author | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-09-10 21:16:09 +0300 |
---|---|---|
committer | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-09-10 21:16:09 +0300 |
commit | 85195f55733b5a369ddbc335393b3a16e10647a5 (patch) | |
tree | f8d02e95033d6127761155ed8591a604a16150a2 | |
parent | 0.9.42 testing - CentOS 6 (diff) | |
add x11=block option
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 39 | ||||
-rw-r--r-- | src/firejail/x11.c | 55 |
4 files changed, 104 insertions, 0 deletions
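--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -315,6 +315,7 @@ extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit
 extern int arg_apparmor; // apparmor
 extern int arg_allow_debuggers; // allow debuggers
+extern int arg_x11_block; // block X11
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -623,6 +624,7 @@ int x11_display(void);
 void x11_start(int argc, char **argv);
 void x11_start_xpra(int argc, char **argv);
 void x11_start_xephyr(int argc, char **argv);
+void x11_block(void);
 
 // ls.c
 #define SANDBOX_FS_LS 0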
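Review bot: The new `void x11_block(void);` prototype in the second hunk is undocumented, while its implementation in x11.c terminates the process with exit(1) when abstract X11 sockets remain reachable, which a caller in main.c cannot infer from the name. A one-line comment at the declaration, such as `// block X11: blacklists /tmp/.X11-unix and .Xauthority, removes DISPLAY/XAUTHORITY; exits if the abstract X11 socket is still reachable`, would make that contract visible where the other x11_* prototypes are listed.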
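--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -105,6 +105,7 @@ int arg_audit = 0; // audit
 char *arg_audit_prog = NULL; // audit
 int arg_apparmor = 0; // apparmor
 int arg_allow_debuggers = 0; // allow debuggers
+int arg_x11_block = 0; // block X11
 int login_shell = 0;
 
 int parent_to_child_fds[2];
@@ -2118,6 +2119,9 @@ int main(int argc, char **argv) {
 return 1;
 }
 }
+else if (strcmp(argv[i], "--x11=block") == 0) {
+arg_x11_block = 1;
+}
 else if (strcmp(argv[i], "--") == 0) {
 // double dash - positional params to follow
 arg_doubledash = 1;
@@ -2284,6 +2288,10 @@ int main(int argc, char **argv) {
 }
 }
 
+// block X11 sockets
+if (arg_x11_block)
+x11_block();
+
 // check network configuration options - it will exit if anything went wrong
 net_check_cfg();
 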
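Review bot: The `--x11=block` branch in the second main() hunk sets `arg_x11_block = 1;` without the `#ifdef HAVE_X11` guard that the equivalent `x11 block` profile directive in profile.c uses, and since `x11_block()` in x11.c compiles to an empty body without HAVE_X11, a build without X11 support accepts the option and silently does nothing while the user believes X11 is isolated. Wrap the assignment in `#ifdef HAVE_X11 … #endif` the way profile.c does, and in the `#else` arm print a warning such as `fprintf(stderr, "Warning: --x11=block ignored, firejail was built without X11 support\n");` so the missing isolation is visible. The same silent acceptance applies to the profile.c `x11 block` branch, which returns 0 either way. main() starts before and ends after both of its hunks.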
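--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -625,6 +625,45 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_private = 1;
 return 0;
 }
+
+if (strcmp(ptr, "x11 block") == 0) {
+#ifdef HAVE_X11
+arg_x11_block = 1;
+#endif
+return 0;
+}
+
+if (strcmp(ptr, "x11 xephyr") == 0) {
+#ifdef HAVE_X11
+if (checkcfg(CFG_X11)) {
+char *x11env = getenv("FIREJAIL_X11");
+if (x11env && strcmp(x11env, "yes") == 0)
+return 0;
+else {
+// start x11
+x11_start_xephyr(cfg.original_argc, cfg.original_argv);
+exit(0);
+}
+}
+#endif
+return 0;
+}
+
+if (strcmp(ptr, "x11 xpra") == 0) {
+#ifdef HAVE_X11
+if (checkcfg(CFG_X11)) {
+char *x11env = getenv("FIREJAIL_X11");
+if (x11env && strcmp(x11env, "yes") == 0)
+return 0;
+else {
+// start x11
+x11_start_xpra(cfg.original_argc, cfg.original_argv);
+exit(0);
+}
+}
+#endif
+return 0;
+}
 
 if (strcmp(ptr, "x11") == 0) {
 #ifdef HAVE_X11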
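Review bot: The `x11 xephyr` and `x11 xpra` branches are identical apart from the launcher they call, so the checkcfg(CFG_X11) gate and the FIREJAIL_X11 handshake now live in two places (three, if the `x11` branch that follows the hunk has the same shape) and will drift the next time one of them changes. A file-scope static helper that takes the launcher as a function pointer collapses each directive to a one-line call; the fence below shows it, with the helper placed above profile_check_line since that function starts before and ends after this hunk.
```c
#ifdef HAVE_X11
// Shared tail of the "x11 xephyr" / "x11 xpra" directives: hand off to the
// given X server launcher and exit, unless the X11 option is disabled in the
// config or FIREJAIL_X11 is already "yes" (presumably set by the launcher
// for the relaunched process — confirm against x11_start_*).
static void x11_profile_start(void (*start)(int, char **)) {
	if (!checkcfg(CFG_X11))
		return;
	char *x11env = getenv("FIREJAIL_X11");
	if (x11env && strcmp(x11env, "yes") == 0)
		return;
	// start x11
	start(cfg.original_argc, cfg.original_argv);
	exit(0);
}
#endif

// … unchanged: "x11 block" directive …

if (strcmp(ptr, "x11 xephyr") == 0) {
#ifdef HAVE_X11
	x11_profile_start(x11_start_xephyr);
#endif
	return 0;
}

if (strcmp(ptr, "x11 xpra") == 0) {
#ifdef HAVE_X11
	x11_profile_start(x11_start_xpra);
#endif
	return 0;
}
```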
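--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -51,6 +51,27 @@ static int x11_check_xephyr(void) {
 return 1;
 }
 
+// check for X11 abstract sockets
+static int x11_abstract_sockets_present(void) {
+char *path;
+FILE *fp = fopen("/proc/net/unix", "r");
+if (!fp)
+errExit("fopen");
+
+while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) {
+if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
+free(path);
+fclose(fp);
+return 1;
+}
+}
+
+free(path);
+fclose(fp);
+
+return 0;
+}
+
 static int random_display_number(void) {
 int i;
 int found = 1;
@@ -566,3 +587,37 @@ void x11_start(int argc, char **argv) {
 }
 
 #endif
+
+void x11_block(void) {
+#ifdef HAVE_X11
+// check abstract socket presence and network namespace options
+if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+&& x11_abstract_sockets_present()) {
+fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
+"Additional setup required. To block abstract X11 socket you need either:\n"
+" * use network namespace (--net=none, --net=...)\n"
+" * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
+exit(1);
+}
+
+// blacklist sockets
+profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
+profile_add(strdup("blacklist /tmp/.X11-unix"));
+
+// blacklist .Xauthority
+profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
+profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+char *xauthority = getenv("XAUTHORITY");
+if (xauthority) {
+char *line;
+if (asprintf(&line, "blacklist %s", xauthority) == -1)
+errExit("asprintf");
+profile_check_line(line, 0, NULL);
+profile_add(line);
+}
+
+// clear enviroment
+env_store("DISPLAY", RMENV);
+env_store("XAUTHORITY", RMENV);
+#endif
+}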
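Review bot: x11_abstract_sockets_present() in the first hunk streams one fscanf() across line boundaries, but /proc/net/unix lists unbound sockets with no Path column, so after such an entry the `%ms` conversion swallows the first field of the following line and every later conversion is misaligned; a listener named @/tmp/.X11-unix/X0 can then land on a `%*s` and be skipped, and x11_block() in the second hunk proceeds as if the abstract socket were unreachable, which is exactly the case the ERROR message exists to catch. `path` is also declared without an initializer, so `free(path)` after the loop is undefined when the first fscanf() returns EOF, `if (path && …)` reads an indeterminate value when it returns 0, and every non-matching `%ms` allocation leaks because only the matching one is freed inside the loop. Reading one line at a time with getline() and parsing it with sscanf() fixes all three without changing the helper's interface, so x11_block() needs no change. Both functions lie entirely within this section.
```c
// check for X11 abstract sockets
static int x11_abstract_sockets_present(void) {
	FILE *fp = fopen("/proc/net/unix", "r");
	if (!fp)
		errExit("fopen");

	// /proc/net/unix is one socket per line and unbound sockets have no
	// Path column, so parse each line on its own instead of letting fscanf
	// run across line boundaries
	int found = 0;
	char *line = NULL;
	size_t cap = 0;
	while (!found && getline(&line, &cap, fp) != -1) {
		char *path = NULL;
		if (sscanf(line, "%*s %*s %*s %*s %*s %*s %*s %ms", &path) == 1) {
			if (strncmp(path, "@/tmp/.X11-unix/", 16) == 0)
				found = 1;
			free(path);
		}
	}

	free(line);
	fclose(fp);
	return found;
}
```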