From ae008e5fa9e8a901fbf255664f3de775415a39a3 Mon Sep 17 00:00:00 2001
From: startx2017
Date: Mon, 26 Mar 2018 10:37:02 -0400
Subject: --nodbus, first draft for #1825
---
 src/firejail/firejail.h | 6 ++++++
 src/firejail/fs_dev.c | 20 --------------------
 src/firejail/main.c | 5 ++++-
 src/firejail/profile.c | 6 +++++-
 src/firejail/pulseaudio.c | 37 ++++---------------------------------
 src/firejail/sandbox.c | 7 +++++++
 src/firejail/util.c | 31 +++++++++++++++++++++++++++++++
 7 files changed, 57 insertions(+), 55 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5af141289..6141d6223 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -382,6 +382,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute; // block writable and executable memory
 extern int arg_notv; // --notv
 extern int arg_nodvd; // --nodvd
+extern int arg_nodbus; // -nodbus
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -520,6 +521,8 @@ void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 unsigned extract_timeout(const char *str);
+void disable_file_or_dir(const char *fname);
+void disable_file_path(const char *path, const char *file);
 // fs_var.c
 void fs_var_log(void); // mounting /var/log
@@ -800,4 +803,7 @@ void set_name_run_file(pid_t pid);
 void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
+// dbus.c
+void dbus_session_disable(void);
+
 #endif
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 6eac78d96..152ddf5f7 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
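Review bot: The comment on the new `arg_nodbus` declaration in firejail.h reads `// -nodbus`, but the option parsed in main.c is `--nodbus`; the definition added in main.c repeats the same comment. Write it as `extern int arg_nodbus; // --nodbus` (and likewise on the definition) so a search for the option string finds both lines.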
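Review bot: The last firejail.h hunk declares `dbus_session_disable()` under a `// dbus.c` heading and sandbox.c calls it, but the diffstat lists seven files and none of them is src/firejail/dbus.c. Unless that file arrives in another commit, the tree will not link after this patch, and the code that actually implements the restriction cannot be reviewed next to its call site. Add dbus.c to this commit, or say in the commit message where the definition lives.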
@@ -297,26 +297,6 @@ void fs_private_dev(void){
 }
 }
-
-
-static void disable_file_or_dir(const char *fname) {
- if (arg_debug)
- printf("disable %s\n", fname);
- struct stat s;
- if (stat(fname, &s) != -1) {
- if (is_dir(fname)) {
- if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable directory");
- }
- else {
- if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable file");
- }
- }
- fs_logger2("blacklist", fname);
-
-}
-
 void fs_dev_disable_sound(void) {
 unsigned i = 0;
 while (dev[i].dev_fname != NULL) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 38db165e8..6dc19abdd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
 int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_nodbus = 0; // -nodbus
 int login_shell = 0;
@@ -1111,7 +1112,7 @@ int main(int argc, char **argv) {
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
 if (cfg.protocol) {
- fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
+ fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
 }
 else {
 // store list
@@ -1734,6 +1735,8 @@ int main(int argc, char **argv) {
 arg_notv = 1;
 else if (strcmp(argv[i], "--nodvd") == 0)
 arg_nodvd = 1;
+ else if (strcmp(argv[i], "--nodbus") == 0)
+ arg_nodbus = 1;
 //*************************************
 // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5566b9860..2cb91964a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
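Review bot: The reworded warning in the `--protocol=` branch of main.c prints only the list that is kept (`cfg.protocol`) and no longer names the one being discarded, so a user who supplies a stricter protocol list second cannot tell from the message that it was ignored. Name both values, e.g. `fwarning("two protocol lists are present, \"%s\" will be installed, \"%s\" is ignored\n", cfg.protocol, argv[i] + 11);`. The matching change in profile.c has the same gap and would take `ptr + 9` as the second argument. main() starts and ends outside this hunk.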
@@ -249,6 +249,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_no3d = 1;
 return 0;
 }
+ else if (strcmp(ptr, "nodbus") == 0) {
+ arg_nodbus = 1;
+ return 0;
+ }
 else if (strcmp(ptr, "allow-private-blacklist") == 0) {
 fmessage("--allow-private-blacklist was deprecated\n");
 return 0;
@@ -549,7 +553,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 if (cfg.protocol) {
- fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
+ fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
 return 0;
 }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index ef674fb4a..9109a6865 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,52 +24,24 @@
 #include
 #include
-static void disable_file(const char *path, const char *file) {
- assert(file);
- assert(path);
-
- struct stat s;
- char *fname;
- if (asprintf(&fname, "%s/%s", path, file) == -1)
- errExit("asprintf");
- if (stat(fname, &s) == -1)
- goto doexit;
-
- if (arg_debug)
- printf("Disable%s\n", fname);
-
- if (S_ISDIR(s.st_mode)) {
- if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable file");
- }
- else {
- if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable file");
- }
- fs_logger2("blacklist", fname);
-
-doexit:
- free(fname);
-}
-
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
 if (arg_debug)
 printf("disable pulseaudio\n");
 // blacklist user config directory
- disable_file(cfg.homedir, ".config/pulse");
+ disable_file_path(cfg.homedir, ".config/pulse");
 // blacklist pulseaudio socket in XDG_RUNTIME_DIR
 char *name = getenv("XDG_RUNTIME_DIR");
 if (name)
- disable_file(name, "pulse/native");
+ disable_file_path(name, "pulse/native");
 // try the default location anyway
 char *path;
 if (asprintf(&path, "/run/user/%d", getuid()) == -1)
 errExit("asprintf");
- disable_file(path, "pulse/native");
+ disable_file_path(path, "pulse/native");
 free(path);
@@ -87,12 +59,11 @@ void pulseaudio_disable(void) {
 struct dirent *entry;
 while ((entry = readdir(dir))) {
 if (strncmp(entry->d_name, "pulse-", 6) == 0) {
- disable_file("/tmp", entry->d_name);
+ disable_file_path("/tmp", entry->d_name);
 }
 }
 closedir(dir);
-
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96b7b267b..75dbc976d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -837,6 +837,13 @@ int sandbox(void* sandbox_arg) {
 EUID_ROOT();
 }
+ //****************************
+ // Session D-BUS
+ //****************************
+ if (arg_nodbus)
+ dbus_session_disable();
+
+
 //****************************
 // hosts and hostname
 //****************************
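Review bot: In the sandbox.c hunk an option named `--nodbus` leads only to a call to `dbus_session_disable()` under a "Session D-BUS" banner, and nothing visible in this patch deals with the system bus. The function body is not part of the patch, so this is inferred from the name, but a user who sets `nodbus` in a profile will reasonably expect all D-Bus access to be cut off. State the actual scope at the call site, for example `// --nodbus: only the session bus is disabled here; the system bus is not affected`, and carry the same wording into the option's documentation. sandbox() starts and ends outside this hunk.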
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0adca5e33..c644f83a8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include
 #include
+#include
 #include
 #include
 #include
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
 return h * 3600 + m * 60 + s;
 }
+
+void disable_file_or_dir(const char *fname) {
+ if (arg_debug)
+ printf("blacklist %s\n", fname);
+ struct stat s;
+ if (stat(fname, &s) != -1) {
+ if (is_dir(fname)) {
+ if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+ errExit("disable directory");
+ }
+ else {
+ if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+ errExit("disable file");
+ }
+ }
+ fs_logger2("blacklist", fname);
+}
+
+void disable_file_path(const char *path, const char *file) {
+ assert(file);
+ assert(path);
+
+ char *fname;
+ if (asprintf(&fname, "%s/%s", path, file) == -1)
+ errExit("asprintf");
+
+ disable_file_or_dir(fname);
+ free(fname);
+}
+
--
cgit v1.2.3-70-g09d2
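Review bot: `disable_file_or_dir()` in util.c calls `fs_logger2("blacklist", fname)` outside the `stat()` branch, so a path that was never mounted over (missing, or `stat()` failed for another reason) is still recorded as blacklisted. The removed pulseaudio helper returned before logging in that case, so routing `pulseaudio_disable()` through this function changes what the log says. Move `fs_logger2("blacklist", fname);` inside the `if (stat(fname, &s) != -1)` block, and consider warning when `stat()` fails with anything other than ENOENT, since the restriction is then silently not applied. The type test should also reuse the result already in hand, `if (S_ISDIR(s.st_mode)) {`, as the removed helper did; `is_dir(fname)` presumably resolves the name a second time, and the callers pass paths under the home directory, `XDG_RUNTIME_DIR` and `/tmp`, which the sandboxed user can modify between the two lookups.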