diff options
-rw-r--r-- | src/firejail/dbus.c | 21 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 32 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 |
4 files changed, 63 insertions, 1 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 5b47567e2..18576612d 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -285,6 +285,8 @@ static char *find_user_socket(void) { | |||
285 | void dbus_proxy_start(void) { | 285 | void dbus_proxy_start(void) { |
286 | dbus_create_user_dir(); | 286 | dbus_create_user_dir(); |
287 | 287 | ||
288 | EUID_USER(); | ||
289 | |||
288 | int status_pipe[2]; | 290 | int status_pipe[2]; |
289 | if (pipe(status_pipe) == -1) | 291 | if (pipe(status_pipe) == -1) |
290 | errExit("pipe"); | 292 | errExit("pipe"); |
@@ -299,10 +301,21 @@ void dbus_proxy_start(void) { | |||
299 | errExit("fork"); | 301 | errExit("fork"); |
300 | if (dbus_proxy_pid == 0) { | 302 | if (dbus_proxy_pid == 0) { |
301 | int i; | 303 | int i; |
302 | for (i = 3; i < FIREJAIL_MAX_FD; i++) { | 304 | for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) { |
303 | if (i != status_pipe[1] && i != args_pipe[0]) | 305 | if (i != status_pipe[1] && i != args_pipe[0]) |
304 | close(i); // close open files | 306 | close(i); // close open files |
305 | } | 307 | } |
308 | if (arg_dbus_log_file != NULL) { | ||
309 | int output_fd = creat(arg_dbus_log_file, 0666); | ||
310 | if (output_fd < 0) | ||
311 | errExit("creat"); | ||
312 | if (output_fd != STDOUT_FILENO) { | ||
313 | if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO) | ||
314 | errExit("dup2"); | ||
315 | close(output_fd); | ||
316 | } | ||
317 | } | ||
318 | close(STDIN_FILENO); | ||
306 | char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL}; | 319 | char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL}; |
307 | if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1 | 320 | if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1 |
308 | || asprintf(&args[2], "--args=%d", args_pipe[0]) == -1) | 321 | || asprintf(&args[2], "--args=%d", args_pipe[0]) == -1) |
@@ -328,6 +341,9 @@ void dbus_proxy_start(void) { | |||
328 | (int) getuid(), (int) getpid()) == -1) | 341 | (int) getuid(), (int) getpid()) == -1) |
329 | errExit("asprintf"); | 342 | errExit("asprintf"); |
330 | write_arg(args_pipe[1], "%s", dbus_user_proxy_socket); | 343 | write_arg(args_pipe[1], "%s", dbus_user_proxy_socket); |
344 | if (arg_dbus_log_user) { | ||
345 | write_arg(args_pipe[1], "--log"); | ||
346 | } | ||
331 | write_arg(args_pipe[1], "--filter"); | 347 | write_arg(args_pipe[1], "--filter"); |
332 | write_profile(args_pipe[1], "dbus-user."); | 348 | write_profile(args_pipe[1], "dbus-user."); |
333 | } | 349 | } |
@@ -344,6 +360,9 @@ void dbus_proxy_start(void) { | |||
344 | (int) getuid(), (int) getpid()) == -1) | 360 | (int) getuid(), (int) getpid()) == -1) |
345 | errExit("asprintf"); | 361 | errExit("asprintf"); |
346 | write_arg(args_pipe[1], "%s", dbus_system_proxy_socket); | 362 | write_arg(args_pipe[1], "%s", dbus_system_proxy_socket); |
363 | if (arg_dbus_log_system) { | ||
364 | write_arg(args_pipe[1], "--log"); | ||
365 | } | ||
347 | write_arg(args_pipe[1], "--filter"); | 366 | write_arg(args_pipe[1], "--filter"); |
348 | write_profile(args_pipe[1], "dbus-system."); | 367 | write_profile(args_pipe[1], "dbus-system."); |
349 | } | 368 | } |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 19ec2762c..1ef4887ea 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -349,6 +349,9 @@ typedef enum { | |||
349 | } DbusPolicy; | 349 | } DbusPolicy; |
350 | extern DbusPolicy arg_dbus_user; // --dbus-user | 350 | extern DbusPolicy arg_dbus_user; // --dbus-user |
351 | extern DbusPolicy arg_dbus_system; // --dbus-system | 351 | extern DbusPolicy arg_dbus_system; // --dbus-system |
352 | extern int arg_dbus_log_user; | ||
353 | extern int arg_dbus_log_system; | ||
354 | extern const char *arg_dbus_log_file; | ||
352 | 355 | ||
353 | extern int login_shell; | 356 | extern int login_shell; |
354 | extern int parent_to_child_fds[2]; | 357 | extern int parent_to_child_fds[2]; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8d60d3790..e458d16f4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -148,6 +148,9 @@ int arg_nou2f = 0; // --nou2f | |||
148 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 148 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
149 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user | 149 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user |
150 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system | 150 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system |
151 | const char *arg_dbus_log_file = NULL; | ||
152 | int arg_dbus_log_user = 0; | ||
153 | int arg_dbus_log_system = 0; | ||
151 | int login_shell = 0; | 154 | int login_shell = 0; |
152 | 155 | ||
153 | //********************************************************************************** | 156 | //********************************************************************************** |
@@ -2067,6 +2070,10 @@ int main(int argc, char **argv, char **envp) { | |||
2067 | } | 2070 | } |
2068 | arg_dbus_user = DBUS_POLICY_FILTER; | 2071 | arg_dbus_user = DBUS_POLICY_FILTER; |
2069 | } else if (strcmp("none", argv[i] + 12) == 0) { | 2072 | } else if (strcmp("none", argv[i] + 12) == 0) { |
2073 | if (arg_dbus_log_user) { | ||
2074 | fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n"); | ||
2075 | exit(1); | ||
2076 | } | ||
2070 | arg_dbus_user = DBUS_POLICY_BLOCK; | 2077 | arg_dbus_user = DBUS_POLICY_BLOCK; |
2071 | } else { | 2078 | } else { |
2072 | fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12); | 2079 | fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12); |
@@ -2121,6 +2128,10 @@ int main(int argc, char **argv, char **envp) { | |||
2121 | } | 2128 | } |
2122 | arg_dbus_system = DBUS_POLICY_FILTER; | 2129 | arg_dbus_system = DBUS_POLICY_FILTER; |
2123 | } else if (strcmp("none", argv[i] + 14) == 0) { | 2130 | } else if (strcmp("none", argv[i] + 14) == 0) { |
2131 | if (arg_dbus_log_system) { | ||
2132 | fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n"); | ||
2133 | exit(1); | ||
2134 | } | ||
2124 | arg_dbus_system = DBUS_POLICY_BLOCK; | 2135 | arg_dbus_system = DBUS_POLICY_BLOCK; |
2125 | } else { | 2136 | } else { |
2126 | fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14); | 2137 | fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14); |
@@ -2167,6 +2178,27 @@ int main(int argc, char **argv, char **envp) { | |||
2167 | profile_check_line(line, 0, NULL); // will exit if something wrong | 2178 | profile_check_line(line, 0, NULL); // will exit if something wrong |
2168 | profile_add(line); | 2179 | profile_add(line); |
2169 | } | 2180 | } |
2181 | else if (strncmp(argv[i], "--dbus-log=", 11) == 0) { | ||
2182 | if (arg_dbus_log_file != NULL) { | ||
2183 | fprintf(stderr, "Error: --dbus-log option already specified\n"); | ||
2184 | exit(1); | ||
2185 | } | ||
2186 | arg_dbus_log_file = argv[i] + 11; | ||
2187 | } | ||
2188 | else if (strcmp(argv[i], "--dbus-user.log") == 0) { | ||
2189 | if (arg_dbus_user != DBUS_POLICY_FILTER) { | ||
2190 | fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n"); | ||
2191 | exit(1); | ||
2192 | } | ||
2193 | arg_dbus_log_user = 1; | ||
2194 | } | ||
2195 | else if (strcmp(argv[i], "--dbus-system.log") == 0) { | ||
2196 | if (arg_dbus_system != DBUS_POLICY_FILTER) { | ||
2197 | fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n"); | ||
2198 | exit(1); | ||
2199 | } | ||
2200 | arg_dbus_log_system = 1; | ||
2201 | } | ||
2170 | 2202 | ||
2171 | //************************************* | 2203 | //************************************* |
2172 | // network | 2204 | // network |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 699ca4bea..749006487 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -445,6 +445,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
445 | } | 445 | } |
446 | arg_dbus_user = DBUS_POLICY_FILTER; | 446 | arg_dbus_user = DBUS_POLICY_FILTER; |
447 | } else if (strcmp("none", ptr) == 0) { | 447 | } else if (strcmp("none", ptr) == 0) { |
448 | if (arg_dbus_log_user) { | ||
449 | fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n"); | ||
450 | exit(1); | ||
451 | } | ||
448 | arg_dbus_user = DBUS_POLICY_BLOCK; | 452 | arg_dbus_user = DBUS_POLICY_BLOCK; |
449 | } else { | 453 | } else { |
450 | fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); | 454 | fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); |
@@ -496,6 +500,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
496 | } | 500 | } |
497 | arg_dbus_system = DBUS_POLICY_FILTER; | 501 | arg_dbus_system = DBUS_POLICY_FILTER; |
498 | } else if (strcmp("none", ptr) == 0) { | 502 | } else if (strcmp("none", ptr) == 0) { |
503 | if (arg_dbus_log_system) { | ||
504 | fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n"); | ||
505 | exit(1); | ||
506 | } | ||
499 | arg_dbus_system = DBUS_POLICY_BLOCK; | 507 | arg_dbus_system = DBUS_POLICY_BLOCK; |
500 | } else { | 508 | } else { |
501 | fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); | 509 | fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); |