1 files changed, 42 insertions, 26 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index e358aaa49..0f4f18c57 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -41,6 +41,7 @@
 #define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user"
 #define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system"
 #define DBUS_MAX_NAME_LENGTH 255
+#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
 static pid_t dbus_proxy_pid = 0;
 static int dbus_proxy_status_fd = -1;
@@ -78,42 +79,57 @@ int dbus_check_name(const char *name) {
        return in_segment && segments >= 2;
 }
-static void dbus_check_bus_profile(char const *prefix, DbusPolicy policy) {
+static void dbus_check_bus_profile(char const *prefix, DbusPolicy *policy) {
+        if (*policy == DBUS_POLICY_FILTER) {
+                struct stat s;
+                if (stat(XDG_DBUS_PROXY_PATH, &s) == -1) {
+                        if (errno == ENOENT) {
+                                fprintf(stderr,
+                                                "Warning: " XDG_DBUS_PROXY_PATH
+                                                " was not found, downgrading %s policy to allow.\n"
+                                                "To enable DBus filtering, install the xdg-dbus-proxy "
+                                                "program.\n", prefix);
+                                *policy = DBUS_POLICY_ALLOW;
+                        } else {
+                                errExit("stat");
+                        }
+                } else {
+                        // No need to warn on profile entries.
+                        return;
+                }
+        }
        size_t prefix_length = strlen(prefix);
        ProfileEntry *it = cfg.profile;
+        int num_matches = 0;
+        const char *first_match = NULL;
        while (it) {
                char *data = it->data;
                it = it->next;
                if (strncmp(prefix, data, prefix_length) == 0) {
-                        switch (policy) {
+                        ++num_matches;
-                        case DBUS_POLICY_ALLOW:
+                        if (first_match == NULL)
-                                // We should never get here, because profile parsing will fail earlier.
+                                first_match = data;
-                                fprintf(stderr,
+                }
-                                                "Error: %s filter rule configured, but the bus is not "
+        }
-                                                "set to filter.\n",
-                                                prefix);
+        if (num_matches > 0) {
-                                exit(1);
+                assert(first_match != NULL);
-                                break;
+                if (num_matches == 1) {
-                        case DBUS_POLICY_FILTER:
+                        fprintf(stderr, "Ignoring \"%s\".\n", first_match);
-                                // All good.
+                } else if (num_matches == 2) {
-                                break;
+                        fprintf(stderr, "Ignoring \"%s\" and 1 other %s filter rule.\n",
-                        case DBUS_POLICY_BLOCK:
+                                        first_match, prefix);
-                                fwarning("%s filter rule configured, but the bus is blocked.\n", prefix);
+                } else {
-                                fwarning("Ignoring \"%s\" and any other %s filter rules.\n", data, prefix);
+                        fprintf(stderr, "Ignoring \"%s\" and %d other %s filter rules.\n",
-                                break;
+                                        first_match, num_matches - 1, prefix);
-                        default:
-                                fprintf(stderr, "Error: Unknown %s policy.\n", prefix);
-                                exit(1);
-                                break;
-                        }
-                        break;
                }
        }
 }
 void dbus_check_profile(void) {
-        dbus_check_bus_profile("dbus-user", arg_dbus_user);
+        dbus_check_bus_profile("dbus-user", &arg_dbus_user);
-        dbus_check_bus_profile("dbus-system", arg_dbus_system);
+        dbus_check_bus_profile("dbus-system", &arg_dbus_system);
 }
 static void write_arg(int fd, char const *format, ...) {
@@ -221,7 +237,7 @@ void dbus_proxy_start(void) {
                        if (i != status_pipe[1] && i != args_pipe[0])
                                close(i); // close open files
                }
-                char *args[4] = {"/usr/bin/xdg-dbus-proxy", NULL, NULL, NULL};
+                char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL};
                if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1
                        || asprintf(&args[2], "--args=%d", args_pipe[0]) == -1)
                        errExit("asprintf");

diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index e358aaa49..0f4f18c57 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c
@@ -41,6 +41,7 @@
41	#define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user"	41	#define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user"
42	#define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system"	42	#define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system"
43	#define DBUS_MAX_NAME_LENGTH 255	43	#define DBUS_MAX_NAME_LENGTH 255
		44	#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
44		45
45	static pid_t dbus_proxy_pid = 0;	46	static pid_t dbus_proxy_pid = 0;
46	static int dbus_proxy_status_fd = -1;	47	static int dbus_proxy_status_fd = -1;
@@ -78,42 +79,57 @@ int dbus_check_name(const char *name) {
78	return in_segment && segments >= 2;	79	return in_segment && segments >= 2;
79	}	80	}
80		81
81	static void dbus_check_bus_profile(char const *prefix, DbusPolicy policy) {	82	static void dbus_check_bus_profile(char const prefix, DbusPolicy policy) {
		83	if (*policy == DBUS_POLICY_FILTER) {
		84	struct stat s;
		85	if (stat(XDG_DBUS_PROXY_PATH, &s) == -1) {
		86	if (errno == ENOENT) {
		87	fprintf(stderr,
		88	"Warning: " XDG_DBUS_PROXY_PATH
		89	" was not found, downgrading %s policy to allow.\n"
		90	"To enable DBus filtering, install the xdg-dbus-proxy "
		91	"program.\n", prefix);
		92	*policy = DBUS_POLICY_ALLOW;
		93	} else {
		94	errExit("stat");
		95	}
		96	} else {
		97	// No need to warn on profile entries.
		98	return;
		99	}
		100	}
		101
82	size_t prefix_length = strlen(prefix);	102	size_t prefix_length = strlen(prefix);
83	ProfileEntry *it = cfg.profile;	103	ProfileEntry *it = cfg.profile;
		104	int num_matches = 0;
		105	const char *first_match = NULL;
84	while (it) {	106	while (it) {
85	char *data = it->data;	107	char *data = it->data;
86	it = it->next;	108	it = it->next;
87	if (strncmp(prefix, data, prefix_length) == 0) {	109	if (strncmp(prefix, data, prefix_length) == 0) {
88	switch (policy) {	110	++num_matches;
89	case DBUS_POLICY_ALLOW:	111	if (first_match == NULL)
90	// We should never get here, because profile parsing will fail earlier.	112	first_match = data;
91	fprintf(stderr,	113	}
92	"Error: %s filter rule configured, but the bus is not "	114	}
93	"set to filter.\n",	115
94	prefix);	116	if (num_matches > 0) {
95	exit(1);	117	assert(first_match != NULL);
96	break;	118	if (num_matches == 1) {
97	case DBUS_POLICY_FILTER:	119	fprintf(stderr, "Ignoring \"%s\".\n", first_match);
98	// All good.	120	} else if (num_matches == 2) {
99	break;	121	fprintf(stderr, "Ignoring \"%s\" and 1 other %s filter rule.\n",
100	case DBUS_POLICY_BLOCK:	122	first_match, prefix);
101	fwarning("%s filter rule configured, but the bus is blocked.\n", prefix);	123	} else {
102	fwarning("Ignoring \"%s\" and any other %s filter rules.\n", data, prefix);	124	fprintf(stderr, "Ignoring \"%s\" and %d other %s filter rules.\n",
103	break;	125	first_match, num_matches - 1, prefix);
104	default:
105	fprintf(stderr, "Error: Unknown %s policy.\n", prefix);
106	exit(1);
107	break;
108	}
109	break;
110	}	126	}
111	}	127	}
112	}	128	}
113		129
114	void dbus_check_profile(void) {	130	void dbus_check_profile(void) {
115	dbus_check_bus_profile("dbus-user", arg_dbus_user);	131	dbus_check_bus_profile("dbus-user", &arg_dbus_user);
116	dbus_check_bus_profile("dbus-system", arg_dbus_system);	132	dbus_check_bus_profile("dbus-system", &arg_dbus_system);
117	}	133	}
118		134
119	static void write_arg(int fd, char const *format, ...) {	135	static void write_arg(int fd, char const *format, ...) {
@@ -221,7 +237,7 @@ void dbus_proxy_start(void) {
221	if (i != status_pipe[1] && i != args_pipe[0])	237	if (i != status_pipe[1] && i != args_pipe[0])
222	close(i); // close open files	238	close(i); // close open files
223	}	239	}
224	char *args[4] = {"/usr/bin/xdg-dbus-proxy", NULL, NULL, NULL};	240	char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL};
225	if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1	241	if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1
226	\|\| asprintf(&args[2], "--args=%d", args_pipe[0]) == -1)	242	\|\| asprintf(&args[2], "--args=%d", args_pipe[0]) == -1)
227	errExit("asprintf");	243	errExit("asprintf");