author | netblue30 <netblue30@yahoo.com> | 2017-04-30 11:51:30 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-04-30 11:51:30 -0400 |
commit | a2e9b0709309f81050cbba8dd8e9b970fd361e91 (patch) | |
tree | bf33918d801f8d2bddaf778994863d9f10b4821a /src | |
parent | Added galculator profile (diff) | |
download | firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.tar.gz firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.tar.zst firejail-a2e9b0709309f81050cbba8dd8e9b970fd361e91.zip |
allow PulseAudio sockets in --private-tmp
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 42 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 16 | ||||
-rw-r--r-- | src/man/firejail.txt | 14 |
4 files changed, 57 insertions, 16 deletions
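--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -408,6 +408,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 
 // profile.c
 // find and read the profile specified by name from dir directory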
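Review bot: The new `fs_private_tmp` prototype has no comment, while `fs_chroot` just above it documents what the function does. The sandbox.c caller wraps the call in `EUID_USER()` / `EUID_ROOT()`, and the function resolves a path taken from the XAUTHORITY environment variable, so the privilege requirement is worth stating at the declaration. For example: `// build the --private-tmp whitelist (XAUTHORITY, /tmp/.X11-unix, /tmp/pulse-*); must run with user privileges`.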
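--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1214,4 +1214,46 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
 
+// this function is called from sandbox.c before blacklist/whitelist functions
+void fs_private_tmp(void) {
+// check XAUTHORITY file, KDE keeps it under /tmp
+char *xauth = getenv("XAUTHORITY");
+if (xauth) {
+char *rp = realpath(xauth, NULL);
+if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+char *cmd;
+if (asprintf(&cmd, "whitelist %s", rp) == -1)
+errExit("asprintf");
+profile_add(cmd); // profile_add does not duplicate the string
+}
+if (rp)
+free(rp);
+}
+
+// whitelist x11 directory
+profile_add("whitelist /tmp/.X11-unix");
+
+// whitelist any pulse* file in /tmp directory
+// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
+DIR *dir;
+if (!(dir = opendir("/tmp"))) {
+// sleep 2 seconds and try again
+sleep(2);
+if (!(dir = opendir("/tmp"))) {
+return;
+}
+}
 
+struct dirent *entry;
+while ((entry = readdir(dir))) {
+if (strncmp(entry->d_name, "pulse-", 6) == 0) {
+char *cmd;
+if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
+errExit("asprintf");
+profile_add(cmd); // profile_add does not duplicate the string
+}
+}
+closedir(dir);
+
+
+}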
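Review bot: The `pulse-` prefix match in the `readdir` loop whitelists every /tmp entry whose name starts with that prefix, whatever its type or owner. Because /tmp is world-writable, entries created by other local users, or symlinks, would also be carried into the private /tmp. Checking each entry with `fstatat(..., AT_SYMLINK_NOFOLLOW)` and keeping only directories owned by `getuid()` would limit the whitelist to the caller's own PulseAudio runtime directories; how the whitelist code later treats symlinks and ownership is outside this hunk, so part of this may already be covered there. Separately, the second `opendir` failure returns silently, leaving the sandbox without the PulseAudio entries and without a diagnostic, and the comment should read `/run/user` rather than `/urn/user`.

```c
// … unchanged: XAUTHORITY and /tmp/.X11-unix whitelisting, opendir("/tmp") with retry …
	struct dirent *entry;
	while ((entry = readdir(dir))) {
		if (strncmp(entry->d_name, "pulse-", 6) != 0)
			continue;

		// keep only real directories owned by the calling user;
		// do not follow symlinks placed in the shared /tmp
		struct stat s;
		if (fstatat(dirfd(dir), entry->d_name, &s, AT_SYMLINK_NOFOLLOW) == -1)
			continue;
		if (!S_ISDIR(s.st_mode) || s.st_uid != getuid())
			continue;

		char *cmd;
		if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
			errExit("asprintf");
		profile_add(cmd); // profile_add does not duplicate the string
	}
	closedir(dir);
```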
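--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -741,21 +741,7 @@ int sandbox(void* sandbox_arg) {
 else {
 // private-tmp is implemented as a whitelist
 EUID_USER();
-// check XAUTHORITY file, KDE keeps it under /tmp
-char *xauth = getenv("XAUTHORITY");
-if (xauth) {
-char *rp = realpath(xauth, NULL);
-if (rp && strncmp(rp, "/tmp/", 5) == 0) {
-char *cmd;
-if (asprintf(&cmd, "whitelist %s", rp) == -1)
-errExit("asprintf");
-profile_add(cmd); // profile_add does not duplicate the string
-}
-if (rp)
-free(rp);
-}
-// whitelist x11 directory
-profile_add("whitelist /tmp/.X11-unix");
+fs_private_tmp();
 EUID_ROOT();
 }
 }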
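--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1278,13 +1278,25 @@ Example:
 
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting X11 and PulseAudio sockets.
 .br
 
 .br
 Example:
 .br
 $ firejail \-\-private-tmp
+.br
+$ ls -al /tmp
+.br
+drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
+.br
+drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
+.br
+drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
+.br
+drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
+.br
+
 
 .TP
 \fB\-\-profile=filename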