author | netblue30 <netblue30@yahoo.com> | 2017-02-15 08:12:41 -0500 |
committer | netblue30 <netblue30@yahoo.com> | 2017-02-15 08:12:41 -0500 |
commit | a73a89f3c403d61e8b5588b759e4438b4206e2e3 (patch) | |
tree | b28dcd5b07ec631c573dc4f88027045f64de4605 | |
parent | merge #1100 from zackw: rework DISPLAY environment parsing, rework masking X... (diff) | |
merge #1100 from zackw: rework xpra and xephyr detection
-rw-r--r-- | src/firejail/x11.c | 78 |
1 files changed, 4 insertions, 74 deletions
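--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -32,28 +32,6 @@
 int mask_x11_abstract_socket = 0;
 
 #ifdef HAVE_X11
-// return 1 if xpra is installed on the system
-static int x11_check_xpra(void) {
-	struct stat s;
-
-	// check xpra
-	if (stat("/usr/bin/xpra", &s) == -1)
-		return 0;
-
-	return 1;
-}
-
-// return 1 if xephyr is installed on the system
-static int x11_check_xephyr(void) {
-	struct stat s;
-
-	// check xephyr
-	if (stat("/usr/bin/Xephyr", &s) == -1)
-		return 0;
-
-	return 1;
-}
-
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
 	char *path;
@@ -205,54 +183,6 @@ void fs_x11(void) {
 	if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
 		errExit("mount");
 	fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-
-
-#if 0
-	// keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR
-	int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
-	if (rv == -1)
-		errExit("mkdir");
-	if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777))
-		errExit("set_perms");
-
-	if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-		errExit("mount bind");
-
-	// mount tmpfs on /tmp/.X11-unix
-	if (arg_debug || arg_debug_whitelists)
-		printf("Mounting tmpfs on /tmp/.X11-unix directory\n");
-	if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
-		errExit("mounting tmpfs on /tmp");
-	fs_logger("tmpfs /tmp/.X11-unix");
-
-	// create an empty file
-	/* coverity[toctou] */
-	FILE *fp = fopen(x11file, "w");
-	if (!fp) {
-		fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
-		exit(1);
-	}
-	// set file properties
-	SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
-	fclose(fp);
-
-	// mount
-	char *wx11file;
-	if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-		errExit("asprintf");
-	if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
-		errExit("mount bind");
-	fs_logger2("whitelist", x11file);
-
-	free(x11file);
-	free(wx11file);
-
-	// block access to RUN_WHITELIST_X11_DIR
-	if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, "none", MS_BIND, "mode=400,gid=0") == -1)
-		errExit("mount");
-	fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-#endif
-
 #endif
 }
 
@@ -277,7 +207,7 @@ void x11_start_xephyr(int argc, char **argv) {
 	drop_privs(0);
 
 	// check xephyr
-	if (x11_check_xephyr() == 0) {
+	if (!program_in_path("Xephyr")) {
 		fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n");
 		fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
 		fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n");
@@ -477,7 +407,7 @@ void x11_start_xpra(int argc, char **argv) {
 	drop_privs(0);
 
 	// check xpra
-	if (x11_check_xpra() == 0) {
+	if (!program_in_path("xpra")) {
 		fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
 		fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
 		exit(0);
@@ -670,9 +600,9 @@ void x11_start(int argc, char **argv) {
 	}
 
 	// check xpra
-	if (x11_check_xpra() == 1)
+	if (program_in_path("xpra"))
 		x11_start_xpra(argc, argv);
-	else if (x11_check_xephyr() == 1)
+	else if (program_in_path("Xephyr"))
 		x11_start_xephyr(argc, argv);
 	else {
 		fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n");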
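Review bot: The error messages on new lines 211, 411 and 608 still tell the user the program "was not found in /usr/bin directory", but the checks on lines 210, 410, 603 and 605 now resolve the name through PATH via program_in_path(), so the message describes a lookup the code no longer performs; change them to match, e.g. `fprintf(stderr, "\nError: Xephyr program was not found in PATH, please install it:\n");` and likewise for the xpra and the combined message. The new lookup also means the result depends on the caller's environment rather than a fixed path: in x11_start_xephyr and x11_start_xpra it runs after drop_privs(0) on lines 207 and 407, whereas the x11_start hunk does not show whether privileges have been dropped before the line 603 lookup, so that ordering is worth confirming. It is also worth confirming that the later exec of xpra/Xephyr (outside these hunks) uses the same PATH resolution, so the presence check and the program actually executed cannot disagree. The bodies of x11_start_xephyr, x11_start_xpra and x11_start all start and end outside their hunks.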