From ed80013f4f554a40dff280aad1be0562067db0e8 Mon Sep 17 00:00:00 2001
From: Felix Pehla <74104874+FelixPehla@users.noreply.github.com>
Date: Sun, 18 Aug 2024 14:30:09 +0200
Subject: [PATCH] WIP: add support for wayland-security-context-v1
---
 src/firejail/checkcfg.c | 6 ++++++
 src/firejail/env.c | 3 ++-
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 6 ++++++
 src/firejail/wayland.c | 22 ++++++++++++++++++++++
 5 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 src/firejail/wayland.c
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index bab0e819f19..23ce404626d 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -424,6 +424,12 @@ static const char *const compiletime_support =
 "enabled"
 #else
 "disabled"
+#endif
+ "\n\t- wayland security context support is "
+#ifdef HAVE_WAYLAND_SECURITY_CONTEXT
+ "enabled"
+#else
+ "disabled"
 #endif
 "\n";

diff --git a/src/firejail/env.c b/src/firejail/env.c
index 73be0f5ff6f..386c2c2f16b 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -261,7 +261,8 @@ static const char * const env_whitelist[] = {
 "LANGUAGE",
 "LC_MESSAGES",
 // "PATH",
- "DISPLAY" // required by X11
+ "DISPLAY", // required by X11
+ "WAYLAND_DISPLAY" // required by wayland
 };

 static const char * const env_whitelist_sbox[] = {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8683e0f77e3..c1bb9693ee3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -376,6 +376,7 @@ extern int arg_deterministic_shutdown; // shut down the sandbox if first child d
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
 extern int arg_restrict_namespaces;
+extern int arg_wayland; // filter wayland socket

 typedef enum {
 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 27ae68eb0fe..7ad04022741 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
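Review bot: In the env.c hunk, `WAYLAND_DISPLAY` joins `env_whitelist` unconditionally and its value is passed through as-is, while the rest of the feature sits behind `HAVE_WAYLAND_SECURITY_CONTEXT` and `--wayland`. libwayland accepts either a socket name relative to `XDG_RUNTIME_DIR` or an absolute path in this variable, so a caller-chosen path would survive wherever this list is applied. How the list is consumed is outside the hunk, so this should be checked against its callers. Once the filtered socket exists, the sandbox should presumably point the variable at that socket rather than inherit the host value. At minimum the comment could record the trust level: `"WAYLAND_DISPLAY" // wayland socket name or absolute path; caller-controlled`.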
@@ -171,6 +171,7 @@ int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
 int arg_restrict_namespaces = 0;
+int arg_wayland = 0;

 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1646,6 +1647,11 @@ int main(int argc, char **argv, char **envp) {
 cfg.nice = 0;
 arg_nice = 1;
 }
+#ifdef HAVE_WAYLAND_SECURITY_CONTEXT
+ else if (strcmp(argv[1], "--wayland") == 0) {
+ arg_wayland = 1;
+ }
+#endif

 //*************************************
 // filesystem
diff --git a/src/firejail/wayland.c b/src/firejail/wayland.c
new file mode 100644
index 00000000000..1eea1fd8e89
--- /dev/null
+++ b/src/firejail/wayland.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2014-2024 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+ #include "firejail.h"
+
+
\ No newline at end of file
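Review bot: The new option branch in main.c compares `argv[1]` rather than the argument currently being parsed, so `--wayland` is recognised only when it is the first argument. When it is first, the condition also stays true on later iterations, so any argument that reaches this branch without matching an earlier one would be consumed by it. The parsing loop and its index are outside the hunk; assuming the neighbouring branches index with the loop variable, the line should read `else if (strcmp(argv[i], "--wayland") == 0) {`. For a sandbox hardening flag, position-dependent recognition makes it easy to believe the filter is active when it is not.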
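Review bot: Nothing in this patch reads `arg_wayland`, and wayland.c holds only the license header and `#include "firejail.h"`, so `--wayland` would be accepted and change nothing about the sandbox's access to the compositor socket. The diffstat also lists no build or configure file that defines `HAVE_WAYLAND_SECURITY_CONTEXT`, so as submitted the option branch is presumably never compiled and checkcfg always reports the feature as disabled. Until the security-context setup is implemented, the option should fail closed, exiting with an error, or at least print a warning, rather than succeed silently. The file also ends with whitespace-only lines and no trailing newline.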