author | smitsohu <smitsohu@gmail.com> | 2019-10-08 15:38:47 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-10-08 15:38:47 +0200 |
commit | 8e62cb50dd7e4477e57c3daafa418c8b8034803b (patch) | |
tree | d88b28260396e738e41610b655ecabcc53648c01 | |
parent | little tweaks (diff) | |
add HAS_X11 conditional, disconnect session manager - #2205
-rw-r--r-- | etc/disable-common.inc | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 |
3 files changed, 11 insertions, 1 deletions
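--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -62,6 +62,10 @@ blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 
+# Session manager
+?HAS_X11: blacklist ${HOME}/.ICEauthority
+?HAS_X11: blacklist /tmp/.ICE-unix
+
 # KDE config
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc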
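Review bot: The `# Session manager` comment does not say when the two `?HAS_X11:` blacklists apply or what they leave open. Going by `check_x11` in src/firejail/profile.c, they take effect only when `arg_x11_block` is set or `FIREJAIL_X11` is in the environment, so a sandbox started without X11 sandboxing still sees `${HOME}/.ICEauthority` and `/tmp/.ICE-unix`. Blacklisting the directory also covers only the filesystem socket; if the session manager additionally listens on an abstract-namespace socket (presumably the case on Linux, worth confirming), that endpoint stays reachable unless the sandbox has its own network namespace, leaving the cookie-file blacklist as the effective barrier. I would expand the comment to something like `# Session manager: only blocked when X11 sandboxing is active; an abstract ICE socket needs a separate network namespace to be cut off`.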
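--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -147,6 +147,10 @@ static int check_nodbus(void) {
 return arg_nodbus != 0;
 }
 
+static int check_x11(void) {
+return (arg_x11_block || getenv("FIREJAIL_X11"));
+}
+
 static int check_disable_u2f(void) {
 return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0;
 }
@@ -158,6 +162,7 @@ static int check_allow_drm(void) {
 Cond conditionals[] = {
 {"HAS_APPIMAGE", check_appimage},
 {"HAS_NODBUS", check_nodbus},
+{"HAS_X11", check_x11},
 {"BROWSER_DISABLE_U2F", check_disable_u2f},
 {"BROWSER_ALLOW_DRM", check_allow_drm},
 { NULL, NULL }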
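Review bot: `check_x11` is undocumented and its conditional name, `HAS_X11`, reads as "an X server is available", while the body is true only when `arg_x11_block` is set or `FIREJAIL_X11` exists in the environment. The `getenv("FIREJAIL_X11")` half is inherited from whoever invokes the program, so the conditional can be switched on just by exporting that variable. In this commit that only adds blacklists, but any later `?HAS_X11:` line that relaxes a restriction would become caller-controlled, which deserves a warning next to the function. I would add a comment above it such as `/* true when X11 sandboxing is in effect: arg_x11_block, or FIREJAIL_X11 in the (caller-supplied) environment; use only to tighten profiles */`. I would also compare explicitly, `getenv("FIREJAIL_X11") != NULL`, to match the `!= 0` style of `check_nodbus`. The `conditionals[]` initializer is closed outside the hunk.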
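--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,8 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F, and BROWSER_ALLOW_DRM.
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
 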