diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-06-23 08:42:00 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-06-23 08:42:00 -0400 |
| commit | fbf0ca925f15b6e32919cc2fc68be3245f46e9e7 (patch) | |
| tree | 0cc25e2e3d396123da66c3bf5ad2232a8bf05686 | |
| parent | libreoffice fix (diff) | |
| download | firejail-fbf0ca925f15b6e32919cc2fc68be3245f46e9e7.tar.gz firejail-fbf0ca925f15b6e32919cc2fc68be3245f46e9e7.tar.zst firejail-fbf0ca925f15b6e32919cc2fc68be3245f46e9e7.zip | |
x11/chroot fix
| -rw-r--r-- | src/firejail/fs.c | 32 | ||||
| -rw-r--r-- | src/firejail/x11.c | 3 |
2 files changed, 30 insertions, 5 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7811fd2a2..be77dfa85 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -1006,7 +1006,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
| 1006 | } | 1006 | } |
| 1007 | free(name); | 1007 | free(name); |
| 1008 | 1008 | ||
| 1009 | // check /proc | 1009 | // check /tmp |
| 1010 | if (asprintf(&name, "%s/tmp", rootdir) == -1) | 1010 | if (asprintf(&name, "%s/tmp", rootdir) == -1) |
| 1011 | errExit("asprintf"); | 1011 | errExit("asprintf"); |
| 1012 | if (stat(name, &s) == -1) { | 1012 | if (stat(name, &s) == -1) { |
| @@ -1014,7 +1014,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
| 1014 | return 1; | 1014 | return 1; |
| 1015 | } | 1015 | } |
| 1016 | free(name); | 1016 | free(name); |
| 1017 | 1017 | ||
| 1018 | // check /bin/bash | 1018 | // check /bin/bash |
| 1019 | if (asprintf(&name, "%s/bin/bash", rootdir) == -1) | 1019 | if (asprintf(&name, "%s/bin/bash", rootdir) == -1) |
| 1020 | errExit("asprintf"); | 1020 | errExit("asprintf"); |
| @@ -1024,6 +1024,18 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
| 1024 | } | 1024 | } |
| 1025 | free(name); | 1025 | free(name); |
| 1026 | 1026 | ||
| 1027 | // check x11 socket directory | ||
| 1028 | if (getenv("FIREJAIL_X11")) { | ||
| 1029 | char *name; | ||
| 1030 | if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1) | ||
| 1031 | errExit("asprintf"); | ||
| 1032 | if (stat(name, &s) == -1) { | ||
| 1033 | fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n"); | ||
| 1034 | return 1; | ||
| 1035 | } | ||
| 1036 | free(name); | ||
| 1037 | } | ||
| 1038 | |||
| 1027 | return 0; | 1039 | return 0; |
| 1028 | } | 1040 | } |
| 1029 | 1041 | ||
| @@ -1031,10 +1043,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
| 1031 | void fs_chroot(const char *rootdir) { | 1043 | void fs_chroot(const char *rootdir) { |
| 1032 | assert(rootdir); | 1044 | assert(rootdir); |
| 1033 | 1045 | ||
| 1034 | //*********************************** | ||
| 1035 | // mount-bind a /dev in rootdir | 1046 | // mount-bind a /dev in rootdir |
| 1036 | //*********************************** | ||
| 1037 | // mount /dev | ||
| 1038 | char *newdev; | 1047 | char *newdev; |
| 1039 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) | 1048 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) |
| 1040 | errExit("asprintf"); | 1049 | errExit("asprintf"); |
| @@ -1042,6 +1051,19 @@ void fs_chroot(const char *rootdir) { | |||
| 1042 | printf("Mounting /dev on %s\n", newdev); | 1051 | printf("Mounting /dev on %s\n", newdev); |
| 1043 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) | 1052 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) |
| 1044 | errExit("mounting /dev"); | 1053 | errExit("mounting /dev"); |
| 1054 | free(newdev); | ||
| 1055 | |||
| 1056 | // x11 | ||
| 1057 | if (getenv("FIREJAIL_X11")) { | ||
| 1058 | char *newx11; | ||
| 1059 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) | ||
| 1060 | errExit("asprintf"); | ||
| 1061 | if (arg_debug) | ||
| 1062 | printf("Mounting /tmp/.X11-unix on %s\n", newdev); | ||
| 1063 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 1064 | errExit("mounting /tmp/.X11-unix"); | ||
| 1065 | free(newx11); | ||
| 1066 | } | ||
| 1045 | 1067 | ||
| 1046 | // some older distros don't have a /run directory | 1068 | // some older distros don't have a /run directory |
| 1047 | // create one by default | 1069 | // create one by default |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index c742ff567..2accaeb71 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
| @@ -168,6 +168,8 @@ void x11_start_xephyr(int argc, char **argv) { | |||
| 168 | pid_t server = 0; | 168 | pid_t server = 0; |
| 169 | 169 | ||
| 170 | 170 | ||
| 171 | setenv("FIREJAIL_X11", "yes", 1); | ||
| 172 | |||
| 171 | // unfortunately, xephyr does a number of weird things when started by root user!!! | 173 | // unfortunately, xephyr does a number of weird things when started by root user!!! |
| 172 | if (getuid() == 0) { | 174 | if (getuid() == 0) { |
| 173 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); | 175 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); |
| @@ -296,6 +298,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
| 296 | pid_t client = 0; | 298 | pid_t client = 0; |
| 297 | pid_t server = 0; | 299 | pid_t server = 0; |
| 298 | 300 | ||
| 301 | setenv("FIREJAIL_X11", "yes", 1); | ||
| 299 | 302 | ||
| 300 | // unfortunately, xpra does a number of weird things when started by root user!!! | 303 | // unfortunately, xpra does a number of weird things when started by root user!!! |
| 301 | if (getuid() == 0) { | 304 | if (getuid() == 0) { |