From 72de7345179b18014e7003096055a005390d3b1c Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sat, 18 Jul 2020 14:51:59 +0200 Subject: integrate join(-or-start) with dbus options update D-Bus environment variables during join, so that a joining process is able to use D-Bus, too --- src/firejail/dbus.c | 38 ++++++++++++++++++++++++-------------- src/firejail/firejail.h | 2 ++ src/firejail/join.c | 7 +++++++ 3 files changed, 33 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 18576612d..6609e48bd 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c @@ -444,6 +444,24 @@ static char *get_socket_env(const char *name) { return NULL; } +void dbus_set_session_bus_env(void) { + if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, + DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { + fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV + " required by --dbus-user\n"); + exit(1); + } +} + +void dbus_set_system_bus_env(void) { + if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, + DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { + fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV + " required by --dbus-system\n"); + exit(1); + } +} + static void disable_socket_dir(void) { struct stat s; if (stat(RUN_FIREJAIL_DBUS_DIR, &s) == 0) @@ -465,10 +483,10 @@ void dbus_apply_policy(void) { } create_empty_dir_as_root(RUN_DBUS_DIR, 0755); - create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700); - create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700); if (arg_dbus_user != DBUS_POLICY_ALLOW) { + create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700); + if (arg_dbus_user == DBUS_POLICY_FILTER) { assert(dbus_user_proxy_socket != NULL); socket_overlay(RUN_DBUS_USER_SOCKET, dbus_user_proxy_socket); @@ -495,12 +513,7 @@ void dbus_apply_policy(void) { free(dbus_user_socket); free(dbus_user_socket2); - if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, - DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { - fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV - " required by --dbus-user\n"); - exit(1); - } + dbus_set_session_bus_env(); // blacklist the dbus-launch user directory char *path; @@ -511,6 +524,8 @@ void dbus_apply_policy(void) { } if (arg_dbus_system != DBUS_POLICY_ALLOW) { + create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700); + if (arg_dbus_system == DBUS_POLICY_FILTER) { assert(dbus_system_proxy_socket != NULL); socket_overlay(RUN_DBUS_SYSTEM_SOCKET, dbus_system_proxy_socket); @@ -523,12 +538,7 @@ void dbus_apply_policy(void) { if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) disable_file_or_dir(system_env); - if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, - DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { - fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV - " required by --dbus-system\n"); - exit(1); - } + dbus_set_system_bus_env(); } // Only disable access to /run/firejail/dbus here, when the sockets have been bind-mounted. diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1ef4887ea..54a1023ab 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -854,6 +854,8 @@ int dbus_check_call_rule(const char *name); void dbus_check_profile(void); void dbus_proxy_start(void); void dbus_proxy_stop(void); +void dbus_set_session_bus_env(void); +void dbus_set_system_bus_env(void); void dbus_apply_policy(void); // dhcp.c diff --git a/src/firejail/join.c b/src/firejail/join.c index fa1f64333..4c8555f29 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -579,6 +579,13 @@ void join(pid_t pid, int argc, char **argv, int index) { free(display_str); } + // set D-Bus environment variables + struct stat s; + if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) + dbus_set_session_bus_env(); + if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) + dbus_set_system_bus_env(); + start_application(0, NULL); // it will never get here!!! -- cgit v1.2.3-54-g00ecf