merge #1100 from zackw: rework xpra and xephyr detection

author: netblue30 <netblue30@yahoo.com> 2017-02-15 08:12:41 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-02-15 08:12:41 -0500
commit: a73a89f3c403d61e8b5588b759e4438b4206e2e3 (patch)
tree: b28dcd5b07ec631c573dc4f88027045f64de4605 /src
parent: merge #1100 from zackw: rework DISPLAY environment parsing, rework masking X... (diff)
download: firejail-a73a89f3c403d61e8b5588b759e4438b4206e2e3.tar.gz
firejail-a73a89f3c403d61e8b5588b759e4438b4206e2e3.tar.zst
firejail-a73a89f3c403d61e8b5588b759e4438b4206e2e3.zip
1 files changed, 4 insertions, 74 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index b551a2d2a..f81a52b70 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -32,28 +32,6 @@
 int mask_x11_abstract_socket = 0;
 #ifdef HAVE_X11
-// return 1 if xpra is installed on the system
-static int x11_check_xpra(void) {
-        struct stat s;
-        
-        // check xpra
-        if (stat("/usr/bin/xpra", &s) == -1)
-                return 0;
-        return 1;
-}
-// return 1 if xephyr is installed on the system
-static int x11_check_xephyr(void) {
-        struct stat s;
-        
-        // check xephyr
-        if (stat("/usr/bin/Xephyr", &s) == -1)
-                return 0;
-        return 1;
-}
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
        char *path;
@@ -205,54 +183,6 @@ void fs_x11(void) {
                if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
                        errExit("mount");
                fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-#if 0
-        // keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR
-        int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
-        if (rv == -1)
-                errExit("mkdir");
-        if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777))
-                errExit("set_perms");
-        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        // mount tmpfs on /tmp/.X11-unix
-        if (arg_debug || arg_debug_whitelists)
-                printf("Mounting tmpfs on /tmp/.X11-unix directory\n");
-        if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                errExit("mounting tmpfs on /tmp");
-        fs_logger("tmpfs /tmp/.X11-unix");
-        // create an empty file
-        /* coverity[toctou] */
-        FILE *fp = fopen(x11file, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
-                exit(1);
-        }
-        // set file properties
-        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
-        fclose(fp);
-        // mount
-        char *wx11file;
-        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-                errExit("asprintf");
-        if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-         fs_logger2("whitelist", x11file);
-        free(x11file);
-        free(wx11file);
-        
-        // block access to RUN_WHITELIST_X11_DIR
-         if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, "none", MS_BIND, "mode=400,gid=0") == -1)
-                errExit("mount");
-         fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-#endif
 #endif
 }
@@ -277,7 +207,7 @@ void x11_start_xephyr(int argc, char **argv) {
        drop_privs(0);
        // check xephyr
-        if (x11_check_xephyr() == 0) {
+        if (!program_in_path("Xephyr")) {
                fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n");
                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
                fprintf(stderr, "   Arch: sudo pacman -S xorg-server-xephyr\n");
@@ -477,7 +407,7 @@ void x11_start_xpra(int argc, char **argv) {
        drop_privs(0);
        // check xpra
-        if (x11_check_xpra() == 0) {
+        if (!program_in_path("xpra")) {
                fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
                exit(0);
@@ -670,9 +600,9 @@ void x11_start(int argc, char **argv) {
        }
        // check xpra
-        if (x11_check_xpra() == 1)
+        if (program_in_path("xpra"))
                x11_start_xpra(argc, argv);
-        else if (x11_check_xephyr() == 1)
+        else if (program_in_path("Xephyr"))
                x11_start_xephyr(argc, argv);
        else {
                fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n");
author	netblue30 <netblue30@yahoo.com>	2017-02-15 08:12:41 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-02-15 08:12:41 -0500
commit	a73a89f3c403d61e8b5588b759e4438b4206e2e3 (patch)
tree	b28dcd5b07ec631c573dc4f88027045f64de4605 /src
parent	merge #1100 from zackw: rework DISPLAY environment parsing, rework masking X... (diff)
download	firejail-a73a89f3c403d61e8b5588b759e4438b4206e2e3.tar.gz firejail-a73a89f3c403d61e8b5588b759e4438b4206e2e3.tar.zst firejail-a73a89f3c403d61e8b5588b759e4438b4206e2e3.zip

diff --git a/src/firejail/x11.c b/src/firejail/x11.c index b551a2d2a..f81a52b70 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -32,28 +32,6 @@
32	int mask_x11_abstract_socket = 0;	32	int mask_x11_abstract_socket = 0;
33		33
34	#ifdef HAVE_X11	34	#ifdef HAVE_X11
35	// return 1 if xpra is installed on the system
36	static int x11_check_xpra(void) {
37	struct stat s;
38
39	// check xpra
40	if (stat("/usr/bin/xpra", &s) == -1)
41	return 0;
42
43	return 1;
44	}
45
46	// return 1 if xephyr is installed on the system
47	static int x11_check_xephyr(void) {
48	struct stat s;
49
50	// check xephyr
51	if (stat("/usr/bin/Xephyr", &s) == -1)
52	return 0;
53
54	return 1;
55	}
56
57	// check for X11 abstract sockets	35	// check for X11 abstract sockets
58	static int x11_abstract_sockets_present(void) {	36	static int x11_abstract_sockets_present(void) {
59	char *path;	37	char *path;
@@ -205,54 +183,6 @@ void fs_x11(void) {
205	if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)	183	if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
206	errExit("mount");	184	errExit("mount");
207	fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);	185	fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
208
209
210	#if 0
211	// keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR
212	int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
213	if (rv == -1)
214	errExit("mkdir");
215	if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777))
216	errExit("set_perms");
217
218	if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)
219	errExit("mount bind");
220
221	// mount tmpfs on /tmp/.X11-unix
222	if (arg_debug \|\| arg_debug_whitelists)
223	printf("Mounting tmpfs on /tmp/.X11-unix directory\n");
224	if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=1777,gid=0") < 0)
225	errExit("mounting tmpfs on /tmp");
226	fs_logger("tmpfs /tmp/.X11-unix");
227
228	// create an empty file
229	/* coverity[toctou] */
230	FILE *fp = fopen(x11file, "w");
231	if (!fp) {
232	fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
233	exit(1);
234	}
235	// set file properties
236	SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
237	fclose(fp);
238
239	// mount
240	char *wx11file;
241	if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
242	errExit("asprintf");
243	if (mount(wx11file, x11file, NULL, MS_BIND\|MS_REC, NULL) < 0)
244	errExit("mount bind");
245	fs_logger2("whitelist", x11file);
246
247	free(x11file);
248	free(wx11file);
249
250	// block access to RUN_WHITELIST_X11_DIR
251	if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, "none", MS_BIND, "mode=400,gid=0") == -1)
252	errExit("mount");
253	fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
254	#endif
255
256	#endif	186	#endif
257	}	187	}
258		188
@@ -277,7 +207,7 @@ void x11_start_xephyr(int argc, char **argv) {
277	drop_privs(0);	207	drop_privs(0);
278		208
279	// check xephyr	209	// check xephyr
280	if (x11_check_xephyr() == 0) {	210	if (!program_in_path("Xephyr")) {
281	fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n");	211	fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n");
282	fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");	212	fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
283	fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n");	213	fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n");
@@ -477,7 +407,7 @@ void x11_start_xpra(int argc, char **argv) {
477	drop_privs(0);	407	drop_privs(0);
478		408
479	// check xpra	409	// check xpra
480	if (x11_check_xpra() == 0) {	410	if (!program_in_path("xpra")) {
481	fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");	411	fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
482	fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n");	412	fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
483	exit(0);	413	exit(0);
@@ -670,9 +600,9 @@ void x11_start(int argc, char **argv) {
670	}	600	}
671		601
672	// check xpra	602	// check xpra
673	if (x11_check_xpra() == 1)	603	if (program_in_path("xpra"))
674	x11_start_xpra(argc, argv);	604	x11_start_xpra(argc, argv);
675	else if (x11_check_xephyr() == 1)	605	else if (program_in_path("Xephyr"))
676	x11_start_xephyr(argc, argv);	606	x11_start_xephyr(argc, argv);
677	else {	607	else {
678	fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n");	608	fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n");