author | smitsohu <smitsohu@gmail.com> | 2020-03-31 15:07:01 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-08-09 01:13:39 +0200 |
commit | 62a36d08c67df7619375a609c65445947a64549e (patch) | |
tree | 740aa5bf76d25c997cf12859ab791d610c80859b | |
parent | private-home: create directories as the user (diff) | |
extra x11 hardening
-rw-r--r-- | src/firejail/x11.c | 19 |
1 files changed, 8 insertions, 11 deletions
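--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1175,16 +1175,15 @@ void x11_xorg(void) {
 
 	// move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
 	// automatically when the sandbox is closed (rename doesn't work)
-	// root needed
-	if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
-		fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
-		exit(1);
-	}
+	if (arg_debug)
+		printf("Copying the new .Xauthority file\n");
+	copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600);
+
 	/* coverity[toctou] */
 	unlink(tmpfname);
 	umount("/tmp");
 
-	// remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
+	// mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
 	fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
 
 	// Ensure there is already a file in the usual location, so that bind-mount below will work.
@@ -1294,19 +1293,17 @@ void fs_x11(void) {
 	if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
 		errExit("mount bind");
 
-	// This directory must be mode 1777, or Xlib will barf.
+	// This directory must be mode 1777
 	if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
 		MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
 		"mode=1777,uid=0,gid=0") < 0)
 		errExit("mounting tmpfs on /tmp/.X11-unix");
 	fs_logger("tmpfs /tmp/.X11-unix");
 
-	// create an empty file which will have the desired socket bind-mounted over it
-	int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT);
+	// create an empty root-owned file which will have the desired socket bind-mounted over it
+	int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR);
 	if (fd < 0)
 		errExit(x11file);
-	if (fchown(fd, x11stat.st_uid, x11stat.st_gid))
-		errExit("fchown");
 	close(fd);
 
 	// the mount source is under control of the user, so be careful and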
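Review bot: In the x11_xorg hunk, the explicit failure path that copy_file() had (the "cannot create the new .Xauthority file" message and exit(1)) disappears, and the result of copy_file_from_user_to_root() is not examined, so unless that helper terminates the sandbox itself on error, execution would continue to unlink(tmpfname) and fs_remount() with an empty or missing RUN_XAUTHORITY_SEC_FILE and the sandboxed client would silently lose its X authority cookie. If the helper does abort on failure, a one-line comment above the call, `// copy_file_from_user_to_root() aborts the sandbox on failure, so no return check is needed here`, would document why the old error path was safe to drop; if it does not, the old error handling should be restored around it. In the fs_x11 hunk, the placeholder is now created read-only with S_IRUSR | S_IWUSR as root and the fchown() is gone, which is consistent with the "root-owned" comment, though x11stat may now be unused in that function and should be checked against the rest of its body. Both x11_xorg and fs_x11 start and end outside these hunks.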