From 416d385ea749d59529d5624de87a0c5c1b44cdb6 Mon Sep 17 00:00:00 2001
From: Kristóf Marussy
Date: Mon, 4 May 2020 19:11:54 +0200
Subject: Add options for D-Bus logging

--dbus-user.log and --dbus-system.log instruct xdg-dbus-proxy to log interactions with the session and system buses, respectively.

--dbus-log= can specify the location of the log file. If no location is specified, log output is written to stdout.
---
 src/firejail/dbus.c | 21 ++++++++++++++++++++-
 src/firejail/firejail.h | 3 +++
 src/firejail/main.c | 32 ++++++++++++++++++++++++++++++++
 src/firejail/profile.c | 8 ++++++++
 4 files changed, 63 insertions(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 5b47567e2..18576612d 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -285,6 +285,8 @@ static char *find_user_socket(void) {
 void dbus_proxy_start(void) {
 dbus_create_user_dir();
+ EUID_USER();
+
 int status_pipe[2];
 if (pipe(status_pipe) == -1)
 errExit("pipe");
@@ -299,10 +301,21 @@ void dbus_proxy_start(void) {
 errExit("fork");
 if (dbus_proxy_pid == 0) {
 int i;
- for (i = 3; i < FIREJAIL_MAX_FD; i++) {
+ for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
 if (i != status_pipe[1] && i != args_pipe[0])
 close(i); // close open files
 }
+ if (arg_dbus_log_file != NULL) {
+ int output_fd = creat(arg_dbus_log_file, 0666);
+ if (output_fd < 0)
+ errExit("creat");
+ if (output_fd != STDOUT_FILENO) {
+ if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
+ errExit("dup2");
+ close(output_fd);
+ }
+ }
+ close(STDIN_FILENO);
 char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL};
 if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1 ||
 asprintf(&args[2], "--args=%d", args_pipe[0]) == -1)
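Review bot: `EUID_USER()` is inserted before the pipes are created, but no matching `EUID_ROOT()` is visible in this hunk and dbus_proxy_start continues outside it; if the rest of the function does not switch back, everything after the call, including the caller, keeps running with user privileges, which may be intended but is not stated. A one-line comment would record the intent, e.g. `// run as the real user from here on: the pipes, the proxy process and the optional log file must not be created with root privileges`.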
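Review bot: The log file is created with `creat(arg_dbus_log_file, 0666)`, so under the usual 022 umask a file that records the sandbox's D-Bus traffic ends up readable by every other user, and `creat` follows an existing symlink at that path and truncates whatever it points to. Because the child already runs as the user after `EUID_USER()` this is not a privilege boundary, but the content is sensitive; `int output_fd = open(arg_dbus_log_file, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);` with `errExit("open")` keeps the log private to its owner and refuses to write through a symlink. `close(STDIN_FILENO)` leaves descriptor 0 closed rather than attached to /dev/null, so the first file the proxy opens will land on fd 0; opening `/dev/null` read-only and dup2'ing it onto STDIN_FILENO is the conventional setup. The function body continues outside the hunk.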
@@ -328,6 +341,9 @@ void dbus_proxy_start(void) {
 (int) getuid(), (int) getpid()) == -1)
 errExit("asprintf");
 write_arg(args_pipe[1], "%s", dbus_user_proxy_socket);
+ if (arg_dbus_log_user) {
+ write_arg(args_pipe[1], "--log");
+ }
 write_arg(args_pipe[1], "--filter");
 write_profile(args_pipe[1], "dbus-user.");
 }
@@ -344,6 +360,9 @@ void dbus_proxy_start(void) {
 (int) getuid(), (int) getpid()) == -1)
 errExit("asprintf");
 write_arg(args_pipe[1], "%s", dbus_system_proxy_socket);
+ if (arg_dbus_log_system) {
+ write_arg(args_pipe[1], "--log");
+ }
 write_arg(args_pipe[1], "--filter");
 write_profile(args_pipe[1], "dbus-system.");
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 19ec2762c..1ef4887ea 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -349,6 +349,9 @@ typedef enum {
 } DbusPolicy;
 extern DbusPolicy arg_dbus_user; // --dbus-user
 extern DbusPolicy arg_dbus_system; // --dbus-system
+extern int arg_dbus_log_user;
+extern int arg_dbus_log_system;
+extern const char *arg_dbus_log_file;
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8d60d3790..e458d16f4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -148,6 +148,9 @@ int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
+const char *arg_dbus_log_file = NULL;
+int arg_dbus_log_user = 0;
+int arg_dbus_log_system = 0;
 int login_shell = 0;
 //**********************************************************************************
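Review bot: The three new declarations in the firejail.h hunk carry no trailing option comment, unlike the neighbouring `arg_dbus_user` and `arg_dbus_system` lines, so a reader of the header cannot tell which flag sets each; `extern int arg_dbus_log_user; // --dbus-user.log`, `extern int arg_dbus_log_system; // --dbus-system.log` and `extern const char *arg_dbus_log_file; // --dbus-log=, NULL means log to stdout` would follow the file's convention. The same applies to the three definitions added in the main.c hunk at -148, where it is also worth noting that `arg_dbus_log_file` points into argv and is never freed, since the parser in main.c assigns it `argv[i] + 11`.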
@@ -2067,6 +2070,10 @@ int main(int argc, char **argv, char **envp) {
 }
 arg_dbus_user = DBUS_POLICY_FILTER;
 } else if (strcmp("none", argv[i] + 12) == 0) {
+ if (arg_dbus_log_user) {
+ fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+ exit(1);
+ }
 arg_dbus_user = DBUS_POLICY_BLOCK;
 } else {
 fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12);
@@ -2121,6 +2128,10 @@ int main(int argc, char **argv, char **envp) {
 }
 arg_dbus_system = DBUS_POLICY_FILTER;
 } else if (strcmp("none", argv[i] + 14) == 0) {
+ if (arg_dbus_log_system) {
+ fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+ exit(1);
+ }
 arg_dbus_system = DBUS_POLICY_BLOCK;
 } else {
 fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14);
@@ -2167,6 +2178,27 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
+ else if (strncmp(argv[i], "--dbus-log=", 11) == 0) {
+ if (arg_dbus_log_file != NULL) {
+ fprintf(stderr, "Error: --dbus-log option already specified\n");
+ exit(1);
+ }
+ arg_dbus_log_file = argv[i] + 11;
+ }
+ else if (strcmp(argv[i], "--dbus-user.log") == 0) {
+ if (arg_dbus_user != DBUS_POLICY_FILTER) {
+ fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+ exit(1);
+ }
+ arg_dbus_log_user = 1;
+ }
+ else if (strcmp(argv[i], "--dbus-system.log") == 0) {
+ if (arg_dbus_system != DBUS_POLICY_FILTER) {
+ fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+ exit(1);
+ }
+ arg_dbus_log_system = 1;
+ }
 //*************************************
 // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 699ca4bea..749006487 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
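Review bot: `--dbus-log=` with nothing after the `=` is accepted by the new branch in the -2167 hunk, which only checks that the option was not given twice, so `arg_dbus_log_file` ends up pointing at an empty string that fails much later inside the forked proxy child at `creat`; reject it at parse time with `if (argv[i][11] == '\0') { fprintf(stderr, "Error: --dbus-log requires a file name\n"); exit(1); }`. The `--dbus-user.log` and `--dbus-system.log` branches are order-sensitive: they require the filter policy to be set already, so `--dbus-user.log --dbus-user=filter` is rejected although the resulting configuration is valid, while the mirrored checks added to the `none` branches at -2067 and -2121 only catch the reverse order. Validating the policy/log combination once after all arguments and profile lines are processed, instead of in four places, would make the result independent of argument order. main's body continues outside these hunks.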
@@ -445,6 +445,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 arg_dbus_user = DBUS_POLICY_FILTER;
 } else if (strcmp("none", ptr) == 0) {
+ if (arg_dbus_log_user) {
+ fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+ exit(1);
+ }
 arg_dbus_user = DBUS_POLICY_BLOCK;
 } else {
 fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
@@ -496,6 +500,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 arg_dbus_system = DBUS_POLICY_FILTER;
 } else if (strcmp("none", ptr) == 0) {
+ if (arg_dbus_log_system) {
+ fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+ exit(1);
+ }
 arg_dbus_system = DBUS_POLICY_BLOCK;
 } else {
 fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
--
cgit v1.2.3-54-g00ecf
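Review bot: The error text in both profile.c hunks names command-line options (`--dbus-user.log requires --dbus-user=filter`) although this branch is reached from a profile line `dbus-user none`, so a user whose profile conflicts with a command-line log flag gets a message that never mentions the profile. `profile_check_line` has `fname` and `lineno` in scope, but the main.c hunk shows it being called as `profile_check_line(line, 0, NULL)`, so any message must guard the NULL: `fprintf(stderr, "Error: %s:%d: dbus-user none conflicts with --dbus-user.log\n", fname ? fname : "command line", lineno);`. The same check now appears four times across main.c and profile.c with only the bus name differing; a small static helper taking the bus name would keep the wording consistent. The enclosing function continues outside the hunk.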