x11 hardening

author: smitsohu <smitsohu@gmail.com> 2019-10-13 03:21:27 +0200
committer: smitsohu <smitsohu@gmail.com> 2019-10-13 03:21:27 +0200
commit: 6cec1f7e1bed4c39a26d45e73f0bba6a13980997 (patch)
tree: 9b99d80cd3a05f83f685fd248839505b2c6b5fc7 /src/firejail/x11.c
parent: shorten fedora firefox private-bin (diff)
download: firejail-6cec1f7e1bed4c39a26d45e73f0bba6a13980997.tar.gz
firejail-6cec1f7e1bed4c39a26d45e73f0bba6a13980997.tar.zst
firejail-6cec1f7e1bed4c39a26d45e73f0bba6a13980997.zip
1 files changed, 33 insertions, 11 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index e707ab8bd..944c24bc7 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1263,11 +1263,22 @@ void fs_x11(void) {
        if (display <= 0)
                return;
+        struct stat s1, s2;
+        if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0)
+                return;
+        if ((s1.st_mode & S_ISVTX) == 0) {
+                fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n");
+                return;
+        }
+        if (s2.st_uid != 0) {
+                fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n");
+                return;
+        }
        char *x11file;
        if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
                errExit("asprintf");
        struct stat x11stat;
-        if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) {
+        if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) {
                free(x11file);
                return;
        }
@@ -1278,12 +1289,8 @@ void fs_x11(void) {
        // Move the real /tmp/.X11-unix to a scratch location
        // so we can still access x11file after we mount a
        // tmpfs over /tmp/.X11-unix.
-        int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700);
+        if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1)
-        if (rv == -1)
                errExit("mkdir");
-        if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700))
-                errExit("set_perms");
        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
                errExit("mount bind");
@@ -1302,21 +1309,36 @@ void fs_x11(void) {
                errExit("fchown");
        close(fd);
-        // do the mount
+        // the mount source is under control of the user, so be careful and
+        // mount without following symbolic links, using a file descriptor
        char *wx11file;
        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
                errExit("asprintf");
-        if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
+        fd = safe_fd(wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("opening X11 socket");
+        // confirm once more we are mounting a socket
+        if (fstat(fd, &x11stat) == -1)
+                errExit("fstat");
+        if (!S_ISSOCK(x11stat.st_mode)) {
+                errno = ENOTSOCK;
+                errExit("mounting X11 socket");
+        }
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger2("whitelist", x11file);
+        close(fd);
-        free(x11file);
+        free(proc);
-        free(wx11file);
        // block access to RUN_WHITELIST_X11_DIR
        if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
                errExit("mount");
        fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
+        free(wx11file);
+        free(x11file);
 #endif
 }
author	smitsohu <smitsohu@gmail.com>	2019-10-13 03:21:27 +0200
committer	smitsohu <smitsohu@gmail.com>	2019-10-13 03:21:27 +0200
commit	6cec1f7e1bed4c39a26d45e73f0bba6a13980997 (patch)
tree	9b99d80cd3a05f83f685fd248839505b2c6b5fc7 /src/firejail/x11.c
parent	shorten fedora firefox private-bin (diff)
download	firejail-6cec1f7e1bed4c39a26d45e73f0bba6a13980997.tar.gz firejail-6cec1f7e1bed4c39a26d45e73f0bba6a13980997.tar.zst firejail-6cec1f7e1bed4c39a26d45e73f0bba6a13980997.zip

diff --git a/src/firejail/x11.c b/src/firejail/x11.c index e707ab8bd..944c24bc7 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -1263,11 +1263,22 @@ void fs_x11(void) {
1263	if (display <= 0)	1263	if (display <= 0)
1264	return;	1264	return;
1265		1265
		1266	struct stat s1, s2;
		1267	if (stat("/tmp", &s1) != 0 \|\| lstat("/tmp/.X11-unix", &s2) != 0)
		1268	return;
		1269	if ((s1.st_mode & S_ISVTX) == 0) {
		1270	fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n");
		1271	return;
		1272	}
		1273	if (s2.st_uid != 0) {
		1274	fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n");
		1275	return;
		1276	}
1266	char *x11file;	1277	char *x11file;
1267	if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)	1278	if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
1268	errExit("asprintf");	1279	errExit("asprintf");
1269	struct stat x11stat;	1280	struct stat x11stat;
1270	if (stat(x11file, &x11stat) == -1 \|\| !S_ISSOCK(x11stat.st_mode)) {	1281	if (lstat(x11file, &x11stat) != 0 \|\| !S_ISSOCK(x11stat.st_mode)) {
1271	free(x11file);	1282	free(x11file);
1272	return;	1283	return;
1273	}	1284	}
@@ -1278,12 +1289,8 @@ void fs_x11(void) {
1278	// Move the real /tmp/.X11-unix to a scratch location	1289	// Move the real /tmp/.X11-unix to a scratch location
1279	// so we can still access x11file after we mount a	1290	// so we can still access x11file after we mount a
1280	// tmpfs over /tmp/.X11-unix.	1291	// tmpfs over /tmp/.X11-unix.
1281	int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700);	1292	if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1)
1282	if (rv == -1)
1283	errExit("mkdir");	1293	errExit("mkdir");
1284	if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700))
1285	errExit("set_perms");
1286
1287	if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND\|MS_REC, 0) < 0)	1294	if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND\|MS_REC, 0) < 0)
1288	errExit("mount bind");	1295	errExit("mount bind");
1289		1296
@@ -1302,21 +1309,36 @@ void fs_x11(void) {
1302	errExit("fchown");	1309	errExit("fchown");
1303	close(fd);	1310	close(fd);
1304		1311
1305	// do the mount	1312	// the mount source is under control of the user, so be careful and
		1313	// mount without following symbolic links, using a file descriptor
1306	char *wx11file;	1314	char *wx11file;
1307	if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)	1315	if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
1308	errExit("asprintf");	1316	errExit("asprintf");
1309	if (mount(wx11file, x11file, NULL, MS_BIND\|MS_REC, NULL) < 0)	1317	fd = safe_fd(wx11file, O_PATH\|O_NOFOLLOW\|O_CLOEXEC);
		1318	if (fd == -1)
		1319	errExit("opening X11 socket");
		1320	// confirm once more we are mounting a socket
		1321	if (fstat(fd, &x11stat) == -1)
		1322	errExit("fstat");
		1323	if (!S_ISSOCK(x11stat.st_mode)) {
		1324	errno = ENOTSOCK;
		1325	errExit("mounting X11 socket");
		1326	}
		1327	char *proc;
		1328	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
		1329	errExit("asprintf");
		1330	if (mount(proc, x11file, NULL, MS_BIND\|MS_REC, NULL) < 0)
1310	errExit("mount bind");	1331	errExit("mount bind");
1311	fs_logger2("whitelist", x11file);	1332	fs_logger2("whitelist", x11file);
1312		1333	close(fd);
1313	free(x11file);	1334	free(proc);
1314	free(wx11file);
1315		1335
1316	// block access to RUN_WHITELIST_X11_DIR	1336	// block access to RUN_WHITELIST_X11_DIR
1317	if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)	1337	if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
1318	errExit("mount");	1338	errExit("mount");
1319	fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);	1339	fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
		1340	free(wx11file);
		1341	free(x11file);
1320	#endif	1342	#endif
1321	}	1343	}
1322		1344