diff options
author | netblue30 <netblue30@yahoo.com> | 2016-06-23 08:42:00 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-06-23 08:42:00 -0400 |
commit | fbf0ca925f15b6e32919cc2fc68be3245f46e9e7 (patch) | |
tree | 0cc25e2e3d396123da66c3bf5ad2232a8bf05686 /src | |
parent | libreoffice fix (diff) | |
download | firejail-fbf0ca925f15b6e32919cc2fc68be3245f46e9e7.tar.gz firejail-fbf0ca925f15b6e32919cc2fc68be3245f46e9e7.tar.zst firejail-fbf0ca925f15b6e32919cc2fc68be3245f46e9e7.zip |
x11/chroot fix
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 32 | ||||
-rw-r--r-- | src/firejail/x11.c | 3 |
2 files changed, 30 insertions, 5 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7811fd2a2..be77dfa85 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1006,7 +1006,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1006 | } | 1006 | } |
1007 | free(name); | 1007 | free(name); |
1008 | 1008 | ||
1009 | // check /proc | 1009 | // check /tmp |
1010 | if (asprintf(&name, "%s/tmp", rootdir) == -1) | 1010 | if (asprintf(&name, "%s/tmp", rootdir) == -1) |
1011 | errExit("asprintf"); | 1011 | errExit("asprintf"); |
1012 | if (stat(name, &s) == -1) { | 1012 | if (stat(name, &s) == -1) { |
@@ -1014,7 +1014,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1014 | return 1; | 1014 | return 1; |
1015 | } | 1015 | } |
1016 | free(name); | 1016 | free(name); |
1017 | 1017 | ||
1018 | // check /bin/bash | 1018 | // check /bin/bash |
1019 | if (asprintf(&name, "%s/bin/bash", rootdir) == -1) | 1019 | if (asprintf(&name, "%s/bin/bash", rootdir) == -1) |
1020 | errExit("asprintf"); | 1020 | errExit("asprintf"); |
@@ -1024,6 +1024,18 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1024 | } | 1024 | } |
1025 | free(name); | 1025 | free(name); |
1026 | 1026 | ||
1027 | // check x11 socket directory | ||
1028 | if (getenv("FIREJAIL_X11")) { | ||
1029 | char *name; | ||
1030 | if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1) | ||
1031 | errExit("asprintf"); | ||
1032 | if (stat(name, &s) == -1) { | ||
1033 | fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n"); | ||
1034 | return 1; | ||
1035 | } | ||
1036 | free(name); | ||
1037 | } | ||
1038 | |||
1027 | return 0; | 1039 | return 0; |
1028 | } | 1040 | } |
1029 | 1041 | ||
@@ -1031,10 +1043,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1031 | void fs_chroot(const char *rootdir) { | 1043 | void fs_chroot(const char *rootdir) { |
1032 | assert(rootdir); | 1044 | assert(rootdir); |
1033 | 1045 | ||
1034 | //*********************************** | ||
1035 | // mount-bind a /dev in rootdir | 1046 | // mount-bind a /dev in rootdir |
1036 | //*********************************** | ||
1037 | // mount /dev | ||
1038 | char *newdev; | 1047 | char *newdev; |
1039 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) | 1048 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) |
1040 | errExit("asprintf"); | 1049 | errExit("asprintf"); |
@@ -1042,6 +1051,19 @@ void fs_chroot(const char *rootdir) { | |||
1042 | printf("Mounting /dev on %s\n", newdev); | 1051 | printf("Mounting /dev on %s\n", newdev); |
1043 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) | 1052 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) |
1044 | errExit("mounting /dev"); | 1053 | errExit("mounting /dev"); |
1054 | free(newdev); | ||
1055 | |||
1056 | // x11 | ||
1057 | if (getenv("FIREJAIL_X11")) { | ||
1058 | char *newx11; | ||
1059 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) | ||
1060 | errExit("asprintf"); | ||
1061 | if (arg_debug) | ||
1062 | printf("Mounting /tmp/.X11-unix on %s\n", newdev); | ||
1063 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1064 | errExit("mounting /tmp/.X11-unix"); | ||
1065 | free(newx11); | ||
1066 | } | ||
1045 | 1067 | ||
1046 | // some older distros don't have a /run directory | 1068 | // some older distros don't have a /run directory |
1047 | // create one by default | 1069 | // create one by default |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index c742ff567..2accaeb71 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -168,6 +168,8 @@ void x11_start_xephyr(int argc, char **argv) { | |||
168 | pid_t server = 0; | 168 | pid_t server = 0; |
169 | 169 | ||
170 | 170 | ||
171 | setenv("FIREJAIL_X11", "yes", 1); | ||
172 | |||
171 | // unfortunately, xephyr does a number of weird things when started by root user!!! | 173 | // unfortunately, xephyr does a number of weird things when started by root user!!! |
172 | if (getuid() == 0) { | 174 | if (getuid() == 0) { |
173 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); | 175 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); |
@@ -296,6 +298,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
296 | pid_t client = 0; | 298 | pid_t client = 0; |
297 | pid_t server = 0; | 299 | pid_t server = 0; |
298 | 300 | ||
301 | setenv("FIREJAIL_X11", "yes", 1); | ||
299 | 302 | ||
300 | // unfortunately, xpra does a number of weird things when started by root user!!! | 303 | // unfortunately, xpra does a number of weird things when started by root user!!! |
301 | if (getuid() == 0) { | 304 | if (getuid() == 0) { |