diff options
author | startx2017 <vradu.startx@yandex.com> | 2017-08-15 09:34:47 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-08-15 09:34:47 -0400 |
commit | 369458e299696f7badf7d0d72ec0e90cdd91f201 (patch) | |
tree | e9e572780a6d4299f172abb5cfe1ddfffc362d7d /src | |
parent | update RELNOTES/Readme.md/--help; man page update for #1439 (diff) | |
download | firejail-369458e299696f7badf7d0d72ec0e90cdd91f201.tar.gz firejail-369458e299696f7badf7d0d72ec0e90cdd91f201.tar.zst firejail-369458e299696f7badf7d0d72ec0e90cdd91f201.zip |
fix #1462
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 9 | ||||
-rw-r--r-- | src/firejail/join.c | 37 | ||||
-rw-r--r-- | src/firejail/x11.c | 6 |
3 files changed, 47 insertions, 5 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5f16d1a5d..b31d1365c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -670,6 +670,15 @@ void fs_mkdir(const char *name); | |||
670 | void fs_mkfile(const char *name); | 670 | void fs_mkfile(const char *name); |
671 | 671 | ||
672 | // x11.c | 672 | // x11.c |
673 | |||
674 | // X11 display range as assigned by --x11 options | ||
675 | // We try display numbers in the range 21 through 1000. | ||
676 | // Normal X servers typically use displays in the 0-10 range; | ||
677 | // ssh's X11 forwarding uses 10-20, and login screens | ||
678 | // (e.g. gdm3) may use displays above 1000. | ||
679 | #define X11_DISPLAY_START 21 | ||
680 | #define X11_DISPLAY_END 1000 | ||
681 | |||
673 | void fs_x11(void); | 682 | void fs_x11(void); |
674 | int x11_display(void); | 683 | int x11_display(void); |
675 | void x11_start(int argc, char **argv); | 684 | void x11_start(int argc, char **argv); |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 4c0537413..84bd80364 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -28,6 +28,7 @@ | |||
28 | static int apply_caps = 0; | 28 | static int apply_caps = 0; |
29 | static uint64_t caps = 0; | 29 | static uint64_t caps = 0; |
30 | static int apply_seccomp = 0; | 30 | static int apply_seccomp = 0; |
31 | static unsigned display = 0; | ||
31 | #define BUFLEN 4096 | 32 | #define BUFLEN 4096 |
32 | 33 | ||
33 | static void signal_handler(int sig){ | 34 | static void signal_handler(int sig){ |
@@ -36,6 +37,30 @@ static void signal_handler(int sig){ | |||
36 | exit(sig); | 37 | exit(sig); |
37 | } | 38 | } |
38 | 39 | ||
40 | |||
41 | |||
42 | static void extract_x11_display(pid_t pid) { | ||
43 | char *fname; | ||
44 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) | ||
45 | errExit("asprintf"); | ||
46 | |||
47 | FILE *fp = fopen(fname, "r"); | ||
48 | free(fname); | ||
49 | if (!fp) | ||
50 | return; | ||
51 | |||
52 | if (1 != fscanf(fp, "%d", &display)) { | ||
53 | fprintf(stderr, "Error: cannot read X11 display file\n"); | ||
54 | return; | ||
55 | } | ||
56 | |||
57 | // check display range | ||
58 | if (display < X11_DISPLAY_START || display > X11_DISPLAY_END) { | ||
59 | fprintf(stderr, "Error: invalid X11 display range\n"); | ||
60 | return; | ||
61 | } | ||
62 | } | ||
63 | |||
39 | static void extract_command(int argc, char **argv, int index) { | 64 | static void extract_command(int argc, char **argv, int index) { |
40 | EUID_ASSERT(); | 65 | EUID_ASSERT(); |
41 | if (index >= argc) | 66 | if (index >= argc) |
@@ -176,6 +201,7 @@ static void extract_user_namespace(pid_t pid) { | |||
176 | void join(pid_t pid, int argc, char **argv, int index) { | 201 | void join(pid_t pid, int argc, char **argv, int index) { |
177 | EUID_ASSERT(); | 202 | EUID_ASSERT(); |
178 | char *homedir = cfg.homedir; | 203 | char *homedir = cfg.homedir; |
204 | pid_t parent = pid; | ||
179 | 205 | ||
180 | extract_command(argc, argv, index); | 206 | extract_command(argc, argv, index); |
181 | signal (SIGTERM, signal_handler); | 207 | signal (SIGTERM, signal_handler); |
@@ -206,6 +232,8 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
206 | } | 232 | } |
207 | } | 233 | } |
208 | 234 | ||
235 | extract_x11_display(parent); | ||
236 | |||
209 | EUID_ROOT(); | 237 | EUID_ROOT(); |
210 | // in user mode set caps seccomp, cpu, cgroup, etc | 238 | // in user mode set caps seccomp, cpu, cgroup, etc |
211 | if (getuid() != 0) { | 239 | if (getuid() != 0) { |
@@ -316,7 +344,16 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
316 | } | 344 | } |
317 | } | 345 | } |
318 | 346 | ||
347 | // set environment, add x11 display | ||
319 | env_defaults(); | 348 | env_defaults(); |
349 | if (display) { | ||
350 | char *display_str; | ||
351 | if (asprintf(&display_str, ":%d", display) == -1) | ||
352 | errExit("asprintf"); | ||
353 | setenv("DISPLAY", display_str, 1); | ||
354 | free(display_str); | ||
355 | } | ||
356 | |||
320 | if (cfg.command_line == NULL) { | 357 | if (cfg.command_line == NULL) { |
321 | assert(cfg.shell); | 358 | assert(cfg.shell); |
322 | cfg.command_line = cfg.shell; | 359 | cfg.command_line = cfg.shell; |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 74b8d5b5c..d41f46d93 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -134,11 +134,7 @@ static int random_display_number(void) { | |||
134 | errExit("socket"); | 134 | errExit("socket"); |
135 | 135 | ||
136 | for (i = 0; i < 100; i++) { | 136 | for (i = 0; i < 100; i++) { |
137 | // We try display numbers in the range 21 through 1000. | 137 | display = rand() % (X11_DISPLAY_END - X11_DISPLAY_START) + X11_DISPLAY_START; |
138 | // Normal X servers typically use displays in the 0-10 range; | ||
139 | // ssh's X11 forwarding uses 10-20, and login screens | ||
140 | // (e.g. gdm3) may use displays above 1000. | ||
141 | display = rand() % 979 + 21; | ||
142 | 138 | ||
143 | // The display number might be claimed by a server listening | 139 | // The display number might be claimed by a server listening |
144 | // in _either_ the normal or the abstract namespace; they | 140 | // in _either_ the normal or the abstract namespace; they |