renamed --x11=block to --x11=none, brought back the requirement for network namespaces for x11 sandboxing

author: netblue30 <netblue30@yahoo.com> 2016-10-02 10:23:29 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-10-02 10:23:29 -0400
commit: b7d5d68ae43edb1cd2da60762a9e297934f76b5b (patch)
tree: e67378bea9dba366dd2fd6901af30a756b49e252
parent: Merge pull request #829 from reinerh/master (diff)
download: firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.gz
firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.zst
firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.zip
6 files changed, 8 insertions, 12 deletions
diff --git a/README b/README
index e98352913..325ef2aa5 100644
--- a/README
+++ b/README
@@ -43,7 +43,7 @@ Aleksey Manevich (https://github.com/manevich)
        - added --fix option to firecfg utility
        - read_pid fix
        - added --x11=block options
-        - x11 xpra, xphyr, block profile commands
+        - x11 xpra, xphyr, none profile commands
        - added --join-or-start command
        - CVE-2016-7545
 Fred-Barclay (https://github.com/Fred-Barclay)
@@ -79,6 +79,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
        - evince profile enhancement
 vismir2 (https://github.com/vismir2)
        - feh, ranger and zathura profiles
+        - lots of profile fixes
 graywolf (https://github.com/graywolf)
        - spelling fix
 Dara Adib (https://github.com/daradib)
diff --git a/README.md b/README.md
index b6f80a52f..a8075cc1e 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
 ## New command line options
 `````
-      --x11=block
+      --x11=none
              Blacklist  /tmp/.X11-unix  directory,  ${HOME}/.Xauthority  and  file
              specified in ${XAUTHORITY} environment variable.  Remove  DISPLAY  and
              XAUTHORITY  environment  variables.   Stop  with  error message if X11
@@ -84,7 +84,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
 ## New profile commands
-x11 xpra, x11 xephyr, x11 block, allusers, join-or-start
+x11 xpra, x11 xephyr, x11 none, allusers, join-or-start
 ## New profiles
diff --git a/RELNOTES b/RELNOTES
index ad4c750b5..4ae23c2f3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,8 +4,6 @@ firejail (0.9.43) baseline; urgency=low
  * modifs: removed man firejail-config
  * modifs: --private-tmp whitelists /tmp/.X11-unix directory
  * modifs: Nvidia drivers added to --private-dev
-  * modifs: dropping requirement for network namespace when 
-     using a --x11
  * feature: support starting/joining sandbox is a single command
    (--join-or-start)
  * feature: X11 detection support for --audit
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 91ea523ab..c4b7ce4dc 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2208,7 +2208,7 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
-                else if (strcmp(argv[i], "--x11=block") == 0) {
+                else if (strcmp(argv[i], "--x11=none") == 0) {
                        arg_x11_block = 1;
                }
                else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 36023e067..def1dd324 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -52,7 +52,6 @@ static int x11_check_xephyr(void) {
        return 1;
 }
-#if 0
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
        char *path;
@@ -77,7 +76,6 @@ static int x11_abstract_sockets_present(void) {
        return 0;
 }
-#endif
 static int random_display_number(void) {
        int i;
@@ -598,18 +596,17 @@ void x11_start(int argc, char **argv) {
 void x11_block(void) {
 #ifdef HAVE_X11
        mask_x11_abstract_socket = 1;
-#if 0
        // check abstract socket presence and network namespace options
        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
                && x11_abstract_sockets_present()) {
-                fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
+                fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
                                                "Additional setup required. To block abstract X11 socket you can either:\n"
                                                " * use network namespace in firejail (--net=none, --net=...)\n"
                                                " * add \"-nolisten local\" to xserver options\n"
                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
                exit(1);
        }
-#endif
        // blacklist sockets
        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3ceb21e78..aadc54677 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1713,7 +1713,7 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 .TP
-\fB\-\-x11=block
+\fB\-\-x11=none
 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
author	netblue30 <netblue30@yahoo.com>	2016-10-02 10:23:29 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-10-02 10:23:29 -0400
commit	b7d5d68ae43edb1cd2da60762a9e297934f76b5b (patch)
tree	e67378bea9dba366dd2fd6901af30a756b49e252
parent	Merge pull request #829 from reinerh/master (diff)
download	firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.gz firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.zst firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.zip

diff --git a/README b/README index e98352913..325ef2aa5 100644 --- a/README +++ b/README
@@ -43,7 +43,7 @@ Aleksey Manevich (https://github.com/manevich)
43	- added --fix option to firecfg utility	43	- added --fix option to firecfg utility
44	- read_pid fix	44	- read_pid fix
45	- added --x11=block options	45	- added --x11=block options
46	- x11 xpra, xphyr, block profile commands	46	- x11 xpra, xphyr, none profile commands
47	- added --join-or-start command	47	- added --join-or-start command
48	- CVE-2016-7545	48	- CVE-2016-7545
49	Fred-Barclay (https://github.com/Fred-Barclay)	49	Fred-Barclay (https://github.com/Fred-Barclay)
@@ -79,6 +79,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
79	- evince profile enhancement	79	- evince profile enhancement
80	vismir2 (https://github.com/vismir2)	80	vismir2 (https://github.com/vismir2)
81	- feh, ranger and zathura profiles	81	- feh, ranger and zathura profiles
		82	- lots of profile fixes
82	graywolf (https://github.com/graywolf)	83	graywolf (https://github.com/graywolf)
83	- spelling fix	84	- spelling fix
84	Dara Adib (https://github.com/daradib)	85	Dara Adib (https://github.com/daradib)


diff --git a/README.md b/README.md index b6f80a52f..a8075cc1e 100644 --- a/README.md +++ b/README.md
@@ -47,7 +47,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
47		47
48	## New command line options	48	## New command line options
49	`````	49	`````
50	--x11=block	50	--x11=none
51	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file	51	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
52	specified in ${XAUTHORITY} environment variable. Remove DISPLAY and	52	specified in ${XAUTHORITY} environment variable. Remove DISPLAY and
53	XAUTHORITY environment variables. Stop with error message if X11	53	XAUTHORITY environment variables. Stop with error message if X11
@@ -84,7 +84,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
84		84
85	## New profile commands	85	## New profile commands
86		86
87	x11 xpra, x11 xephyr, x11 block, allusers, join-or-start	87	x11 xpra, x11 xephyr, x11 none, allusers, join-or-start
88		88
89	## New profiles	89	## New profiles
90		90


diff --git a/RELNOTES b/RELNOTES index ad4c750b5..4ae23c2f3 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -4,8 +4,6 @@ firejail (0.9.43) baseline; urgency=low
4	* modifs: removed man firejail-config	4	* modifs: removed man firejail-config
5	* modifs: --private-tmp whitelists /tmp/.X11-unix directory	5	* modifs: --private-tmp whitelists /tmp/.X11-unix directory
6	* modifs: Nvidia drivers added to --private-dev	6	* modifs: Nvidia drivers added to --private-dev
7	* modifs: dropping requirement for network namespace when
8	using a --x11
9	* feature: support starting/joining sandbox is a single command	7	* feature: support starting/joining sandbox is a single command
10	(--join-or-start)	8	(--join-or-start)
11	* feature: X11 detection support for --audit	9	* feature: X11 detection support for --audit


diff --git a/src/firejail/main.c b/src/firejail/main.c index 91ea523ab..c4b7ce4dc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -2208,7 +2208,7 @@ int main(int argc, char **argv) {
2208	return 1;	2208	return 1;
2209	}	2209	}
2210	}	2210	}
2211	else if (strcmp(argv[i], "--x11=block") == 0) {	2211	else if (strcmp(argv[i], "--x11=none") == 0) {
2212	arg_x11_block = 1;	2212	arg_x11_block = 1;
2213	}	2213	}
2214	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {	2214	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 36023e067..def1dd324 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -52,7 +52,6 @@ static int x11_check_xephyr(void) {
52	return 1;	52	return 1;
53	}	53	}
54		54
55	#if 0
56	// check for X11 abstract sockets	55	// check for X11 abstract sockets
57	static int x11_abstract_sockets_present(void) {	56	static int x11_abstract_sockets_present(void) {
58	char *path;	57	char *path;
@@ -77,7 +76,6 @@ static int x11_abstract_sockets_present(void) {
77		76
78	return 0;	77	return 0;
79	}	78	}
80	#endif
81		79
82	static int random_display_number(void) {	80	static int random_display_number(void) {
83	int i;	81	int i;
@@ -598,18 +596,17 @@ void x11_start(int argc, char **argv) {
598	void x11_block(void) {	596	void x11_block(void) {
599	#ifdef HAVE_X11	597	#ifdef HAVE_X11
600	mask_x11_abstract_socket = 1;	598	mask_x11_abstract_socket = 1;
601	#if 0	599
602	// check abstract socket presence and network namespace options	600	// check abstract socket presence and network namespace options
603	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)	601	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
604	&& x11_abstract_sockets_present()) {	602	&& x11_abstract_sockets_present()) {
605	fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"	603	fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
606	"Additional setup required. To block abstract X11 socket you can either:\n"	604	"Additional setup required. To block abstract X11 socket you can either:\n"
607	" * use network namespace in firejail (--net=none, --net=...)\n"	605	" * use network namespace in firejail (--net=none, --net=...)\n"
608	" * add \"-nolisten local\" to xserver options\n"	606	" * add \"-nolisten local\" to xserver options\n"
609	" (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");	607	" (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
610	exit(1);	608	exit(1);
611	}	609	}
612	#endif
613		610
614	// blacklist sockets	611	// blacklist sockets
615	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);	612	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3ceb21e78..aadc54677 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1713,7 +1713,7 @@ Example:
1713	$ firejail \-\-x11=xephyr --net=eth0 openbox	1713	$ firejail \-\-x11=xephyr --net=eth0 openbox
1714		1714
1715	.TP	1715	.TP
1716	\fB\-\-x11=block	1716	\fB\-\-x11=none
1717	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.	1717	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
1718	Remove DISPLAY and XAUTHORITY environment variables.	1718	Remove DISPLAY and XAUTHORITY environment variables.
1719	Stop with error message if X11 abstract socket will be accessible in jail.	1719	Stop with error message if X11 abstract socket will be accessible in jail.