From 4814096e104f70f4a899894e2aa3e68b33753002 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Wed, 15 May 2019 16:09:40 +0300
Subject: dbus: make --nodbus block also system D-Bus socket
Signed-off-by: Topi Miettinen
---
 src/firejail/dbus.c | 5 ++++-
 src/firejail/firejail.h | 2 +-
 src/firejail/sandbox.c | 2 +-
 src/man/firejail.txt | 8 +++++---
 4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index baa41e85e..b046b3279 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,7 +19,7 @@
 */
 #include "firejail.h"
-void dbus_session_disable(void) {
+void dbus_disable(void) {
 if (!checkcfg(CFG_DBUS)) {
 fwarning("D-Bus handling is disabled in Firejail configuration file\n");
 return;
@@ -43,6 +43,9 @@ void dbus_session_disable(void) {
 free(path);
 free(env_var);
+ // blacklist also system D-Bus socket
+ disable_file_or_dir("/run/dbus/system_bus_socket");
+
 // look for a possible abstract unix socket
 // --net=none
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2e04084e3..e0f3a6a16 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -782,6 +782,6 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 // dbus.c
-void dbus_session_disable(void);
+void dbus_disable(void);
 #endif
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 101a16d00..9f0a5f25c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,7 +923,7 @@ int sandbox(void* sandbox_arg) {
 // Session D-BUS
 //****************************
 if (arg_nodbus)
- dbus_session_disable();
+ dbus_disable();
 //****************************
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b56dedcd..8f6948ef4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
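Review bot: The added `disable_file_or_dir("/run/dbus/system_bus_socket");` in the second dbus.c hunk blacklists only the default socket path, given as a string literal, so a system bus listening at another path (for instance one named through `DBUS_SYSTEM_BUS_ADDRESS`) would presumably stay reachable from inside the sandbox. I would state that limit next to the call, e.g. `// default location only; a system bus configured at another path is not blocked here`, and give the literal a name. The call also sits after the `checkcfg(CFG_DBUS)` early return visible in the first hunk, so when D-Bus handling is disabled in the configuration file `--nodbus` appears to leave both buses reachable with only a warning; worth confirming that this is intended now that the option is documented as covering the system bus. The body of `dbus_disable` starts and ends outside these hunks, and the `// Session D-BUS` banner above the call site in sandbox.c no longer matches what the call does.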
@@ -1107,9 +1107,11 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
-disable the abstract socket you would need to request a new network namespace using
-\-\-net command. Another option is to remove unix from \-\-protocol set.
+Disable D-Bus access (both system and session buses). Only the regular
+UNIX sockets are handled by this command. To disable the abstract
+sockets you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from \-\-protocol
+set.
 .br
 .br
--
cgit v1.2.3-54-g00ecf