From 833db940c6fe8b991906014a92cc5e23a98d1177 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 9 Sep 2020 08:30:24 -0400 Subject: disable dbus proxy at compile time (default enabled) - part 1 --- configure | 17 +++++++++++++++++ configure.ac | 9 +++++++++ src/common.mk.in | 3 ++- src/firejail/checkcfg.c | 8 ++++++++ src/firejail/dbus.c | 2 ++ src/firejail/join.c | 2 ++ src/firejail/main.c | 10 ++++++++++ src/firejail/profile.c | 26 ++++++++++++++++++++++++++ src/firejail/sandbox.c | 3 ++- 9 files changed, 78 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 5a80402b1..2ca71d3e2 100755 --- a/configure +++ b/configure @@ -643,6 +643,7 @@ HAVE_CHROOT HAVE_PRIVATE_HOME HAVE_FIRETUNNEL HAVE_OVERLAYFS +HAVE_DBUSPROXY EXTRA_LDFLAGS EXTRA_CFLAGS HAVE_APPARMOR @@ -705,6 +706,7 @@ ac_subst_files='' ac_user_opts=' enable_option_checking enable_apparmor +enable_dbusproxy enable_overlayfs enable_firetunnel enable_private_home @@ -1357,6 +1359,7 @@ Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-apparmor enable apparmor + --disable-dbusproxy disable dbus proxy --disable-overlayfs disable overlayfs --disable-firetunnel disable firetunnel --disable-private-home disable private home feature @@ -3494,6 +3497,19 @@ fi +HAVE_DBUSPROXY="" +# Check whether --enable-dbusproxy was given. +if test "${enable_dbusproxy+set}" = set; then : + enableval=$enable_dbusproxy; +fi + +if test "x$enable_dbusproxy" != "xno"; then : + + HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" + + +fi + HAVE_OVERLAYFS="" # Check whether --enable-overlayfs was given. if test "${enable_overlayfs+set}" = set; then : 
@@ -5375,6 +5391,7 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" +echo " DBUS proxy support: $HAVE_DBUSPROXY" echo " firetunnel support: $HAVE_FIRETUNNEL" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " Spectre compiler patch: $HAVE_SPECTRE" diff --git a/configure.ac b/configure.ac index 241865968..60dc5f42c 100644 --- a/configure.ac +++ b/configure.ac @@ -52,6 +52,14 @@ AC_SUBST([EXTRA_CFLAGS]) AC_SUBST([EXTRA_LDFLAGS]) +HAVE_DBUSPROXY="" +AC_ARG_ENABLE([dbusproxy], + AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])) +AS_IF([test "x$enable_dbusproxy" != "xno"], [ + HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" + AC_SUBST(HAVE_DBUSPROXY) +]) + HAVE_OVERLAYFS="" AC_ARG_ENABLE([overlayfs], AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) @@ -215,6 +223,7 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" +echo " DBUS proxy support: $HAVE_DBUSPROXY" echo " firetunnel support: $HAVE_FIRETUNNEL" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " Spectre compiler patch: $HAVE_SPECTRE" diff --git a/src/common.mk.in b/src/common.mk.in index 22c25c6aa..52820848a 100644 --- a/src/common.mk.in +++ b/src/common.mk.in @@ -23,6 +23,7 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ HAVE_GCOV=@HAVE_GCOV@ HAVE_SELINUX=@HAVE_SELINUX@ +HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) 
@@ -32,7 +33,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS = @CFLAGS@ CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) +MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) CFLAGS += $(MANFLAGS) CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fb19e8f5a..a0aa3138a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -295,6 +295,14 @@ void print_compiletime_support(void) { #endif ); + printf("\t- D-BUS proxy support is %s\n", +#ifdef HAVE_DBUSPROXY + "enabled" +#else + "disabled" +#endif + ); + printf("\t- file and directory whitelisting support is %s\n", #ifdef HAVE_WHITELIST "enabled" diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index f0ba10afc..3cf75ed84 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c @@ -17,6 +17,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#ifdef HAVE_DBUSPROXY #include "firejail.h" #include #include @@ -560,3 +561,4 @@ void dbus_apply_policy(void) { fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); } +#endif // HAVE_DBUSPROXY \ No newline at end of file 
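Review bot: Wrapping all of dbus.c in `#ifdef HAVE_DBUSPROXY` (hunks at -17 and -560) compiles out `dbus_apply_policy()` together with the proxy, and the sandbox.c hunk guards its call, so a `--disable-dbusproxy` build appears to lose whatever D-Bus blocking that function performs, not only filtering. The function body is outside these hunks, so this is inferred from its name and the session-bus warning at its tail; if it does enforce `DBUS_POLICY_BLOCK`, keep that path compiled unconditionally and guard only the proxy-specific functions. At minimum state the scope next to the guard, e.g. `// HAVE_DBUSPROXY gates all D-Bus policy code in this file, including the block policy`. The closing `#endif` also leaves the file without a trailing newline.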
diff --git a/src/firejail/join.c b/src/firejail/join.c index 7fd5ec3d3..ca8b8c4bf 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -545,12 +545,14 @@ void join(pid_t pid, int argc, char **argv, int index) { free(display_str); } +#ifdef HAVE_DBUSPROXY // set D-Bus environment variables struct stat s; if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) dbus_set_session_bus_env(); if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) dbus_set_system_bus_env(); +#endif start_application(0, NULL); diff --git a/src/firejail/main.c b/src/firejail/main.c index 75324b66a..790b0731c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -175,7 +175,9 @@ static void myexit(int rv) { // delete sandbox files in shared memory +#ifdef HAVE_DBUSPROXY dbus_proxy_stop(); +#endif EUID_ROOT(); delete_run_files(sandbox_pid); appimage_clear(); @@ -2023,6 +2025,11 @@ int main(int argc, char **argv, char **envp) { arg_dbus_user = DBUS_POLICY_BLOCK; arg_dbus_system = DBUS_POLICY_BLOCK; } + + //************************************* + // D-BUS proxy + //************************************* +#ifdef HAVE_DBUSPROXY else if (strncmp("--dbus-user=", argv[i], 12) == 0) { if (strcmp("filter", argv[i] + 12) == 0) { if (arg_dbus_user == DBUS_POLICY_BLOCK) { @@ -2160,6 +2167,7 @@ int main(int argc, char **argv, char **envp) { } arg_dbus_log_system = 1; } +#endif //************************************* // network @@ -2844,6 +2852,7 @@ int main(int argc, char **argv, char **envp) { } EUID_USER(); +#ifdef HAVE_DBUSPROXY if (checkcfg(CFG_DBUS)) { dbus_check_profile(); if (arg_dbus_user == DBUS_POLICY_FILTER || @@ -2853,6 +2862,7 @@ int main(int argc, char **argv, char **envp) { EUID_USER(); } } +#endif // clone environment int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8eaae9a30..f6ef934db 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
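Review bot: In main.c the new `#ifdef HAVE_DBUSPROXY` in the option parser (hunk at -2023) starts after the branch that sets `arg_dbus_user = DBUS_POLICY_BLOCK; arg_dbus_system = DBUS_POLICY_BLOCK;`, so that option (its condition is outside the hunk, presumably `--nodbus`) is still accepted in a build where the code acting on those variables is compiled out. A user who asks for D-Bus to be blocked then gets no error and no indication that the request has no effect. Make that visible or fail closed, for example by adding `#ifndef HAVE_DBUSPROXY` / `fwarning("D-Bus support was disabled at compile time, D-Bus access is not restricted\n");` / `#endif` inside that branch. The `--dbus-user=` and `--dbus-system=` branches guarded here, closed by the `#endif` in the -2160 hunk, presumably fall through to the unknown-option handling, which is the safer behaviour.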
@@ -430,11 +430,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "nodbus") == 0) { +#ifdef HAVE_DBUSPROXY arg_dbus_user = DBUS_POLICY_BLOCK; arg_dbus_system = DBUS_POLICY_BLOCK; +#endif return 0; } else if (strncmp("dbus-user ", ptr, 10) == 0) { +#ifdef HAVE_DBUSPROXY ptr += 10; if (strcmp("filter", ptr) == 0) { if (arg_dbus_user == DBUS_POLICY_BLOCK) { @@ -452,44 +455,56 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); exit(1); } +#endif return 0; } else if (strncmp(ptr, "dbus-user.see ", 14) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 14)) { printf("Invalid dbus-user.see name: %s\n", ptr + 15); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 15)) { printf("Invalid dbus-user.talk name: %s\n", ptr + 15); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-user.own ", 14) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 14)) { fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-user.call ", 15) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_call_rule(ptr + 15)) { fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_call_rule(ptr + 20)) { fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20); exit(1); } +#endif return 1; } else if (strncmp("dbus-system ", ptr, 12) == 0) { +#ifdef HAVE_DBUSPROXY ptr += 12; if (strcmp("filter", ptr) == 0) { if (arg_dbus_system == DBUS_POLICY_BLOCK) { 
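Review bot: With `HAVE_DBUSPROXY` undefined, every guarded branch in `profile_check_line()` still matches its directive and returns, so `nodbus`, the `dbus-user`/`dbus-system` policy lines and the `see`/`talk`/`own`/`call`/`broadcast` rules in a profile are accepted and silently dropped; the same pattern repeats in the hunks at -452 and -507. For the restricting directives this fails open: a profile written to cut the application off from D-Bus loads cleanly and restricts nothing. Add an `#else` arm that reports it, e.g. `fprintf(stderr, "Warning: D-Bus support is disabled at compile time, \"%s\" ignored\n", ptr);`, or exit for the blocking directives. The `nodbus` assignment is also guarded here while the equivalent assignment in main.c stays outside the guard, so the two should be made consistent. The function starts and ends outside these hunks.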
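Review bot: The `dbus-user.see` branch in the -452 hunk validates `ptr + 14` but prints `ptr + 15` in its error message, so the reported name loses its first character, and it uses `printf` where the sibling branches write to stderr; `dbus-system.see` in the -507 hunk has the same offset mismatch (`ptr + 16` checked, `ptr + 17` printed). These lines are unchanged context, but since the commit is already wrapping them they are worth fixing here: `fprintf(stderr, "Invalid dbus-user.see name: %s\n", ptr + 14);` and `ptr + 16` in the system variant.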
@@ -507,41 +522,52 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); exit(1); } +#endif return 0; } else if (strncmp(ptr, "dbus-system.see ", 16) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 16)) { fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 17)) { fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-system.own ", 16) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 16)) { fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-system.call ", 17) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_call_rule(ptr + 17)) { fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_call_rule(ptr + 22)) { fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22); exit(1); } +#endif return 1; } else if (strcmp(ptr, "nou2f") == 0) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3bb4858c9..ff6be986f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -938,8 +938,9 @@ int sandbox(void* sandbox_arg) { //**************************** // Session D-BUS //**************************** +#ifdef HAVE_DBUSPROXY dbus_apply_policy(); - +#endif //**************************** // hosts and hostname -- cgit v1.2.3-70-g09d2