From 6c262c3e8746b4460a6a42a6686b89e44018ed99 Mon Sep 17 00:00:00 2001
From: valoq
Date: Tue, 6 Dec 2016 15:51:56 +0100
Subject: block dbus ipc
---
 src/firejail/fs.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-) (limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 9a2f4facc..d71478fc0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
-// blacklist files or directoies by mounting empty files on top of them
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
 char *homedir = cfg.homedir;
 assert(homedir);
@@ -530,6 +530,69 @@ void fs_proc_sys_dev_boot(void) {
 // disable /dev/port
 disable_file(BLACKLIST_FILE, "/dev/port");
+
+
+ // WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
+
+ // disable various ipc sockets
+ struct stat s;
+
+ // disable /run/user/{uid}/bus
+ char *fnamebus;
+ if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1)
+ errExit("asprintf");
+ if (stat(fnamebus, &s) == 0)
+ disable_file(BLACKLIST_FILE, fnamebus);
+ free(fnamebus);
+
+ // disable /run/user/{uid}/gnupg
+ char *fnamegpg;
+ if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+ errExit("asprintf");
+ if (stat(fnamegpg, &s) == 0)
+ disable_file(BLACKLIST_FILE, fnamegpg);
+ free(fnamegpg);
+
+ // disable /run/user/{uid}/systemd
+ char *fnamesysd;
+ if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+ errExit("asprintf");
+ if (stat(fnamesysd, &s) == 0)
+ disable_file(BLACKLIST_FILE, fnamesysd);
+ free(fnamesysd);
+
+
+ // WARNING: not working
+ // disable /run/user/{uid}/kdeinit*
+ //char *fnamekde;
+ //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
+ // errExit("asprintf");
+ //if (stat(fnamekde, &s) == 0)
+ // disable_file(BLACKLIST_FILE, fnamekde);
+ //free(fnamekde);
+
+
+ // disable /run/user/{uid}/pulse
+ /* char *fnamepulse; */
+ /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
+ /* errExit("asprintf"); */
+ /* if (stat(fnamepulse, &s) == 0) */
+ /* disable_file(BLACKLIST_FILE, fnamepulse); */
+ /* free(fnamepulse); */
+
+ // disable /run/user/{uid}/dconf
+ /* char *fnamedconf; */
+ /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
+ /* errExit("asprintf"); */
+ /* if (stat(fnamedconf, &s) == 0) */
+ /* disable_file(BLACKLIST_FILE, fnamedconf); */
+ /* free(fnamedconf); */
+
+
+ //more files with sockets to be blacklisted
+ // /run/dbus /run/systemd /run/udev /run/lvm
+
+
 if (getuid() != 0) {
 // disable /dev/kmsg and /proc/kmsg
-- cgit v1.2.3-54-g00ecf
From 8d929a786fec68549d0dbe00ceb4f9c7d3e94217 Mon Sep 17 00:00:00 2001
From: valoq
Date: Wed, 7 Dec 2016 15:06:39 +0100
Subject: removed dbus blacklist
---
 src/firejail/fs.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index d71478fc0..ffad961c3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -536,14 +536,16 @@ void fs_proc_sys_dev_boot(void) {
 // disable various ipc sockets
 struct stat s;
-
- // disable /run/user/{uid}/bus
- char *fnamebus;
- if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1)
- errExit("asprintf");
- if (stat(fnamebus, &s) == 0)
- disable_file(BLACKLIST_FILE, fnamebus);
- free(fnamebus);
+
+
+ // breaks too many applications, option needed
+ /* // disable /run/user/{uid}/bus */
+ /* char *fnamebus; */
+ /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
+ /* errExit("asprintf"); */
+ /* if (stat(fnamebus, &s) == 0) */
+ /* disable_file(BLACKLIST_FILE, fnamebus); */
+ /* free(fnamebus); */
 // disable /run/user/{uid}/gnupg
 char *fnamegpg;
-- cgit v1.2.3-54-g00ecf
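Review bot: In the `@@ -530,6 +530,69 @@` hunk of "block dbus ipc", each of the three active blocks blacklists its path only if `stat()` succeeds while the sandbox is being set up, so a bus, gnupg or systemd path created afterwards stays reachable from inside the jail. The WARNING comment admits this, and pathname blacklisting presumably also cannot cover a bus that listens on an abstract-namespace Unix socket. I would state both limits in the comment and fold the three copy-pasted asprintf/stat/disable_file/free sequences into one loop over a table of names, as below, so that adding an entry is a one-word change. `getuid()` returns `uid_t`, so the format should be `%u` with a cast rather than `%d`. The commented-out kdeinit, pulse and dconf blocks are better left out of the commit, and fs_proc_sys_dev_boot begins and ends outside the hunk.

```c
	// … unchanged: /dev/port blacklist above …

	// disable various ipc sockets under /run/user/{uid}
	// NOTE: covers only paths that exist at sandbox start; paths created
	// later (e.g. by gpg-agent) and abstract-namespace sockets are not blocked
	static const char *const runuser_ipc[] = { "bus", "gnupg", "systemd" };
	struct stat s;
	unsigned i;
	for (i = 0; i < sizeof(runuser_ipc) / sizeof(runuser_ipc[0]); i++) {
		char *fname;
		if (asprintf(&fname, "/run/user/%u/%s", (unsigned) getuid(), runuser_ipc[i]) == -1)
			errExit("asprintf");
		if (stat(fname, &s) == 0)
			disable_file(BLACKLIST_FILE, fname);
		free(fname);
	}

	// … unchanged: if (getuid() != 0) block below …
```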
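Review bot: After the `@@ -536,14 +536,16 @@` hunk of "removed dbus blacklist", /run/user/{uid}/bus is reachable from every sandbox again, yet the only record is a block wrapped line by line in `/* … */` under `// breaks too many applications, option needed`, while the `// disable various ipc sockets` heading above still reads as if the bus were covered. I would delete the commented-out block, since the previous commit keeps it in history, and leave one explicit line such as `// NOTE: /run/user/{uid}/bus is intentionally left accessible until a per-sandbox option exists`. The gnupg and systemd blocks that stay active begin in this hunk's trailing context and continue outside it, so their comment is worth checking for the same wording.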