_SPECTRE"	5397	echo " Spectre compiler patch: $HAVE_SPECTRE"


diff --git a/configure.ac b/configure.ac index 241865968..60dc5f42c 100644 --- a/configure.ac +++ b/configure.ac
@@ -52,6 +52,14 @@ AC_SUBST([EXTRA_CFLAGS])
52	AC_SUBST([EXTRA_LDFLAGS])	52	AC_SUBST([EXTRA_LDFLAGS])
53		53
54		54
		55	HAVE_DBUSPROXY=""
		56	AC_ARG_ENABLE([dbusproxy],
		57	AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy]))
		58	AS_IF([test "x$enable_dbusproxy" != "xno"], [
		59	HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
		60	AC_SUBST(HAVE_DBUSPROXY)
		61	])
		62
55	HAVE_OVERLAYFS=""	63	HAVE_OVERLAYFS=""
56	AC_ARG_ENABLE([overlayfs],	64	AC_ARG_ENABLE([overlayfs],
57	AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))	65	AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
@@ -215,6 +223,7 @@ echo " whitelisting: $HAVE_WHITELIST"
215	echo " private home support: $HAVE_PRIVATE_HOME"	223	echo " private home support: $HAVE_PRIVATE_HOME"
216	echo " file transfer support: $HAVE_FILE_TRANSFER"	224	echo " file transfer support: $HAVE_FILE_TRANSFER"
217	echo " overlayfs support: $HAVE_OVERLAYFS"	225	echo " overlayfs support: $HAVE_OVERLAYFS"
		226	echo " DBUS proxy support: $HAVE_DBUSPROXY"
218	echo " firetunnel support: $HAVE_FIRETUNNEL"	227	echo " firetunnel support: $HAVE_FIRETUNNEL"
219	echo " busybox workaround: $BUSYBOX_WORKAROUND"	228	echo " busybox workaround: $BUSYBOX_WORKAROUND"
220	echo " Spectre compiler patch: $HAVE_SPECTRE"	229	echo " Spectre compiler patch: $HAVE_SPECTRE"


diff --git a/src/common.mk.in b/src/common.mk.in index 22c25c6aa..52820848a 100644 --- a/src/common.mk.in +++ b/src/common.mk.in
@@ -23,6 +23,7 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
23	HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@	23	HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
24	HAVE_GCOV=@HAVE_GCOV@	24	HAVE_GCOV=@HAVE_GCOV@
25	HAVE_SELINUX=@HAVE_SELINUX@	25	HAVE_SELINUX=@HAVE_SELINUX@
		26	HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
26		27
27	H_FILE_LIST = $(sort $(wildcard *.[h]))	28	H_FILE_LIST = $(sort $(wildcard *.[h]))
28	C_FILE_LIST = $(sort $(wildcard *.c))	29	C_FILE_LIST = $(sort $(wildcard *.c))
@@ -32,7 +33,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
32	CFLAGS = @CFLAGS@	33	CFLAGS = @CFLAGS@
33	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)	34	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
34	CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'	35	CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
35	MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)	36	MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
36	CFLAGS += $(MANFLAGS)	37	CFLAGS += $(MANFLAGS)
37	CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	38	CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
38	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	39	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fb19e8f5a..a0aa3138a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -295,6 +295,14 @@ void print_compiletime_support(void) {
295	#endif	295	#endif
296	);	296	);
297		297
		298	printf("\t- D-BUS proxy support is %s\n",
		299	#ifdef HAVE_DBUSPROXY
		300	"enabled"
		301	#else
		302	"disabled"
		303	#endif
		304	);
		305
298	printf("\t- file and directory whitelisting support is %s\n",	306	printf("\t- file and directory whitelisting support is %s\n",
299	#ifdef HAVE_WHITELIST	307	#ifdef HAVE_WHITELIST
300	"enabled"	308	"enabled"


diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index f0ba10afc..3cf75ed84 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c
@@ -17,6 +17,7 @@
17	* with this program; if not, write to the Free Software Foundation, Inc.,	17	* with this program; if not, write to the Free Software Foundation, Inc.,
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
		20	#ifdef HAVE_DBUSPROXY
20	#include "firejail.h"	21	#include "firejail.h"
21	#include <sys/mount.h>	22	#include <sys/mount.h>
22	#include <sys/stat.h>	23	#include <sys/stat.h>
@@ -560,3 +561,4 @@ void dbus_apply_policy(void) {
560		561
561	fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");	562	fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
562	}	563	}
		564	#endif // HAVE_DBUSPROXY \ No newline at end of file


diff --git a/src/firejail/join.c b/src/firejail/join.c index 7fd5ec3d3..ca8b8c4bf 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -545,12 +545,14 @@ void join(pid_t pid, int argc, char **argv, int index) {
545	free(display_str);	545	free(display_str);
546	}	546	}
547		547
		548	#ifdef HAVE_DBUSPROXY
548	// set D-Bus environment variables	549	// set D-Bus environment variables
549	struct stat s;	550	struct stat s;
550	if (stat(RUN_DBUS_USER_SOCKET, &s) == 0)	551	if (stat(RUN_DBUS_USER_SOCKET, &s) == 0)
551	dbus_set_session_bus_env();	552	dbus_set_session_bus_env();
552	if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0)	553	if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0)
553	dbus_set_system_bus_env();	554	dbus_set_system_bus_env();
		555	#endif
554		556
555	start_application(0, NULL);	557	start_application(0, NULL);
556		558


diff --git a/src/firejail/main.c b/src/firejail/main.c index 75324b66a..790b0731c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -175,7 +175,9 @@ static void myexit(int rv) {
175		175
176		176
177	// delete sandbox files in shared memory	177	// delete sandbox files in shared memory
		178	#ifdef HAVE_DBUSPROXY
178	dbus_proxy_stop();	179	dbus_proxy_stop();
		180	#endif
179	EUID_ROOT();	181	EUID_ROOT();
180	delete_run_files(sandbox_pid);	182	delete_run_files(sandbox_pid);
181	appimage_clear();	183	appimage_clear();
@@ -2023,6 +2025,11 @@ int main(int argc, char argv, char envp) {
2023	arg_dbus_user = DBUS_POLICY_BLOCK;	2025	arg_dbus_user = DBUS_POLICY_BLOCK;
2024	arg_dbus_system = DBUS_POLICY_BLOCK;	2026	arg_dbus_system = DBUS_POLICY_BLOCK;
2025	}	2027	}
		2028
		2029	//*************************************
		2030	// D-BUS proxy
		2031	//*************************************
		2032	#ifdef HAVE_DBUSPROXY
2026	else if (strncmp("--dbus-user=", argv[i], 12) == 0) {	2033	else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
2027	if (strcmp("filter", argv[i] + 12) == 0) {	2034	if (strcmp("filter", argv[i] + 12) == 0) {
2028	if (arg_dbus_user == DBUS_POLICY_BLOCK) {	2035	if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -2160,6 +2167,7 @@ int main(int argc, char argv, char envp) {
2160	}	2167	}
2161	arg_dbus_log_system = 1;	2168	arg_dbus_log_system = 1;
2162	}	2169	}
		2170	#endif
2163		2171
2164	//*************************************	2172	//*************************************
2165	// network	2173	// network
@@ -2844,6 +2852,7 @@ int main(int argc, char argv, char envp) {
2844	}	2852	}
2845	EUID_USER();	2853	EUID_USER();
2846		2854
		2855	#ifdef HAVE_DBUSPROXY
2847	if (checkcfg(CFG_DBUS)) {	2856	if (checkcfg(CFG_DBUS)) {
2848	dbus_check_profile();	2857	dbus_check_profile();
2849	if (arg_dbus_user == DBUS_POLICY_FILTER \|\|	2858	if (arg_dbus_user == DBUS_POLICY_FILTER \|\|
@@ -2853,6 +2862,7 @@ int main(int argc, char argv, char envp) {
2853	EUID_USER();	2862	EUID_USER();
2854	}	2863	}
2855	}	2864	}
		2865	#endif
2856		2866
2857	// clone environment	2867	// clone environment
2858	int flags = CLONE_NEWNS \| CLONE_NEWPID \| CLONE_NEWUTS \| SIGCHLD;	2868	int flags = CLONE_NEWNS \| CLONE_NEWPID \| CLONE_NEWUTS \| SIGCHLD;


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8eaae9a30..f6ef934db 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -430,11 +430,14 @@ int profile_check_line(char ptr, int lineno, const char fname) {
430	return 0;	430	return 0;
431	}	431	}
432	else if (strcmp(ptr, "nodbus") == 0) {	432	else if (strcmp(ptr, "nodbus") == 0) {
		433	#ifdef HAVE_DBUSPROXY
433	arg_dbus_user = DBUS_POLICY_BLOCK;	434	arg_dbus_user = DBUS_POLICY_BLOCK;
434	arg_dbus_system = DBUS_POLICY_BLOCK;	435	arg_dbus_system = DBUS_POLICY_BLOCK;
		436	#endif
435	return 0;	437	return 0;
436	}	438	}
437	else if (strncmp("dbus-user ", ptr, 10) == 0) {	439	else if (strncmp("dbus-user ", ptr, 10) == 0) {
		440	#ifdef HAVE_DBUSPROXY
438	ptr += 10;	441	ptr += 10;
439	if (strcmp("filter", ptr) == 0) {	442	if (strcmp("filter", ptr) == 0) {
440	if (arg_dbus_user == DBUS_POLICY_BLOCK) {	443	if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -452,44 +455,56 @@ int profile_check_line(char ptr, int lineno, const char fname) {
452	fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);	455	fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
453	exit(1);	456	exit(1);
454	}	457	}
		458	#endif
455	return 0;	459	return 0;
456	}	460	}
457	else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {	461	else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
		462	#ifdef HAVE_DBUSPROXY
458	if (!dbus_check_name(ptr + 14)) {	463	if (!dbus_check_name(ptr + 14)) {
459	printf("Invalid dbus-user.see name: %s\n", ptr + 15);	464	printf("Invalid dbus-user.see name: %s\n", ptr + 15);
460	exit(1);	465	exit(1);
461	}	466	}
		467	#endif
462	return 1;	468	return 1;
463	}	469	}
464	else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {	470	else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
		471	#ifdef HAVE_DBUSPROXY
465	if (!dbus_check_name(ptr + 15)) {	472	if (!dbus_check_name(ptr + 15)) {
466	printf("Invalid dbus-user.talk name: %s\n", ptr + 15);	473	printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
467	exit(1);	474	exit(1);
468	}	475	}
		476	#endif
469	return 1;	477	return 1;
470	}	478	}
471	else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {	479	else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
		480	#ifdef HAVE_DBUSPROXY
472	if (!dbus_check_name(ptr + 14)) {	481	if (!dbus_check_name(ptr + 14)) {
473	fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);	482	fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);
474	exit(1);	483	exit(1);
475	}	484	}
		485	#endif
476	return 1;	486	return 1;
477	}	487	}
478	else if (strncmp(ptr, "dbus-user.call ", 15) == 0) {	488	else if (strncmp(ptr, "dbus-user.call ", 15) == 0) {
		489	#ifdef HAVE_DBUSPROXY
479	if (!dbus_check_call_rule(ptr + 15)) {	490	if (!dbus_check_call_rule(ptr + 15)) {
480	fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15);	491	fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15);
481	exit(1);	492	exit(1);
482	}	493	}
		494	#endif
483	return 1;	495	return 1;
484	}	496	}
485	else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) {	497	else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) {
		498	#ifdef HAVE_DBUSPROXY
486	if (!dbus_check_call_rule(ptr + 20)) {	499	if (!dbus_check_call_rule(ptr + 20)) {
487	fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20);	500	fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20);
488	exit(1);	501	exit(1);
489	}	502	}
		503	#endif
490	return 1;	504	return 1;
491	}	505	}
492	else if (strncmp("dbus-system ", ptr, 12) == 0) {	506	else if (strncmp("dbus-system ", ptr, 12) == 0) {
		507	#ifdef HAVE_DBUSPROXY
493	ptr += 12;	508	ptr += 12;
494	if (strcmp("filter", ptr) == 0) {	509	if (strcmp("filter", ptr) == 0) {
495	if (arg_dbus_system == DBUS_POLICY_BLOCK) {	510	if (arg_dbus_system == DBUS_POLICY_BLOCK) {
@@ -507,41 +522,52 @@ int profile_check_line(char ptr, int lineno, const char fname) {
507	fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);	522	fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
508	exit(1);	523	exit(1);
509	}	524	}
		525	#endif
510	return 0;	526	return 0;
511	}	527	}
512	else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {	528	else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
		529	#ifdef HAVE_DBUSPROXY
513	if (!dbus_check_name(ptr + 16)) {	530	if (!dbus_check_name(ptr + 16)) {
514	fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);	531	fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);
515	exit(1);	532	exit(1);
516	}	533	}
		534	#endif
517	return 1;	535	return 1;
518	}	536	}
519	else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {	537	else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
		538	#ifdef HAVE_DBUSPROXY
520	if (!dbus_check_name(ptr + 17)) {	539	if (!dbus_check_name(ptr + 17)) {
521	fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);	540	fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
522	exit(1);	541	exit(1);
523	}	542	}
		543	#endif
524	return 1;	544	return 1;
525	}	545	}
526	else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {	546	else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
		547	#ifdef HAVE_DBUSPROXY
527	if (!dbus_check_name(ptr + 16)) {	548	if (!dbus_check_name(ptr + 16)) {
528	fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);	549	fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);
529	exit(1);	550	exit(1);
530	}	551	}
		552	#endif
531	return 1;	553	return 1;
532	}	554	}
533	else if (strncmp(ptr, "dbus-system.call ", 17) == 0) {	555	else if (strncmp(ptr, "dbus-system.call ", 17) == 0) {
		556	#ifdef HAVE_DBUSPROXY
534	if (!dbus_check_call_rule(ptr + 17)) {	557	if (!dbus_check_call_rule(ptr + 17)) {
535	fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17);	558	fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17);
536	exit(1);	559	exit(1);
537	}	560	}
		561	#endif
538	return 1;	562	return 1;
539	}	563	}
540	else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) {	564	else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) {
		565	#ifdef HAVE_DBUSPROXY
541	if (!dbus_check_call_rule(ptr + 22)) {	566	if (!dbus_check_call_rule(ptr + 22)) {
542	fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22);	567	fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22);
543	exit(1);	568	exit(1);
544	}	569	}
		570	#endif
545	return 1;	571	return 1;
546	}	572	}
547	else if (strcmp(ptr, "nou2f") == 0) {	573	else if (strcmp(ptr, "nou2f") == 0) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3bb4858c9..ff6be986f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -938,8 +938,9 @@ int sandbox(void* sandbox_arg) {
938	//****************************	938	//****************************
939	// Session D-BUS	939	// Session D-BUS
940	//****************************	940	//****************************
		941	#ifdef HAVE_DBUSPROXY
941	dbus_apply_policy();	942	dbus_apply_policy();
942		943	#endif
943		944
944	//****************************	945	//****************************
945	// hosts and hostname	946	// hosts and hostname