-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/dbus.c | 2 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 10 | ||||
-rw-r--r-- | src/firejail/profile.c | 26 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 |
9 files changed, 78 insertions, 2 deletions
@@ -643,6 +643,7 @@ HAVE_CHROOT | |||
643 | HAVE_PRIVATE_HOME | 643 | HAVE_PRIVATE_HOME |
644 | HAVE_FIRETUNNEL | 644 | HAVE_FIRETUNNEL |
645 | HAVE_OVERLAYFS | 645 | HAVE_OVERLAYFS |
646 | HAVE_DBUSPROXY | ||
646 | EXTRA_LDFLAGS | 647 | EXTRA_LDFLAGS |
647 | EXTRA_CFLAGS | 648 | EXTRA_CFLAGS |
648 | HAVE_APPARMOR | 649 | HAVE_APPARMOR |
@@ -705,6 +706,7 @@ ac_subst_files='' | |||
705 | ac_user_opts=' | 706 | ac_user_opts=' |
706 | enable_option_checking | 707 | enable_option_checking |
707 | enable_apparmor | 708 | enable_apparmor |
709 | enable_dbusproxy | ||
708 | enable_overlayfs | 710 | enable_overlayfs |
709 | enable_firetunnel | 711 | enable_firetunnel |
710 | enable_private_home | 712 | enable_private_home |
@@ -1357,6 +1359,7 @@ Optional Features: | |||
1357 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) | 1359 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) |
1358 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1360 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1359 | --enable-apparmor enable apparmor | 1361 | --enable-apparmor enable apparmor |
1362 | --disable-dbusproxy disable dbus proxy | ||
1360 | --disable-overlayfs disable overlayfs | 1363 | --disable-overlayfs disable overlayfs |
1361 | --disable-firetunnel disable firetunnel | 1364 | --disable-firetunnel disable firetunnel |
1362 | --disable-private-home disable private home feature | 1365 | --disable-private-home disable private home feature |
@@ -3494,6 +3497,19 @@ fi | |||
3494 | 3497 | ||
3495 | 3498 | ||
3496 | 3499 | ||
3500 | HAVE_DBUSPROXY="" | ||
3501 | # Check whether --enable-dbusproxy was given. | ||
3502 | if test "${enable_dbusproxy+set}" = set; then : | ||
3503 | enableval=$enable_dbusproxy; | ||
3504 | fi | ||
3505 | |||
3506 | if test "x$enable_dbusproxy" != "xno"; then : | ||
3507 | |||
3508 | HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" | ||
3509 | |||
3510 | |||
3511 | fi | ||
3512 | |||
3497 | HAVE_OVERLAYFS="" | 3513 | HAVE_OVERLAYFS="" |
3498 | # Check whether --enable-overlayfs was given. | 3514 | # Check whether --enable-overlayfs was given. |
3499 | if test "${enable_overlayfs+set}" = set; then : | 3515 | if test "${enable_overlayfs+set}" = set; then : |
@@ -5375,6 +5391,7 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
5375 | echo " private home support: $HAVE_PRIVATE_HOME" | 5391 | echo " private home support: $HAVE_PRIVATE_HOME" |
5376 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 5392 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
5377 | echo " overlayfs support: $HAVE_OVERLAYFS" | 5393 | echo " overlayfs support: $HAVE_OVERLAYFS" |
5394 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | ||
5378 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 5395 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
5379 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 5396 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
5380 | echo " Spectre compiler patch: $HAVE_SPECTRE" | 5397 | echo " Spectre compiler patch: $HAVE_SPECTRE" |
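diff --git a/configure.ac b/configure.ac
index 241865968..60dc5f42c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,6 +52,14 @@ AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
 
 
+HAVE_DBUSPROXY=""
+AC_ARG_ENABLE([dbusproxy],
+AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy]))
+AS_IF([test "x$enable_dbusproxy" != "xno"], [
+HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
+AC_SUBST(HAVE_DBUSPROXY)
+])
+
 HAVE_OVERLAYFS=""
 AC_ARG_ENABLE([overlayfs],
 AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
@@ -215,6 +223,7 @@ echo " whitelisting: $HAVE_WHITELIST"
 echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
+echo " DBUS proxy support: $HAVE_DBUSPROXY"
 echo " firetunnel support: $HAVE_FIRETUNNEL"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"
 echo " Spectre compiler patch: $HAVE_SPECTRE"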
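diff --git a/src/common.mk.in b/src/common.mk.in
index 22c25c6aa..52820848a 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -23,6 +23,7 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
+HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -32,7 +33,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread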
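diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index fb19e8f5a..a0aa3138a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -295,6 +295,14 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- D-BUS proxy support is %s\n",
+#ifdef HAVE_DBUSPROXY
+"enabled"
+#else
+"disabled"
+#endif
+);
+
 printf("\t- file and directory whitelisting support is %s\n",
 #ifdef HAVE_WHITELIST
 "enabled"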
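diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index f0ba10afc..3cf75ed84 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -17,6 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifdef HAVE_DBUSPROXY
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
@@ -560,3 +561,4 @@ void dbus_apply_policy(void) {
 
 fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
 }
+#endif // HAVE_DBUSPROXY
\ No newline at end of file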
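Review bot: The closing `#endif // HAVE_DBUSPROXY` added in the last hunk is the final line of dbus.c and has no trailing newline (the page marks it `\ No newline at end of file`); C requires a non-empty source file to end in a newline, so the line should be terminated. The opening `#ifdef HAVE_DBUSPROXY` in the first hunk sits before `#include "firejail.h"`, which leaves an empty translation unit in a `--disable-dbusproxy` build and draws a diagnostic under `-Wpedantic`. Moving the guard below the include avoids that, assuming firejail.h declares something unconditionally.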
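diff --git a/src/firejail/join.c b/src/firejail/join.c
index 7fd5ec3d3..ca8b8c4bf 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -545,12 +545,14 @@ void join(pid_t pid, int argc, char **argv, int index) {
 free(display_str);
 }
 
+#ifdef HAVE_DBUSPROXY
 // set D-Bus environment variables
 struct stat s;
 if (stat(RUN_DBUS_USER_SOCKET, &s) == 0)
 dbus_set_session_bus_env();
 if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0)
 dbus_set_system_bus_env();
+#endif
 
 start_application(0, NULL);
 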
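diff --git a/src/firejail/main.c b/src/firejail/main.c
index 75324b66a..790b0731c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -175,7 +175,9 @@ static void myexit(int rv) {
 
 
 // delete sandbox files in shared memory
+#ifdef HAVE_DBUSPROXY
 dbus_proxy_stop();
+#endif
 EUID_ROOT();
 delete_run_files(sandbox_pid);
 appimage_clear();
@@ -2023,6 +2025,11 @@ int main(int argc, char **argv, char **envp) {
 arg_dbus_user = DBUS_POLICY_BLOCK;
 arg_dbus_system = DBUS_POLICY_BLOCK;
 }
+
+//*************************************
+// D-BUS proxy
+//*************************************
+#ifdef HAVE_DBUSPROXY
 else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
 if (strcmp("filter", argv[i] + 12) == 0) {
 if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -2160,6 +2167,7 @@ int main(int argc, char **argv, char **envp) {
 }
 arg_dbus_log_system = 1;
 }
+#endif
 
 //*************************************
 // network
@@ -2844,6 +2852,7 @@ int main(int argc, char **argv, char **envp) {
 }
 EUID_USER();
 
+#ifdef HAVE_DBUSPROXY
 if (checkcfg(CFG_DBUS)) {
 dbus_check_profile();
 if (arg_dbus_user == DBUS_POLICY_FILTER ||
@@ -2853,6 +2862,7 @@ int main(int argc, char **argv, char **envp) {
 EUID_USER();
 }
 }
+#endif
 
 // clone environment
 int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;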
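Review bot: The branch that sets `arg_dbus_user`/`arg_dbus_system` to `DBUS_POLICY_BLOCK` stays outside the new `#ifdef HAVE_DBUSPROXY` in the second hunk, but in a `--disable-dbusproxy` build nothing acts on those values, because the same commit compiles out `dbus_apply_policy()` in sandbox.c and all of dbus.c. If that function is also what enforces the block policy (the warning at its end suggests it handles that path), a request to block D-Bus, whether from the command line or from a profile's `nodbus` / `dbus-user none` line, yields a sandbox that can still reach the bus sockets, with no diagnostic. The safer split is to guard only the proxy/filter path and keep blocking available. Failing that, stop when a restriction cannot be applied, e.g. under `#ifndef HAVE_DBUSPROXY` in that branch: `fprintf(stderr, "Error: D-Bus cannot be blocked, D-Bus support is disabled in this build\n"); exit(1);`. main() starts and ends outside these hunks.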
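diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 8eaae9a30..f6ef934db 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -430,11 +430,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "nodbus") == 0) {
+#ifdef HAVE_DBUSPROXY
 arg_dbus_user = DBUS_POLICY_BLOCK;
 arg_dbus_system = DBUS_POLICY_BLOCK;
+#endif
 return 0;
 }
 else if (strncmp("dbus-user ", ptr, 10) == 0) {
+#ifdef HAVE_DBUSPROXY
 ptr += 10;
 if (strcmp("filter", ptr) == 0) {
 if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -452,44 +455,56 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
 exit(1);
 }
+#endif
 return 0;
 }
 else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_name(ptr + 14)) {
 printf("Invalid dbus-user.see name: %s\n", ptr + 15);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_name(ptr + 15)) {
 printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_name(ptr + 14)) {
 fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-user.call ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_call_rule(ptr + 15)) {
 fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_call_rule(ptr + 20)) {
 fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp("dbus-system ", ptr, 12) == 0) {
+#ifdef HAVE_DBUSPROXY
 ptr += 12;
 if (strcmp("filter", ptr) == 0) {
 if (arg_dbus_system == DBUS_POLICY_BLOCK) {
@@ -507,41 +522,52 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
 exit(1);
 }
+#endif
 return 0;
 }
 else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_name(ptr + 16)) {
 fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_name(ptr + 17)) {
 fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_name(ptr + 16)) {
 fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-system.call ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_call_rule(ptr + 17)) {
 fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) {
+#ifdef HAVE_DBUSPROXY
 if (!dbus_check_call_rule(ptr + 22)) {
 fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22);
 exit(1);
 }
+#endif
 return 1;
 }
 else if (strcmp(ptr, "nou2f") == 0) {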
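Review bot: Nothing in the code says why the thirteen `#ifdef HAVE_DBUSPROXY` pairs sit inside the branch bodies rather than around the branches. The effect is that a `--disable-dbusproxy` build still matches every `dbus-*` line and returns as before, while skipping both the policy assignment and the `dbus_check_name()` / `dbus_check_call_rule()` validation. If the aim is to let shared profiles load on such builds, a comment above the `nodbus` branch would record it, e.g. `// built without D-Bus proxy: dbus-* lines are still recognised so profiles load, but they have no effect`. The `return 1` branches presumably keep the rule line for later use, which would have no consumer in that build; worth confirming against the caller. profile_check_line() starts and ends outside these hunks.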
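diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3bb4858c9..ff6be986f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -938,8 +938,9 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // Session D-BUS
 //****************************
+#ifdef HAVE_DBUSPROXY
 dbus_apply_policy();
-
+#endif
 
 //****************************
 // hosts and hostname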