allow PulseAudio sockets in --private-tmp

author: netblue30 <netblue30@yahoo.com> 2017-04-30 11:51:30 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-04-30 11:51:30 -0400
commit: a2e9b0709309f81050cbba8dd8e9b970fd361e91 (patch)
tree: bf33918d801f8d2bddaf778994863d9f10b4821a /src/firejail
parent: Added galculator profile (diff)
download: firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.tar.gz
firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.tar.zst
firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.zip
3 files changed, 44 insertions, 15 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8831d07f0..09fadcf34 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -408,6 +408,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 025e715e6..ac68e7738 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1214,4 +1214,46 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
+// this function is called from sandbox.c before blacklist/whitelist functions
+void fs_private_tmp(void) {
+        // check XAUTHORITY file, KDE keeps it under /tmp
+        char *xauth = getenv("XAUTHORITY");
+        if (xauth) {
+                char *rp = realpath(xauth, NULL);
+                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                        char *cmd;
+                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                errExit("asprintf");
+                        profile_add(cmd); // profile_add does not duplicate the string
+                }
+                if (rp)
+                        free(rp);
+        }
+        
+        // whitelist x11 directory
+        profile_add("whitelist /tmp/.X11-unix");
+        
+        // whitelist any pulse* file in /tmp directory
+        // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
+        DIR *dir;
+        if (!(dir = opendir("/tmp"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/tmp"))) {
+                        return;
+                }
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strncmp(entry->d_name, "pulse-", 6) == 0) {
+                        char *cmd;
+                        if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
+                                errExit("asprintf");
+                        profile_add(cmd); // profile_add does not duplicate the string
+                }
+        }
+        closedir(dir);
+}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 35ca4ff2d..e6deddac5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -741,21 +741,7 @@ int sandbox(void* sandbox_arg) {
                else {
                        // private-tmp is implemented as a whitelist
                        EUID_USER();
-                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        fs_private_tmp();
-                        char *xauth = getenv("XAUTHORITY");
-                        if (xauth) {
-                                char *rp = realpath(xauth, NULL);
-                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
-                                        char *cmd;
-                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
-                                                errExit("asprintf");
-                                        profile_add(cmd); // profile_add does not duplicate the string
-                                }
-                                if (rp)
-                                        free(rp);
-                        }
-                        // whitelist x11 directory
-                        profile_add("whitelist /tmp/.X11-unix");
                        EUID_ROOT();
                }
        }
author	netblue30 <netblue30@yahoo.com>	2017-04-30 11:51:30 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-04-30 11:51:30 -0400
commit	a2e9b0709309f81050cbba8dd8e9b970fd361e91 (patch)
tree	bf33918d801f8d2bddaf778994863d9f10b4821a /src/firejail
parent	Added galculator profile (diff)
download	firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.tar.gz firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.tar.zst firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8831d07f0..09fadcf34 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -408,6 +408,7 @@ void fs_overlayfs(void);
408	// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf	408	// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
409	void fs_chroot(const char *rootdir);	409	void fs_chroot(const char *rootdir);
410	void fs_check_chroot_dir(const char *rootdir);	410	void fs_check_chroot_dir(const char *rootdir);
		411	void fs_private_tmp(void);
411		412
412	// profile.c	413	// profile.c
413	// find and read the profile specified by name from dir directory	414	// find and read the profile specified by name from dir directory


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 025e715e6..ac68e7738 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -1214,4 +1214,46 @@ void fs_chroot(const char *rootdir) {
1214	}	1214	}
1215	#endif	1215	#endif
1216		1216
		1217	// this function is called from sandbox.c before blacklist/whitelist functions
		1218	void fs_private_tmp(void) {
		1219	// check XAUTHORITY file, KDE keeps it under /tmp
		1220	char *xauth = getenv("XAUTHORITY");
		1221	if (xauth) {
		1222	char *rp = realpath(xauth, NULL);
		1223	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
		1224	char *cmd;
		1225	if (asprintf(&cmd, "whitelist %s", rp) == -1)
		1226	errExit("asprintf");
		1227	profile_add(cmd); // profile_add does not duplicate the string
		1228	}
		1229	if (rp)
		1230	free(rp);
		1231	}
		1232
		1233	// whitelist x11 directory
		1234	profile_add("whitelist /tmp/.X11-unix");
		1235
		1236	// whitelist any pulse* file in /tmp directory
		1237	// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
		1238	DIR *dir;
		1239	if (!(dir = opendir("/tmp"))) {
		1240	// sleep 2 seconds and try again
		1241	sleep(2);
		1242	if (!(dir = opendir("/tmp"))) {
		1243	return;
		1244	}
		1245	}
1217		1246
		1247	struct dirent *entry;
		1248	while ((entry = readdir(dir))) {
		1249	if (strncmp(entry->d_name, "pulse-", 6) == 0) {
		1250	char *cmd;
		1251	if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
		1252	errExit("asprintf");
		1253	profile_add(cmd); // profile_add does not duplicate the string
		1254	}
		1255	}
		1256	closedir(dir);
		1257
		1258
		1259	}


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 35ca4ff2d..e6deddac5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -741,21 +741,7 @@ int sandbox(void* sandbox_arg) {
741	else {	741	else {
742	// private-tmp is implemented as a whitelist	742	// private-tmp is implemented as a whitelist
743	EUID_USER();	743	EUID_USER();
744	// check XAUTHORITY file, KDE keeps it under /tmp	744	fs_private_tmp();
745	char *xauth = getenv("XAUTHORITY");
746	if (xauth) {
747	char *rp = realpath(xauth, NULL);
748	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
749	char *cmd;
750	if (asprintf(&cmd, "whitelist %s", rp) == -1)
751	errExit("asprintf");
752	profile_add(cmd); // profile_add does not duplicate the string
753	}
754	if (rp)
755	free(rp);
756	}
757	// whitelist x11 directory
758	profile_add("whitelist /tmp/.X11-unix");
759	EUID_ROOT();	745	EUID_ROOT();
760	}	746	}
761	}	747	}