Merge pull request #776 from manevich/x11

small --x11=block fixes

1 files changed, 8 insertions, 3 deletions

diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 29111d5ff..774294ff1 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -54,7 +54,11 @@ static int x11_check_xephyr(void) {
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
         char *path;
+
+        EUID_ROOT(); // grsecurity fix
         FILE *fp = fopen("/proc/net/unix", "r");
+        EUID_USER();
+
         if (!fp)
                 errExit("fopen");
 
@@ -594,9 +598,10 @@ void x11_block(void) {
         if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
                 && x11_abstract_sockets_present()) {
                 fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
-                                                "Additional setup required. To block abstract X11 socket you need either:\n"
-                                                " * use network namespace (--net=none, --net=...)\n"
-                                                " * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
+                                                "Additional setup required. To block abstract X11 socket you can either:\n"
+                                                " * use network namespace in firejail (--net=none, --net=...)\n"
+                                                " * add \"-nolisten local\" to xserver options\n"
+                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
                 exit(1);
         }