fixed private-tmp problem on KDE systems

2 files changed, 15 insertions, 1 deletions

diff --git a/etc/firefox.profile b/etc/firefox.profile
index dec44ca67..20acde62a 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -51,4 +51,4 @@ include /etc/firejail/whitelist-common.inc
 #private-bin firefox,which,sh,dbus-launch,dbus-send,env
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev 
-#private-tmp
+private-tmp
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f26f8b06a..d1557e8b2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
                 else {
                         // private-tmp is implemented as a whitelist
                         EUID_USER();
+                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        char *xauth = getenv("XAUTHORITY");
+                        if (xauth) {
+                                char *rp = realpath(xauth, NULL);
+                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                                        char *cmd;
+                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                                errExit("asprintf");
+                                        profile_add(cmd); // profile_add does not duplicate the string
+                                }
+                                if (rp)
+                                        free(rp);
+                        }
+                        // whitelist x11 directory
                         profile_add("whitelist /tmp/.X11-unix");
                         EUID_ROOT();
                 }