Expose /tmp/.X11-unix as read-only as per Issue #2269

author: ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> 2019-05-19 22:56:36 +0000
committer: ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> 2019-05-19 22:56:36 +0000
commit: feae44c4ff406f6191426762cc2edec000bed0af (patch)
tree: 1f5a64630180d9a00428c9e7f770154570894b98
parent: Refactor eog and eom profiles with common redirect (#2708) (diff)
download: firejail-feae44c4ff406f6191426762cc2edec000bed0af.tar.gz
firejail-feae44c4ff406f6191426762cc2edec000bed0af.tar.zst
firejail-feae44c4ff406f6191426762cc2edec000bed0af.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index bf7c0a4b2..f3ef97aeb 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1519,6 +1519,8 @@ void fs_private_tmp(void) {
        // whitelist x11 directory
        profile_add("whitelist /tmp/.X11-unix");
+        // read-only x11 directory
+        profile_add("read-only /tmp/.X11-unix");
        // whitelist any pulse* file in /tmp directory
        // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
author	ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com>	2019-05-19 22:56:36 +0000
committer	ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com>	2019-05-19 22:56:36 +0000
commit	feae44c4ff406f6191426762cc2edec000bed0af (patch)
tree	1f5a64630180d9a00428c9e7f770154570894b98
parent	Refactor eog and eom profiles with common redirect (#2708) (diff)
download	firejail-feae44c4ff406f6191426762cc2edec000bed0af.tar.gz firejail-feae44c4ff406f6191426762cc2edec000bed0af.tar.zst firejail-feae44c4ff406f6191426762cc2edec000bed0af.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index bf7c0a4b2..f3ef97aeb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -1519,6 +1519,8 @@ void fs_private_tmp(void) {
1519		1519
1520	// whitelist x11 directory	1520	// whitelist x11 directory
1521	profile_add("whitelist /tmp/.X11-unix");	1521	profile_add("whitelist /tmp/.X11-unix");
		1522	// read-only x11 directory
		1523	profile_add("read-only /tmp/.X11-unix");
1522		1524
1523	// whitelist any pulse* file in /tmp directory	1525	// whitelist any pulse* file in /tmp directory
1524	// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user	1526	// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user