5 files changed, 90 insertions, 17 deletions
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 7acbd338c..241b8fc44 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,12 +19,7 @@
 */
 #include "firejail.h"
-void dbus_disable(void) {
+static void dbus_block_user(void) {
-        if (!checkcfg(CFG_DBUS)) {
-                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
-                return;
-        }
        char *path;
        if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
                errExit("asprintf");
@@ -43,16 +38,32 @@ void dbus_disable(void) {
        free(path);
        free(env_var);
        // blacklist the dbus-launch user directory
        if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
                errExit("asprintf");
        disable_file_or_dir(path);
        free(path);
+}
+static void dbus_block_system() {
        // blacklist also system D-Bus socket
        disable_file_or_dir("/run/dbus/system_bus_socket");
+}
+void dbus_apply_policy(void) {
+        if (arg_dbus_user == DBUS_POLICY_ALLOW && arg_dbus_system == DBUS_POLICY_ALLOW)
+                return;
+        if (!checkcfg(CFG_DBUS)) {
+                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
+                return;
+        }
+        if (arg_dbus_user != DBUS_POLICY_ALLOW)
+                dbus_block_user();
+        if (arg_dbus_system != DBUS_POLICY_ALLOW)
+                dbus_block_system();
        // look for a possible abstract unix socket
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1cb8b2d22..ea4012335 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -340,9 +340,16 @@ extern int arg_memory_deny_write_execute;	// block writable and executable memor
 extern int arg_notv;    // --notv
 extern int arg_nodvd;   // --nodvd
 extern int arg_nou2f;   // --nou2f
-extern int arg_nodbus; // -nodbus
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
+typedef enum {
+        DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
+        DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy
+        DBUS_POLICY_BLOCK   // Block access
+} DbusPolicy;
+extern DbusPolicy arg_dbus_user; // --dbus-user
+extern DbusPolicy arg_dbus_system; // --dbus-system
 extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -836,7 +843,7 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 // dbus.c
-void dbus_disable(void);
+void dbus_apply_policy(void);
 // dhcp.c
 extern pid_t dhclient4_pid;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d01725c95..fd2c6cb62 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -144,9 +144,10 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int arg_notv = 0;       // --notv
 int arg_nodvd = 0; // --nodvd
-int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
+DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
+DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 int login_shell = 0;
 //**********************************************************************************
@@ -2053,8 +2054,34 @@ int main(int argc, char **argv, char **envp) {
                        arg_nodvd = 1;
                else if (strcmp(argv[i], "--nou2f") == 0)
                        arg_nou2f = 1;
-                else if (strcmp(argv[i], "--nodbus") == 0)
+                else if (strcmp(argv[i], "--nodbus") == 0) {
-                        arg_nodbus = 1;
+                        arg_dbus_user = DBUS_POLICY_BLOCK;
+                        arg_dbus_system = DBUS_POLICY_BLOCK;
+                }
+                else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
+                        if (strcmp("allow", argv[i] + 12) == 0) {
+                                arg_dbus_user = DBUS_POLICY_ALLOW;
+                        } else if (strcmp("filter", argv[i] + 12) == 0) {
+                                arg_dbus_user = DBUS_POLICY_FILTER;
+                        } else if (strcmp("none", argv[i] + 12) == 0) {
+                                arg_dbus_user = DBUS_POLICY_BLOCK;
+                        } else {
+                                fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12);
+                                exit(1);
+                        }
+                }
+                else if (strncmp("--dbus-system=", argv[i], 14) == 0) {
+                        if (strcmp("allow", argv[i] + 14) == 0) {
+                                arg_dbus_system = DBUS_POLICY_ALLOW;
+                        } else if (strcmp("filter", argv[i] + 14) == 0) {
+                                arg_dbus_system = DBUS_POLICY_FILTER;
+                        } else if (strcmp("none", argv[i] + 14) == 0) {
+                                arg_dbus_system = DBUS_POLICY_BLOCK;
+                        } else {
+                                fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14);
+                                exit(1);
+                        }
+                }
                //*************************************
                // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d709a7951..14533ce08 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -150,7 +150,7 @@ static int check_netoptions(void) {
 }
 static int check_nodbus(void) {
-        return arg_nodbus != 0;
+        return arg_dbus_user != DBUS_POLICY_ALLOW || arg_dbus_system != DBUS_POLICY_ALLOW;
 }
 static int check_nosound(void) {
@@ -432,11 +432,40 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        else if (strcmp(ptr, "nodbus") == 0) {
-                arg_nodbus = 1;
+                arg_dbus_user = DBUS_POLICY_BLOCK;
+                arg_dbus_system = DBUS_POLICY_BLOCK;
+                return 0;
+        }
+        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+                ptr += 10;
+                if (strcmp("allow", ptr) == 0) {
+                        arg_dbus_user = DBUS_POLICY_ALLOW;
+                } else if (strcmp("filter", ptr) == 0) {
+                        arg_dbus_user = DBUS_POLICY_FILTER;
+                } else if (strcmp("none", ptr) == 0) {
+                        arg_dbus_user = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
+                        exit(1);
+                }
+                return 0;
+        }
+        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+                ptr += 12;
+                if (strcmp("allow", ptr) == 0) {
+                        arg_dbus_system = DBUS_POLICY_ALLOW;
+                } else if (strcmp("filter", ptr) == 0) {
+                        arg_dbus_system = DBUS_POLICY_FILTER;
+                } else if (strcmp("none", ptr) == 0) {
+                        arg_dbus_system = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
+                        exit(1);
+                }
                return 0;
        }
        else if (strcmp(ptr, "nou2f") == 0) {
-                arg_nou2f = 1;
+                arg_nou2f = 1;
                return 0;
        }
        else if (strcmp(ptr, "netfilter") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e20ec603c..37d108750 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -932,8 +932,7 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // Session D-BUS
        //****************************
-        if (arg_nodbus)
+        dbus_apply_policy();
-                dbus_disable();
        //****************************