add x11=block option

author: Aleksey Manevich <manevich.aleksey@gmail.com> 2016-09-10 21:16:09 +0300
committer: Aleksey Manevich <manevich.aleksey@gmail.com> 2016-09-10 21:16:09 +0300
commit: 85195f55733b5a369ddbc335393b3a16e10647a5 (patch)
tree: f8d02e95033d6127761155ed8591a604a16150a2 /src
parent: 0.9.42 testing - CentOS 6 (diff)
download: firejail-85195f55733b5a369ddbc335393b3a16e10647a5.tar.gz
firejail-85195f55733b5a369ddbc335393b3a16e10647a5.tar.zst
firejail-85195f55733b5a369ddbc335393b3a16e10647a5.zip
4 files changed, 104 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 776bfbc74..ed9d901c0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -315,6 +315,7 @@ extern int arg_audit;		// audit
 extern char *arg_audit_prog;    // audit
 extern int arg_apparmor;        // apparmor
 extern int arg_allow_debuggers; // allow debuggers
+extern int arg_x11_block;       // block X11
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -623,6 +624,7 @@ int x11_display(void);
 void x11_start(int argc, char **argv);
 void x11_start_xpra(int argc, char **argv);
 void x11_start_xephyr(int argc, char **argv);
+void x11_block(void);
 // ls.c
 #define SANDBOX_FS_LS 0
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 569fc7add..e171919d1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -105,6 +105,7 @@ int arg_audit = 0;				// audit
 char *arg_audit_prog = NULL;                    // audit
 int arg_apparmor = 0;                           // apparmor
 int arg_allow_debuggers = 0;                    // allow debuggers
+int arg_x11_block = 0;                          // block X11
 int login_shell = 0;
 int parent_to_child_fds[2];
@@ -2118,6 +2119,9 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+                else if (strcmp(argv[i], "--x11=block") == 0) {
+                        arg_x11_block = 1;
+                }
                else if (strcmp(argv[i], "--") == 0) {
                        // double dash - positional params to follow
                        arg_doubledash = 1;
@@ -2284,6 +2288,10 @@ int main(int argc, char **argv) {
                }
        }
+        // block X11 sockets
+        if (arg_x11_block)
+                x11_block();
        // check network configuration options - it will exit if anything went wrong
        net_check_cfg();
        
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a516f3216..00301037f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -625,6 +625,45 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_private = 1;
                return 0;
        }
+        if (strcmp(ptr, "x11 block") == 0) {
+#ifdef HAVE_X11
+                arg_x11_block = 1;
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xephyr") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0)
+                                return 0;
+                        else {
+                                // start x11
+                                x11_start_xephyr(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xpra") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0)
+                                return 0;
+                        else {
+                                // start x11
+                                x11_start_xpra(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+#endif
+                return 0;
+        }
        
        if (strcmp(ptr, "x11") == 0) {
 #ifdef HAVE_X11
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 5c6f045e7..29111d5ff 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -51,6 +51,27 @@ static int x11_check_xephyr(void) {
        return 1;
 }
+// check for X11 abstract sockets
+static int x11_abstract_sockets_present(void) {
+        char *path;
+        FILE *fp = fopen("/proc/net/unix", "r");
+        if (!fp)
+                errExit("fopen");
+        while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) {
+                if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
+                        free(path);
+                        fclose(fp);
+                        return 1;
+                }
+        }
+        free(path);
+        fclose(fp);
+        return 0;
+}
 static int random_display_number(void) {
        int i;
        int found = 1;
@@ -566,3 +587,37 @@ void x11_start(int argc, char **argv) {
 }
 #endif
+void x11_block(void) {
+#ifdef HAVE_X11
+        // check abstract socket presence and network namespace options
+        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+                && x11_abstract_sockets_present()) {
+                fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
+                                                "Additional setup required. To block abstract X11 socket you need either:\n"
+                                                " * use network namespace (--net=none, --net=...)\n"
+                                                " * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
+                exit(1);
+        }
+        // blacklist sockets
+        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
+        profile_add(strdup("blacklist /tmp/.X11-unix"));
+        // blacklist .Xauthority
+        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
+        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+        char *xauthority = getenv("XAUTHORITY");
+        if (xauthority) {
+                char *line;
+                if (asprintf(&line, "blacklist %s", xauthority) == -1)
+                        errExit("asprintf");
+                profile_check_line(line, 0, NULL);
+                profile_add(line);
+        }
+        // clear enviroment
+        env_store("DISPLAY", RMENV);
+        env_store("XAUTHORITY", RMENV);
+#endif
+}
author	Aleksey Manevich <manevich.aleksey@gmail.com>	2016-09-10 21:16:09 +0300
committer	Aleksey Manevich <manevich.aleksey@gmail.com>	2016-09-10 21:16:09 +0300
commit	85195f55733b5a369ddbc335393b3a16e10647a5 (patch)
tree	f8d02e95033d6127761155ed8591a604a16150a2 /src
parent	0.9.42 testing - CentOS 6 (diff)
download	firejail-85195f55733b5a369ddbc335393b3a16e10647a5.tar.gz firejail-85195f55733b5a369ddbc335393b3a16e10647a5.tar.zst firejail-85195f55733b5a369ddbc335393b3a16e10647a5.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 776bfbc74..ed9d901c0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -315,6 +315,7 @@ extern int arg_audit; // audit
315	extern char *arg_audit_prog; // audit	315	extern char *arg_audit_prog; // audit
316	extern int arg_apparmor; // apparmor	316	extern int arg_apparmor; // apparmor
317	extern int arg_allow_debuggers; // allow debuggers	317	extern int arg_allow_debuggers; // allow debuggers
		318	extern int arg_x11_block; // block X11
318		319
319	extern int login_shell;	320	extern int login_shell;
320	extern int parent_to_child_fds[2];	321	extern int parent_to_child_fds[2];
@@ -623,6 +624,7 @@ int x11_display(void);
623	void x11_start(int argc, char **argv);	624	void x11_start(int argc, char **argv);
624	void x11_start_xpra(int argc, char **argv);	625	void x11_start_xpra(int argc, char **argv);
625	void x11_start_xephyr(int argc, char **argv);	626	void x11_start_xephyr(int argc, char **argv);
		627	void x11_block(void);
626		628
627	// ls.c	629	// ls.c
628	#define SANDBOX_FS_LS 0	630	#define SANDBOX_FS_LS 0


diff --git a/src/firejail/main.c b/src/firejail/main.c index 569fc7add..e171919d1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -105,6 +105,7 @@ int arg_audit = 0; // audit
105	char *arg_audit_prog = NULL; // audit	105	char *arg_audit_prog = NULL; // audit
106	int arg_apparmor = 0; // apparmor	106	int arg_apparmor = 0; // apparmor
107	int arg_allow_debuggers = 0; // allow debuggers	107	int arg_allow_debuggers = 0; // allow debuggers
		108	int arg_x11_block = 0; // block X11
108	int login_shell = 0;	109	int login_shell = 0;
109		110
110	int parent_to_child_fds[2];	111	int parent_to_child_fds[2];
@@ -2118,6 +2119,9 @@ int main(int argc, char **argv) {
2118	return 1;	2119	return 1;
2119	}	2120	}
2120	}	2121	}
		2122	else if (strcmp(argv[i], "--x11=block") == 0) {
		2123	arg_x11_block = 1;
		2124	}
2121	else if (strcmp(argv[i], "--") == 0) {	2125	else if (strcmp(argv[i], "--") == 0) {
2122	// double dash - positional params to follow	2126	// double dash - positional params to follow
2123	arg_doubledash = 1;	2127	arg_doubledash = 1;
@@ -2284,6 +2288,10 @@ int main(int argc, char **argv) {
2284	}	2288	}
2285	}	2289	}
2286		2290
		2291	// block X11 sockets
		2292	if (arg_x11_block)
		2293	x11_block();
		2294
2287	// check network configuration options - it will exit if anything went wrong	2295	// check network configuration options - it will exit if anything went wrong
2288	net_check_cfg();	2296	net_check_cfg();
2289		2297


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a516f3216..00301037f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -625,6 +625,45 @@ int profile_check_line(char ptr, int lineno, const char fname) {
625	arg_private = 1;	625	arg_private = 1;
626	return 0;	626	return 0;
627	}	627	}
		628
		629	if (strcmp(ptr, "x11 block") == 0) {
		630	#ifdef HAVE_X11
		631	arg_x11_block = 1;
		632	#endif
		633	return 0;
		634	}
		635
		636	if (strcmp(ptr, "x11 xephyr") == 0) {
		637	#ifdef HAVE_X11
		638	if (checkcfg(CFG_X11)) {
		639	char *x11env = getenv("FIREJAIL_X11");
		640	if (x11env && strcmp(x11env, "yes") == 0)
		641	return 0;
		642	else {
		643	// start x11
		644	x11_start_xephyr(cfg.original_argc, cfg.original_argv);
		645	exit(0);
		646	}
		647	}
		648	#endif
		649	return 0;
		650	}
		651
		652	if (strcmp(ptr, "x11 xpra") == 0) {
		653	#ifdef HAVE_X11
		654	if (checkcfg(CFG_X11)) {
		655	char *x11env = getenv("FIREJAIL_X11");
		656	if (x11env && strcmp(x11env, "yes") == 0)
		657	return 0;
		658	else {
		659	// start x11
		660	x11_start_xpra(cfg.original_argc, cfg.original_argv);
		661	exit(0);
		662	}
		663	}
		664	#endif
		665	return 0;
		666	}
628		667
629	if (strcmp(ptr, "x11") == 0) {	668	if (strcmp(ptr, "x11") == 0) {
630	#ifdef HAVE_X11	669	#ifdef HAVE_X11


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 5c6f045e7..29111d5ff 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -51,6 +51,27 @@ static int x11_check_xephyr(void) {
51	return 1;	51	return 1;
52	}	52	}
53		53
		54	// check for X11 abstract sockets
		55	static int x11_abstract_sockets_present(void) {
		56	char *path;
		57	FILE *fp = fopen("/proc/net/unix", "r");
		58	if (!fp)
		59	errExit("fopen");
		60
		61	while (fscanf(fp, "%s %s %s %s %s %s %*s %ms\n", &path) != EOF) {
		62	if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
		63	free(path);
		64	fclose(fp);
		65	return 1;
		66	}
		67	}
		68
		69	free(path);
		70	fclose(fp);
		71
		72	return 0;
		73	}
		74
54	static int random_display_number(void) {	75	static int random_display_number(void) {
55	int i;	76	int i;
56	int found = 1;	77	int found = 1;
@@ -566,3 +587,37 @@ void x11_start(int argc, char **argv) {
566	}	587	}
567		588
568	#endif	589	#endif
		590
		591	void x11_block(void) {
		592	#ifdef HAVE_X11
		593	// check abstract socket presence and network namespace options
		594	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
		595	&& x11_abstract_sockets_present()) {
		596	fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
		597	"Additional setup required. To block abstract X11 socket you need either:\n"
		598	" * use network namespace (--net=none, --net=...)\n"
		599	" * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
		600	exit(1);
		601	}
		602
		603	// blacklist sockets
		604	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
		605	profile_add(strdup("blacklist /tmp/.X11-unix"));
		606
		607	// blacklist .Xauthority
		608	profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
		609	profile_add(strdup("blacklist ${HOME}/.Xauthority"));
		610	char *xauthority = getenv("XAUTHORITY");
		611	if (xauthority) {
		612	char *line;
		613	if (asprintf(&line, "blacklist %s", xauthority) == -1)
		614	errExit("asprintf");
		615	profile_check_line(line, 0, NULL);
		616	profile_add(line);
		617	}
		618
		619	// clear enviroment
		620	env_store("DISPLAY", RMENV);
		621	env_store("XAUTHORITY", RMENV);
		622	#endif
		623	}