author | netblue30 <netblue30@yahoo.com> | 2017-07-19 09:00:16 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-07-19 09:00:16 -0400 |
commit | 812db2a6f45d3c4ba4a3c5a9716e653d25c52f7a (patch) | |
tree | aae653e85d488f490bf99da9dcdd0f4f79e80491 | |
parent | xvfb fixes (diff) | |
download | firejail-812db2a6f45d3c4ba4a3c5a9716e653d25c52f7a.tar.gz firejail-812db2a6f45d3c4ba4a3c5a9716e653d25c52f7a.tar.zst firejail-812db2a6f45d3c4ba4a3c5a9716e653d25c52f7a.zip |
support for Xephyr screen size
-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/firejail/profile.c | 11 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/firejail/x11.c | 26 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 15 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
8 files changed, 90 insertions, 1 deletions
@@ -102,6 +102,16 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
102 | 102 | ||
103 | Example: | 103 | Example: |
104 | $ firejail --disable-mnt firefox | 104 | $ firejail --disable-mnt firefox |
105 | |||
106 | --xephyr-screen=WIDTHxHEIGHT | ||
107 | Set screen size for --x11=xephyr. The setting will overwrite the | ||
108 | default set in /etc/firejail/firejail.config for the current | ||
109 | sandbox. Run xrandr to get a list of supported resolutions on | ||
110 | your computer. | ||
111 | |||
112 | Example: | ||
113 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐ | ||
114 | fox | ||
105 | ````` | 115 | ````` |
106 | 116 | ||
107 | 117 | ||
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.49) baseline; urgency=low | 1 | firejail (0.9.49) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * feature: per-profile disable-mnt | 3 | * feature: per-profile disable-mnt (--disable-mnt) |
4 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) | ||
4 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, | 5 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, |
5 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, | 6 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, |
6 | * new profiles: Android Studio | 7 | * new profiles: Android Studio |
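--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1061,6 +1061,19 @@ int main(int argc, char **argv) {
 // already handled
 }
 
+
+//*************************************
+// x11
+//*************************************
+
+#ifdef HAVE_X11
+else if (strncmp(argv[i], "--xephyr-screen=", 14) == 0) {
+if (checkcfg(CFG_X11))
+; // the processing is done directly in x11.c
+else
+exit_err_feature("x11");
+}
+#endif
 //*************************************
 // filtering
 //*************************************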
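Review bot: The prefix length in the new `else if` is wrong: `"--xephyr-screen="` is 16 characters but `strncmp` is given 14, so any argument starting with `--xephyr-scree` — including `--xephyr-screen` with no `=` and no value, or `--xephyr-screenXYZ` — passes this branch as if it were a valid option. As far as the x11.c hunk shows, the value is later looked up with the full `strlen` of `"--xephyr-screen="`, so such an argument is accepted here and then silently ignored rather than reported as unknown. Change the line to `else if (strncmp(argv[i], "--xephyr-screen=", 16) == 0) {`. Nothing in this hunk checks that a value follows the `=` either, so an empty or malformed size is passed through; the comment would be clearer as `; // value is read and validated in x11_start_xephyr()` once that validation exists. `main` starts and ends outside the hunk.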
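--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <dirent.h>
 #include <sys/stat.h>
+extern char *xephyr_screen;
 
 #define MAX_READ 8192 // line buffer for profile files
 
@@ -112,6 +113,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
+#ifdef HAVE_X11
+if (checkcfg(CFG_X11)) {
+xephyr_screen = ptr + 14;
+}
+else
+warning_feature_disabled("x11");
+#endif
+return 0;
+}
 // mkdir
 if (strncmp(ptr, "mkdir ", 6) == 0) {
 fs_mkdir(ptr + 6);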
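Review bot: `xephyr_screen = ptr + 14;` stores a pointer into the line currently being parsed instead of a copy, and `MAX_READ` is documented a few lines up as the line buffer for profile files; if `ptr` points into that per-line buffer, the global is stale as soon as the next line is read and dangling once the reader returns — confirm how the caller allocates `ptr`. Taking a copy removes the dependence on the caller's buffer lifetime either way: `xephyr_screen = strdup(ptr + 14);` followed by `if (!xephyr_screen) errExit("strdup");`, matching the file's allocation-failure convention. The value is also not checked to be of the form WIDTHxHEIGHT before it is stored, so a comment like `// no syntax check here; validated where the Xephyr command line is built` (or the check itself) would help the next reader. `profile_check_line` starts and ends outside the hunk.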
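--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -205,6 +205,7 @@ void usage(void) {
 printf(" --writable-etc - /etc directory is mounted read-write.\n");
 printf(" --writable-var - /var directory is mounted read-write.\n");
 printf(" --writable-var-log - use the real /var/log directory, not a clone.\n");
+#ifdef HAVE_X11
 printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
 printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
 printf("\tattempt to use X11 security extension.\n");
@@ -213,6 +214,8 @@ void usage(void) {
 printf(" --x11=xorg - enable X11 security extension.\n");
 printf(" --x11=xpra - enable Xpra X11 server.\n");
 printf(" --x11=xvfb - enable Xvfb X11 server.\n");
+printf(" --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n");
+#endif
 printf(" --zsh - use /usr/bin/zsh as default shell.\n");
 printf("\n");
 printf("Examples:\n");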
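--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -398,6 +398,27 @@ void x11_start_xvfb(int argc, char **argv) {
 }
 
 
+
+static char *extract_setting(int argc, char **argv, const char *argument) {
+int i;
+int len = strlen(argument);
+
+for (i = 1; i < argc; i++) {
+if (strncmp(argv[i], argument, len) == 0) {
+return argv[i] + len;
+}
+
+// detect end of firejail params
+if (strcmp(argv[i], "--") == 0)
+break;
+if (strncmp(argv[i], "--", 2) != 0)
+break;
+}
+
+return NULL;
+}
+
+
 //$ Xephyr -ac -br -noreset -screen 800x600 :22 &
 //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox
 void x11_start_xephyr(int argc, char **argv) {
@@ -407,6 +428,11 @@ void x11_start_xephyr(int argc, char **argv) {
 pid_t jail = 0;
 pid_t server = 0;
 
+// default xephyr screen can be overwriten by a --xephyr-screen= command line option
+char *newscreen = extract_setting(argc, argv, "--xephyr-screen=");
+if (newscreen)
+xephyr_screen = newscreen;
+
 setenv("FIREJAIL_X11", "yes", 1);
 
 // unfortunately, xephyr does a number of weird things when started by root user!!!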
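Review bot: The value returned by `extract_setting` is assigned to `xephyr_screen` without any check (new-side lines 432-434), so an empty string or anything other than WIDTHxHEIGHT is accepted and carried to wherever the global is consumed, which is outside this hunk. Since the geometry ends up as an argument to the X server process, failing early with a clear message is better than letting Xephyr fail later with its own diagnostics; the helper below does that and needs `ctype.h`, and the profile-file path that also sets `xephyr_screen` would want the same check. Note too that `extract_setting` matches with `strlen(argument)` while the main.c hunk uses a fixed 14 for the same flag, so the two matchers can disagree on an argument such as `--xephyr-screen` without `=`. `x11_start_xephyr` continues past the end of the hunk.
```c
// accept only WIDTHxHEIGHT with non-empty decimal fields, e.g. 640x480
static int valid_screen(const char *s) {
	const char *p = s;
	while (isdigit((unsigned char)*p))
		p++;
	if (p == s || *p != 'x')
		return 0;
	const char *h = ++p;
	while (isdigit((unsigned char)*p))
		p++;
	return p != h && *p == '\0';
}

// … unchanged: extract_setting, example comments, start of x11_start_xephyr …
	char *newscreen = extract_setting(argc, argv, "--xephyr-screen=");
	if (newscreen) {
		if (!valid_screen(newscreen)) {
			fprintf(stderr, "Error: invalid --xephyr-screen value %s\n", newscreen);
			exit(1);
		}
		xephyr_screen = newscreen;
	}
	// … unchanged: setenv and the rest of the function …
```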
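--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -341,6 +341,21 @@ Enable X11 sandboxing with Xpra server.
 .TP
 \fBx11 xvfb
 Enable X11 sandboxing with Xvfb server.
+.TP
+\fBxephyr-screen WIDTHxHEIGHT
+Set screen size for x11 xephyr. This command should be included in the profile file before x11 xephyr command.
+.br
+
+.br
+Example:
+.br
+
+.br
+xephyr-screen 640x480
+.br
+x11 xephyr
+
+
 
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.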
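--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1980,7 +1980,17 @@ On the client machine we start a VNC viewer and use it to connect to our server:
 $ vncviewer
 .br
 
+.TP
+\fB\-\-xephyr-screen=WIDTHxHEIGHT
+Set screen size for --x11=xephyr. The setting will overwrite the default set in /etc/firejail/firejail.config
+for the current sandbox. Run xrandr to get a list of supported resolutions on your computer.
+.br
 
+.br
+Example:
+.br
+$ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
+.br
 
 .TP
 \fB\-\-zsh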