From c313cafbae5655f0c401049f294a558a03a2ad6d Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Fri, 6 Feb 2015 17:33:09 +0100 Subject: [PATCH 1/2] Add a --forbid option to run This allows to restrict the access that the app gets out of the sandbox. We allow an access if the app requests it (in its metadata) and the user doesn't forbid it (with this option). --- completion/xdg-app | 6 ++--- doc/xdg-app-run.xml | 17 ++++++++++++++ xdg-app-builtins-run.c | 52 ++++++++++++++++++++++++++++++++++-------- 3 files changed, 63 insertions(+), 12 deletions(-) diff --git a/completion/xdg-app b/completion/xdg-app index 1d924cd9..c8b0561c 100755 --- a/completion/xdg-app +++ b/completion/xdg-app @@ -28,12 +28,12 @@ _xdg-app() { [LIST_REMOTES]='--show-urls' [REPO_CONTENTS]='--show-details --runtimes --apps --update' [UNINSTALL]='--keep-ref' - [RUN]='--command --branch --devel' + [RUN]='--command --branch --devel --forbid' [BUILD_INIT]='--arch --var' [BUILD]='--runtime --network --x11' [BUILD_FINISH]='--command --allow' [BUILD_EXPORT]='--subject --body' - [ARG]='--arch --command --branch --var --allow --subject --body' + [ARG]='--arch --command --branch --var --allow --forbid --subject --body' ) if __contains_word "--user" ${COMP_WORDS[*]}; then @@ -53,7 +53,7 @@ _xdg-app() { --var) comps=$(xdg-app $mode list-runtimes) ;; - --allow) + --allow|--forbid) comps='x11 wayland ipc pulseaudio system-dbus session-dbus network host-fs homedir' ;; --branch|--subject|--body) diff --git a/doc/xdg-app-run.xml b/doc/xdg-app-run.xml index 6d3918a2..8ef3db6e 100644 --- a/doc/xdg-app-run.xml +++ b/doc/xdg-app-run.xml @@ -51,6 +51,12 @@ directory at /var, whose content is preserved between application runs. The application itself is mounted at /self. + + The details of the sandboxed environment are controlled by the application + metadata and the --forbid option that are passed to the run command: Access + is allowed if the application requested it in its metadata file and the + user hasn;t forbidden it. + @@ -110,6 +116,17 @@ + + + + + Disallow access to the named facility. KEY must + be one of: x11, wayland, ipc, pulseaudio, system-dbus, + session-dbus, network, host-fs, homedir. + This option can be used multiple times. + + + diff --git a/xdg-app-builtins-run.c b/xdg-app-builtins-run.c index 6433254a..3fae55dc 100644 --- a/xdg-app-builtins-run.c +++ b/xdg-app-builtins-run.c @@ -17,6 +17,7 @@ static char *opt_branch; static char *opt_command; static gboolean opt_devel; static char *opt_runtime; +static char **opt_forbid; static GOptionEntry options[] = { { "arch", 0, 0, G_OPTION_ARG_STRING, &opt_arch, "Arch to use", "ARCH" }, @@ -24,6 +25,7 @@ static GOptionEntry options[] = { { "branch", 0, 0, G_OPTION_ARG_STRING, &opt_branch, "Branch to use", "BRANCH" }, { "devel", 'd', 0, G_OPTION_ARG_NONE, &opt_devel, "Use development runtime", NULL }, { "runtime", 0, 0, G_OPTION_ARG_STRING, &opt_runtime, "Runtime to use", "RUNTIME" }, + { "forbid", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_forbid, "Environment options to set to false", "KEY" }, { NULL } }; @@ -259,6 +261,12 @@ xdg_app_builtin_run (int argc, char **argv, GCancellable *cancellable, GError ** const char *command = "/bin/sh"; int i; int rest_argv_start, rest_argc; + const char *environment_keys[] = { + "x11", "wayland", "ipc", "pulseaudio", "system-dbus", "session-dbus", + "network", "host-fs", "homedir", NULL + }; + const char *no_opts[1] = { NULL }; + const char **forbid; context = g_option_context_new ("APP [args...] - Run an app"); @@ -399,33 +407,59 @@ xdg_app_builtin_run (int argc, char **argv, GCancellable *cancellable, GError ** } } - if (g_key_file_get_boolean (metakey, "Environment", "ipc", NULL)) + if (opt_forbid) + forbid = (const char **)opt_forbid; + else + forbid = no_opts; + + for (i = 0; forbid[i]; i++) + { + const char *key; + + key = forbid[i]; + if (!g_strv_contains (environment_keys, key)) + { + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Unknown Environment key %s", key); + goto out; + } + } + + if (g_key_file_get_boolean (metakey, "Environment", "ipc", NULL) && + !g_strv_contains (forbid, "ipc")) g_ptr_array_add (argv_array, g_strdup ("-i")); - if (g_key_file_get_boolean (metakey, "Environment", "host-fs", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "host-fs", NULL) && + !g_strv_contains (forbid, "host-fs")) g_ptr_array_add (argv_array, g_strdup ("-f")); - if (g_key_file_get_boolean (metakey, "Environment", "homedir", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "homedir", NULL) && + !g_strv_contains (forbid, "homedir")) g_ptr_array_add (argv_array, g_strdup ("-H")); - if (g_key_file_get_boolean (metakey, "Environment", "network", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "network", NULL) && + !g_strv_contains (forbid, "network")) g_ptr_array_add (argv_array, g_strdup ("-n")); - if (g_key_file_get_boolean (metakey, "Environment", "x11", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "x11", NULL) && + !g_strv_contains (forbid, "x11")) xdg_app_run_add_x11_args (argv_array); else xdg_app_run_add_no_x11_args (argv_array); - if (g_key_file_get_boolean (metakey, "Environment", "wayland", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "wayland", NULL) && + !g_strv_contains (forbid, "wayland")) xdg_app_run_add_wayland_args (argv_array); - if (g_key_file_get_boolean (metakey, "Environment", "pulseaudio", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "pulseaudio", NULL) && + !g_strv_contains (forbid, "pulseaudio")) xdg_app_run_add_pulseaudio_args (argv_array); - if (g_key_file_get_boolean (metakey, "Environment", "system-dbus", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "system-dbus", NULL) && + !g_strv_contains (forbid, "system-dbus")); xdg_app_run_add_system_dbus_args (argv_array); - if (g_key_file_get_boolean (metakey, "Environment", "session-dbus", NULL)) + if (g_key_file_get_boolean (metakey, "Environment", "session-dbus", NULL) && + !g_strv_contains (forbid, "session_dbus")) xdg_app_run_add_session_dbus_args (argv_array); g_ptr_array_add (argv_array, g_strdup ("-a")); From 763b3785903d58104b137feabff2367cfbebd2a1 Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Fri, 6 Feb 2015 17:43:53 +0100 Subject: [PATCH 2/2] Add some debug spew Show the access we allow. --- xdg-app-builtins-run.c | 51 +++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 11 deletions(-) diff --git a/xdg-app-builtins-run.c b/xdg-app-builtins-run.c index 3fae55dc..383720b5 100644 --- a/xdg-app-builtins-run.c +++ b/xdg-app-builtins-run.c @@ -426,41 +426,70 @@ xdg_app_builtin_run (int argc, char **argv, GCancellable *cancellable, GError ** if (g_key_file_get_boolean (metakey, "Environment", "ipc", NULL) && !g_strv_contains (forbid, "ipc")) - g_ptr_array_add (argv_array, g_strdup ("-i")); + { + g_debug ("Allowing ipc access"); + g_ptr_array_add (argv_array, g_strdup ("-i")); + } if (g_key_file_get_boolean (metakey, "Environment", "host-fs", NULL) && !g_strv_contains (forbid, "host-fs")) - g_ptr_array_add (argv_array, g_strdup ("-f")); + { + g_debug ("Allowing host-fs access"); + g_ptr_array_add (argv_array, g_strdup ("-f")); + } if (g_key_file_get_boolean (metakey, "Environment", "homedir", NULL) && !g_strv_contains (forbid, "homedir")) - g_ptr_array_add (argv_array, g_strdup ("-H")); + { + g_debug ("Allowing homedir access"); + g_ptr_array_add (argv_array, g_strdup ("-H")); + } if (g_key_file_get_boolean (metakey, "Environment", "network", NULL) && !g_strv_contains (forbid, "network")) - g_ptr_array_add (argv_array, g_strdup ("-n")); + { + g_debug ("Allowing network access"); + g_ptr_array_add (argv_array, g_strdup ("-n")); + } if (g_key_file_get_boolean (metakey, "Environment", "x11", NULL) && !g_strv_contains (forbid, "x11")) - xdg_app_run_add_x11_args (argv_array); + { + g_debug ("Allowing x11 access"); + xdg_app_run_add_x11_args (argv_array); + } else - xdg_app_run_add_no_x11_args (argv_array); + { + xdg_app_run_add_no_x11_args (argv_array); + } if (g_key_file_get_boolean (metakey, "Environment", "wayland", NULL) && !g_strv_contains (forbid, "wayland")) - xdg_app_run_add_wayland_args (argv_array); + { + g_debug ("Allowing wayland access"); + xdg_app_run_add_wayland_args (argv_array); + } if (g_key_file_get_boolean (metakey, "Environment", "pulseaudio", NULL) && !g_strv_contains (forbid, "pulseaudio")) - xdg_app_run_add_pulseaudio_args (argv_array); + { + g_debug ("Allowing pulseaudio access"); + xdg_app_run_add_pulseaudio_args (argv_array); + } if (g_key_file_get_boolean (metakey, "Environment", "system-dbus", NULL) && !g_strv_contains (forbid, "system-dbus")); - xdg_app_run_add_system_dbus_args (argv_array); + { + g_debug ("Allowing system-dbus access"); + xdg_app_run_add_system_dbus_args (argv_array); + } if (g_key_file_get_boolean (metakey, "Environment", "session-dbus", NULL) && - !g_strv_contains (forbid, "session_dbus")) - xdg_app_run_add_session_dbus_args (argv_array); + !g_strv_contains (forbid, "session-dbus")) + { + g_debug ("Allowing session-dbus access"); + xdg_app_run_add_session_dbus_args (argv_array); + } g_ptr_array_add (argv_array, g_strdup ("-a")); g_ptr_array_add (argv_array, g_file_get_path (app_files));