diff options
author | smitsohu <smitsohu@gmail.com> | 2020-08-17 16:40:52 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-08-17 16:40:52 +0200 |
commit | 7d0800682ab3a74e3d463836cd2ca5cd697d542c (patch) | |
tree | c1099688e259a1d03ffc633778de2ce836f03db4 /src/include/rundefs.h | |
parent | hardening: run plugins with dumpable flag cleared (diff) | |
download | firejail-7d0800682ab3a74e3d463836cd2ca5cd697d542c.tar.gz firejail-7d0800682ab3a74e3d463836cd2ca5cd697d542c.tar.zst firejail-7d0800682ab3a74e3d463836cd2ca5cd697d542c.zip |
various x11 xorg enhancements
1) copy xauth binary into the sandbox and set mode to 0711, so it runs
with cleared dumpable flag for unprivileged users
2) run xauth in an sbox sandbox
3) generate Xauthority file in runtime directory instead of /tmp;
this way xauth is able to connect to the X11 socket even if the
abstract socket doesn't exist, for example because a new network
namespace was instantiated
Diffstat (limited to 'src/include/rundefs.h')
-rw-r--r-- | src/include/rundefs.h | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index f8bcdec52..d56623907 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -99,8 +99,9 @@ | |||
99 | #define RUN_WHITELIST_SHARE_DIR RUN_MNT_DIR "/orig-share" | 99 | #define RUN_WHITELIST_SHARE_DIR RUN_MNT_DIR "/orig-share" |
100 | #define RUN_WHITELIST_MODULE_DIR RUN_MNT_DIR "/orig-module" | 100 | #define RUN_WHITELIST_MODULE_DIR RUN_MNT_DIR "/orig-module" |
101 | 101 | ||
102 | #define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" | 102 | #define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" // private options |
103 | #define RUN_XAUTHORITY_SEC_FILE RUN_MNT_DIR "/sec.Xauthority" | 103 | #define RUN_XAUTH_FILE RUN_MNT_DIR "/xauth" // x11=xorg |
104 | #define RUN_XAUTHORITY_SEC_DIR RUN_MNT_DIR "/.sec.Xauthority" // x11=xorg | ||
104 | #define RUN_ASOUNDRC_FILE RUN_MNT_DIR "/.asoundrc" | 105 | #define RUN_ASOUNDRC_FILE RUN_MNT_DIR "/.asoundrc" |
105 | #define RUN_HOSTNAME_FILE RUN_MNT_DIR "/hostname" | 106 | #define RUN_HOSTNAME_FILE RUN_MNT_DIR "/hostname" |
106 | #define RUN_HOSTS_FILE RUN_MNT_DIR "/hosts" | 107 | #define RUN_HOSTS_FILE RUN_MNT_DIR "/hosts" |