--nodbus, first draft for #1825
This commit is contained in:
parent
6baa64f2b5
commit
ae008e5fa9
7 changed files with 57 additions and 55 deletions
|
|
@ -382,6 +382,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified
|
|||
extern int arg_memory_deny_write_execute; // block writable and executable memory
|
||||
extern int arg_notv; // --notv
|
||||
extern int arg_nodvd; // --nodvd
|
||||
extern int arg_nodbus; // -nodbus
|
||||
|
||||
extern int login_shell;
|
||||
extern int parent_to_child_fds[2];
|
||||
|
|
@ -520,6 +521,8 @@ void create_empty_file_as_root(const char *dir, mode_t mode);
|
|||
int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
|
||||
void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
|
||||
unsigned extract_timeout(const char *str);
|
||||
void disable_file_or_dir(const char *fname);
|
||||
void disable_file_path(const char *path, const char *file);
|
||||
|
||||
// fs_var.c
|
||||
void fs_var_log(void); // mounting /var/log
|
||||
|
|
@ -800,4 +803,7 @@ void set_name_run_file(pid_t pid);
|
|||
void set_x11_run_file(pid_t pid, int display);
|
||||
void set_profile_run_file(pid_t pid, const char *fname);
|
||||
|
||||
// dbus.c
|
||||
void dbus_session_disable(void);
|
||||
|
||||
#endif
|
||||
|
|
|
|||
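Review bot: The comment on the new declaration, `extern int arg_nodbus; // -nodbus`, uses a single dash while the neighbouring `// --notv` / `// --nodvd` entries and the option matched in main.c (`strcmp(argv[i], "--nodbus")`) use two; it should read `extern int arg_nodbus; // --nodbus`, and the same slip is in main.c on `int arg_nodbus = 0; // -nodbus`. The two helpers promoted from static to public in the @520 hunk also deserve a line each, since callers in other files now depend on their contract: `// util.c: bind-mount RUN_RO_DIR/RUN_RO_FILE over fname if it exists, then log it as a blacklist` above `disable_file_or_dir`, and `// util.c: same as disable_file_or_dir for path/file` above `disable_file_path`.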
|
|
@ -297,26 +297,6 @@ void fs_private_dev(void){
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void disable_file_or_dir(const char *fname) {
|
||||
if (arg_debug)
|
||||
printf("disable %s\n", fname);
|
||||
struct stat s;
|
||||
if (stat(fname, &s) != -1) {
|
||||
if (is_dir(fname)) {
|
||||
if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
|
||||
errExit("disable directory");
|
||||
}
|
||||
else {
|
||||
if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
|
||||
errExit("disable file");
|
||||
}
|
||||
}
|
||||
fs_logger2("blacklist", fname);
|
||||
|
||||
}
|
||||
|
||||
void fs_dev_disable_sound(void) {
|
||||
unsigned i = 0;
|
||||
while (dev[i].dev_fname != NULL) {
|
||||
|
|
|
|||
|
|
@ -120,6 +120,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
|
|||
int arg_memory_deny_write_execute = 0; // block writable and executable memory
|
||||
int arg_notv = 0; // --notv
|
||||
int arg_nodvd = 0; // --nodvd
|
||||
int arg_nodbus = 0; // -nodbus
|
||||
int login_shell = 0;
|
||||
|
||||
|
||||
|
|
@ -1111,7 +1112,7 @@ int main(int argc, char **argv) {
|
|||
else if (strncmp(argv[i], "--protocol=", 11) == 0) {
|
||||
if (checkcfg(CFG_SECCOMP)) {
|
||||
if (cfg.protocol) {
|
||||
fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
|
||||
fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
|
||||
}
|
||||
else {
|
||||
// store list
|
||||
|
|
@ -1734,6 +1735,8 @@ int main(int argc, char **argv) {
|
|||
arg_notv = 1;
|
||||
else if (strcmp(argv[i], "--nodvd") == 0)
|
||||
arg_nodvd = 1;
|
||||
else if (strcmp(argv[i], "--nodbus") == 0)
|
||||
arg_nodbus = 1;
|
||||
|
||||
//*************************************
|
||||
// network
|
||||
|
|
|
|||
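Review bot: The rewritten warning at the `--protocol=` branch, `fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);`, names only the list that is kept, whereas the line it replaces named the list that is being dropped (`argv[i] + 11`); a user debugging why a seccomp protocol filter from a profile and one from the command line disagree now cannot see which one was ignored. Carrying both is cheap: `fwarning("two protocol lists are present, \"%s\" will be installed, \"%s\" ignored\n", cfg.protocol, argv[i] + 11);`. The same message appears in profile.c's @549 hunk with `ptr + 9` as the dropped list and should change the same way. Both hunks sit inside main() and profile_check_line(), whose bodies extend outside the hunks.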
|
|
@ -249,6 +249,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
|
|||
arg_no3d = 1;
|
||||
return 0;
|
||||
}
|
||||
else if (strcmp(ptr, "nodbus") == 0) {
|
||||
arg_nodbus = 1;
|
||||
return 0;
|
||||
}
|
||||
else if (strcmp(ptr, "allow-private-blacklist") == 0) {
|
||||
fmessage("--allow-private-blacklist was deprecated\n");
|
||||
return 0;
|
||||
|
|
@ -549,7 +553,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
|
|||
#ifdef HAVE_SECCOMP
|
||||
if (checkcfg(CFG_SECCOMP)) {
|
||||
if (cfg.protocol) {
|
||||
fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
|
||||
fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -24,52 +24,24 @@
|
|||
#include <dirent.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
static void disable_file(const char *path, const char *file) {
|
||||
assert(file);
|
||||
assert(path);
|
||||
|
||||
struct stat s;
|
||||
char *fname;
|
||||
if (asprintf(&fname, "%s/%s", path, file) == -1)
|
||||
errExit("asprintf");
|
||||
if (stat(fname, &s) == -1)
|
||||
goto doexit;
|
||||
|
||||
if (arg_debug)
|
||||
printf("Disable%s\n", fname);
|
||||
|
||||
if (S_ISDIR(s.st_mode)) {
|
||||
if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
|
||||
errExit("disable file");
|
||||
}
|
||||
else {
|
||||
if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
|
||||
errExit("disable file");
|
||||
}
|
||||
fs_logger2("blacklist", fname);
|
||||
|
||||
doexit:
|
||||
free(fname);
|
||||
}
|
||||
|
||||
// disable pulseaudio socket
|
||||
void pulseaudio_disable(void) {
|
||||
if (arg_debug)
|
||||
printf("disable pulseaudio\n");
|
||||
// blacklist user config directory
|
||||
disable_file(cfg.homedir, ".config/pulse");
|
||||
disable_file_path(cfg.homedir, ".config/pulse");
|
||||
|
||||
|
||||
// blacklist pulseaudio socket in XDG_RUNTIME_DIR
|
||||
char *name = getenv("XDG_RUNTIME_DIR");
|
||||
if (name)
|
||||
disable_file(name, "pulse/native");
|
||||
disable_file_path(name, "pulse/native");
|
||||
|
||||
// try the default location anyway
|
||||
char *path;
|
||||
if (asprintf(&path, "/run/user/%d", getuid()) == -1)
|
||||
errExit("asprintf");
|
||||
disable_file(path, "pulse/native");
|
||||
disable_file_path(path, "pulse/native");
|
||||
free(path);
|
||||
|
||||
|
||||
|
|
@ -87,12 +59,11 @@ void pulseaudio_disable(void) {
|
|||
struct dirent *entry;
|
||||
while ((entry = readdir(dir))) {
|
||||
if (strncmp(entry->d_name, "pulse-", 6) == 0) {
|
||||
disable_file("/tmp", entry->d_name);
|
||||
disable_file_path("/tmp", entry->d_name);
|
||||
}
|
||||
}
|
||||
|
||||
closedir(dir);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -837,6 +837,13 @@ int sandbox(void* sandbox_arg) {
|
|||
EUID_ROOT();
|
||||
}
|
||||
|
||||
//****************************
|
||||
// Session D-BUS
|
||||
//****************************
|
||||
if (arg_nodbus)
|
||||
dbus_session_disable();
|
||||
|
||||
|
||||
//****************************
|
||||
// hosts and hostname
|
||||
//****************************
|
||||
|
|
|
|||
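Review bot: The new `dbus_session_disable()` call is declared in firejail.h under a `// dbus.c` heading, but no dbus.c is among the seven files this commit changes; unless that file already exists in the tree, sandbox() will fail to link, which presumably is the "first draft" caveat in the title and should be stated in the description. A one-line comment on the call would also help, since the `EUID_ROOT();` just above suggests this block runs with root euid and the helper's privilege expectations are not visible here: `// runs with root euid (see EUID_ROOT above); dbus_session_disable() is expected to need it — confirm`. sandbox() itself starts and ends outside this hunk.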
|
|
@ -21,6 +21,7 @@
|
|||
#include "firejail.h"
|
||||
#include <ftw.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/mount.h>
|
||||
#include <fcntl.h>
|
||||
#include <syslog.h>
|
||||
#include <errno.h>
|
||||
|
|
@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
|
|||
|
||||
return h * 3600 + m * 60 + s;
|
||||
}
|
||||
|
||||
void disable_file_or_dir(const char *fname) {
|
||||
if (arg_debug)
|
||||
printf("blacklist %s\n", fname);
|
||||
struct stat s;
|
||||
if (stat(fname, &s) != -1) {
|
||||
if (is_dir(fname)) {
|
||||
if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
|
||||
errExit("disable directory");
|
||||
}
|
||||
else {
|
||||
if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
|
||||
errExit("disable file");
|
||||
}
|
||||
}
|
||||
fs_logger2("blacklist", fname);
|
||||
}
|
||||
|
||||
void disable_file_path(const char *path, const char *file) {
|
||||
assert(file);
|
||||
assert(path);
|
||||
|
||||
char *fname;
|
||||
if (asprintf(&fname, "%s/%s", path, file) == -1)
|
||||
errExit("asprintf");
|
||||
|
||||
disable_file_or_dir(fname);
|
||||
free(fname);
|
||||
}
|
||||
|
||||
|
|
|
|||
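Review bot: In `disable_file_or_dir`, `fs_logger2("blacklist", fname);` runs regardless of whether `stat(fname, &s)` succeeded, so the sandbox's filesystem log records a blacklist entry for paths over which nothing was mounted; the static `disable_file` this replaces in pulseaudio.c returned before logging in that case, so the pulseaudio callers now produce misleading log lines for absent sockets and config dirs. The `struct stat` already filled by that call is also discarded in favour of a second lookup via `is_dir(fname)`, which re-resolves the path between the check and the mount. Both are fixed by returning early and testing the stat result directly: `if (stat(fname, &s) == -1) return;` followed by `if (S_ISDIR(s.st_mode)) {` in place of the `!= -1` block and `is_dir(fname)`, dropping the block's closing brace. Worth a header comment as well, now that the function is public: `// bind-mount an empty read-only object over fname; no-op (and not logged) if fname does not exist`.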