firemon fix for xdg-bus-proxy

src/firejail/dbus.c

@@ -41,7 +41,7 @@
 #define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user"
 #define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system"
 #define DBUS_MAX_NAME_LENGTH 255
-#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
+// moved to include/common.h - #define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
 
 static pid_t dbus_proxy_pid = 0;
 static int dbus_proxy_status_fd = -1;

src/firejail/main.c

@@ -523,6 +523,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  if (checkcfg(CFG_SECCOMP)) {
  // print seccomp filter for a sandbox specified by pid or by name
  pid_t pid = require_pid(argv[i] + 17);
+printf("pid %d\n", pid);
  protocol_print_filter(pid);
  }
  else

src/firemon/firemon.c

@@ -70,6 +70,11 @@ int find_child(int id) {
  // find the first child
  for (i = 0; i < max_pids; i++) {
  if (pids[i].level == 2 && pids[i].parent == id) {
+ // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+ char *cmdline = pid_proc_cmdline(i);
+ if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0)
+ continue;
+
  first_child = i;
  break;
  }
@@ -78,7 +83,7 @@ int find_child(int id) {
  if (first_child == -1)
  return -1;
 
- // find the second child
+ // find the second-level child
  for (i = 0; i < max_pids; i++) {
  if (pids[i].level == 3 && pids[i].parent == first_child)
  return i;

src/include/common.h

@@ -32,6 +32,10 @@
 #include <ctype.h>
 #include <assert.h>
 
+// dbus proxy path used by firejail and firemon
+#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
+
+
 #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
 
 // check if processes run with dumpable flag set