Merge pull request #773 from manevich/x11

Add option to block X11
author: netblue30 <netblue30@yahoo.com> 2016-09-11 08:33:06 -0400
committer: GitHub <noreply@github.com> 2016-09-11 08:33:06 -0400
commit: ce420f6102b8f4bd6ea932439a676a26b96aa93b (patch)
tree: d7ae78ad40806445b200c98a4a6d99f26bd230f9 /src
parent: starting new development (diff)
parent: update man (diff)
download: firejail-ce420f6102b8f4bd6ea932439a676a26b96aa93b.tar.gz
firejail-ce420f6102b8f4bd6ea932439a676a26b96aa93b.tar.zst
firejail-ce420f6102b8f4bd6ea932439a676a26b96aa93b.zip
6 files changed, 122 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 776bfbc74..ed9d901c0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -315,6 +315,7 @@ extern int arg_audit;		// audit
 extern char *arg_audit_prog;    // audit
 extern int arg_apparmor;        // apparmor
 extern int arg_allow_debuggers; // allow debuggers
+extern int arg_x11_block;       // block X11
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -623,6 +624,7 @@ int x11_display(void);
 void x11_start(int argc, char **argv);
 void x11_start_xpra(int argc, char **argv);
 void x11_start_xephyr(int argc, char **argv);
+void x11_block(void);
 // ls.c
 #define SANDBOX_FS_LS 0
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 569fc7add..e171919d1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -105,6 +105,7 @@ int arg_audit = 0;				// audit
 char *arg_audit_prog = NULL;                    // audit
 int arg_apparmor = 0;                           // apparmor
 int arg_allow_debuggers = 0;                    // allow debuggers
+int arg_x11_block = 0;                          // block X11
 int login_shell = 0;
 int parent_to_child_fds[2];
@@ -2118,6 +2119,9 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+                else if (strcmp(argv[i], "--x11=block") == 0) {
+                        arg_x11_block = 1;
+                }
                else if (strcmp(argv[i], "--") == 0) {
                        // double dash - positional params to follow
                        arg_doubledash = 1;
@@ -2284,6 +2288,10 @@ int main(int argc, char **argv) {
                }
        }
+        // block X11 sockets
+        if (arg_x11_block)
+                x11_block();
        // check network configuration options - it will exit if anything went wrong
        net_check_cfg();
        
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a516f3216..00301037f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -625,6 +625,45 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_private = 1;
                return 0;
        }
+        if (strcmp(ptr, "x11 block") == 0) {
+#ifdef HAVE_X11
+                arg_x11_block = 1;
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xephyr") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0)
+                                return 0;
+                        else {
+                                // start x11
+                                x11_start_xephyr(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xpra") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0)
+                                return 0;
+                        else {
+                                // start x11
+                                x11_start_xpra(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+#endif
+                return 0;
+        }
        
        if (strcmp(ptr, "x11") == 0) {
 #ifdef HAVE_X11
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 5c6f045e7..29111d5ff 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -51,6 +51,27 @@ static int x11_check_xephyr(void) {
        return 1;
 }
+// check for X11 abstract sockets
+static int x11_abstract_sockets_present(void) {
+        char *path;
+        FILE *fp = fopen("/proc/net/unix", "r");
+        if (!fp)
+                errExit("fopen");
+        while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) {
+                if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
+                        free(path);
+                        fclose(fp);
+                        return 1;
+                }
+        }
+        free(path);
+        fclose(fp);
+        return 0;
+}
 static int random_display_number(void) {
        int i;
        int found = 1;
@@ -566,3 +587,37 @@ void x11_start(int argc, char **argv) {
 }
 #endif
+void x11_block(void) {
+#ifdef HAVE_X11
+        // check abstract socket presence and network namespace options
+        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+                && x11_abstract_sockets_present()) {
+                fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
+                                                "Additional setup required. To block abstract X11 socket you need either:\n"
+                                                " * use network namespace (--net=none, --net=...)\n"
+                                                " * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
+                exit(1);
+        }
+        // blacklist sockets
+        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
+        profile_add(strdup("blacklist /tmp/.X11-unix"));
+        // blacklist .Xauthority
+        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
+        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+        char *xauthority = getenv("XAUTHORITY");
+        if (xauthority) {
+                char *line;
+                if (asprintf(&line, "blacklist %s", xauthority) == -1)
+                        errExit("asprintf");
+                profile_check_line(line, 0, NULL);
+                profile_add(line);
+        }
+        // clear enviroment
+        env_store("DISPLAY", RMENV);
+        env_store("XAUTHORITY", RMENV);
+#endif
+}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 51b45cd10..d4ab0af55 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -267,6 +267,17 @@ There is no root account (uid 0) defined in the namespace.
 .TP
 \fBx11
 Enable X11 sandboxing.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 block
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable.
+Remove DISPLAY and XAUTHORITY enviroment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index a5d3623b6..c05c8e201 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1673,6 +1673,13 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 .TP
+\fB\-\-x11=block
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable.
+Remove DISPLAY and XAUTHORITY enviroment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
+.br
+.TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.
 .br
author	netblue30 <netblue30@yahoo.com>	2016-09-11 08:33:06 -0400
committer	GitHub <noreply@github.com>	2016-09-11 08:33:06 -0400
commit	ce420f6102b8f4bd6ea932439a676a26b96aa93b (patch)
tree	d7ae78ad40806445b200c98a4a6d99f26bd230f9 /src
parent	starting new development (diff)
parent	update man (diff)
download	firejail-ce420f6102b8f4bd6ea932439a676a26b96aa93b.tar.gz firejail-ce420f6102b8f4bd6ea932439a676a26b96aa93b.tar.zst firejail-ce420f6102b8f4bd6ea932439a676a26b96aa93b.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 776bfbc74..ed9d901c0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -315,6 +315,7 @@ extern int arg_audit; // audit
315	extern char *arg_audit_prog; // audit	315	extern char *arg_audit_prog; // audit
316	extern int arg_apparmor; // apparmor	316	extern int arg_apparmor; // apparmor
317	extern int arg_allow_debuggers; // allow debuggers	317	extern int arg_allow_debuggers; // allow debuggers
		318	extern int arg_x11_block; // block X11
318		319
319	extern int login_shell;	320	extern int login_shell;
320	extern int parent_to_child_fds[2];	321	extern int parent_to_child_fds[2];
@@ -623,6 +624,7 @@ int x11_display(void);
623	void x11_start(int argc, char **argv);	624	void x11_start(int argc, char **argv);
624	void x11_start_xpra(int argc, char **argv);	625	void x11_start_xpra(int argc, char **argv);
625	void x11_start_xephyr(int argc, char **argv);	626	void x11_start_xephyr(int argc, char **argv);
		627	void x11_block(void);
626		628
627	// ls.c	629	// ls.c
628	#define SANDBOX_FS_LS 0	630	#define SANDBOX_FS_LS 0


diff --git a/src/firejail/main.c b/src/firejail/main.c index 569fc7add..e171919d1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -105,6 +105,7 @@ int arg_audit = 0; // audit
105	char *arg_audit_prog = NULL; // audit	105	char *arg_audit_prog = NULL; // audit
106	int arg_apparmor = 0; // apparmor	106	int arg_apparmor = 0; // apparmor
107	int arg_allow_debuggers = 0; // allow debuggers	107	int arg_allow_debuggers = 0; // allow debuggers
		108	int arg_x11_block = 0; // block X11
108	int login_shell = 0;	109	int login_shell = 0;
109		110
110	int parent_to_child_fds[2];	111	int parent_to_child_fds[2];
@@ -2118,6 +2119,9 @@ int main(int argc, char **argv) {
2118	return 1;	2119	return 1;
2119	}	2120	}
2120	}	2121	}
		2122	else if (strcmp(argv[i], "--x11=block") == 0) {
		2123	arg_x11_block = 1;
		2124	}
2121	else if (strcmp(argv[i], "--") == 0) {	2125	else if (strcmp(argv[i], "--") == 0) {
2122	// double dash - positional params to follow	2126	// double dash - positional params to follow
2123	arg_doubledash = 1;	2127	arg_doubledash = 1;
@@ -2284,6 +2288,10 @@ int main(int argc, char **argv) {
2284	}	2288	}
2285	}	2289	}
2286		2290
		2291	// block X11 sockets
		2292	if (arg_x11_block)
		2293	x11_block();
		2294
2287	// check network configuration options - it will exit if anything went wrong	2295	// check network configuration options - it will exit if anything went wrong
2288	net_check_cfg();	2296	net_check_cfg();
2289		2297


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a516f3216..00301037f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -625,6 +625,45 @@ int profile_check_line(char ptr, int lineno, const char fname) {
625	arg_private = 1;	625	arg_private = 1;
626	return 0;	626	return 0;
627	}	627	}
		628
		629	if (strcmp(ptr, "x11 block") == 0) {
		630	#ifdef HAVE_X11
		631	arg_x11_block = 1;
		632	#endif
		633	return 0;
		634	}
		635
		636	if (strcmp(ptr, "x11 xephyr") == 0) {
		637	#ifdef HAVE_X11
		638	if (checkcfg(CFG_X11)) {
		639	char *x11env = getenv("FIREJAIL_X11");
		640	if (x11env && strcmp(x11env, "yes") == 0)
		641	return 0;
		642	else {
		643	// start x11
		644	x11_start_xephyr(cfg.original_argc, cfg.original_argv);
		645	exit(0);
		646	}
		647	}
		648	#endif
		649	return 0;
		650	}
		651
		652	if (strcmp(ptr, "x11 xpra") == 0) {
		653	#ifdef HAVE_X11
		654	if (checkcfg(CFG_X11)) {
		655	char *x11env = getenv("FIREJAIL_X11");
		656	if (x11env && strcmp(x11env, "yes") == 0)
		657	return 0;
		658	else {
		659	// start x11
		660	x11_start_xpra(cfg.original_argc, cfg.original_argv);
		661	exit(0);
		662	}
		663	}
		664	#endif
		665	return 0;
		666	}
628		667
629	if (strcmp(ptr, "x11") == 0) {	668	if (strcmp(ptr, "x11") == 0) {
630	#ifdef HAVE_X11	669	#ifdef HAVE_X11


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 5c6f045e7..29111d5ff 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -51,6 +51,27 @@ static int x11_check_xephyr(void) {
51	return 1;	51	return 1;
52	}	52	}
53		53
		54	// check for X11 abstract sockets
		55	static int x11_abstract_sockets_present(void) {
		56	char *path;
		57	FILE *fp = fopen("/proc/net/unix", "r");
		58	if (!fp)
		59	errExit("fopen");
		60
		61	while (fscanf(fp, "%s %s %s %s %s %s %*s %ms\n", &path) != EOF) {
		62	if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
		63	free(path);
		64	fclose(fp);
		65	return 1;
		66	}
		67	}
		68
		69	free(path);
		70	fclose(fp);
		71
		72	return 0;
		73	}
		74
54	static int random_display_number(void) {	75	static int random_display_number(void) {
55	int i;	76	int i;
56	int found = 1;	77	int found = 1;
@@ -566,3 +587,37 @@ void x11_start(int argc, char **argv) {
566	}	587	}
567		588
568	#endif	589	#endif
		590
		591	void x11_block(void) {
		592	#ifdef HAVE_X11
		593	// check abstract socket presence and network namespace options
		594	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
		595	&& x11_abstract_sockets_present()) {
		596	fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
		597	"Additional setup required. To block abstract X11 socket you need either:\n"
		598	" * use network namespace (--net=none, --net=...)\n"
		599	" * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
		600	exit(1);
		601	}
		602
		603	// blacklist sockets
		604	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
		605	profile_add(strdup("blacklist /tmp/.X11-unix"));
		606
		607	// blacklist .Xauthority
		608	profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
		609	profile_add(strdup("blacklist ${HOME}/.Xauthority"));
		610	char *xauthority = getenv("XAUTHORITY");
		611	if (xauthority) {
		612	char *line;
		613	if (asprintf(&line, "blacklist %s", xauthority) == -1)
		614	errExit("asprintf");
		615	profile_check_line(line, 0, NULL);
		616	profile_add(line);
		617	}
		618
		619	// clear enviroment
		620	env_store("DISPLAY", RMENV);
		621	env_store("XAUTHORITY", RMENV);
		622	#endif
		623	}


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 51b45cd10..d4ab0af55 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -267,6 +267,17 @@ There is no root account (uid 0) defined in the namespace.
267	.TP	267	.TP
268	\fBx11	268	\fBx11
269	Enable X11 sandboxing.	269	Enable X11 sandboxing.
		270	.TP
		271	\fBx11 xpra
		272	Enable X11 sandboxing with xpra.
		273	.TP
		274	\fBx11 xephyr
		275	Enable X11 sandboxing with xephyr.
		276	.TP
		277	\fBx11 block
		278	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable.
		279	Remove DISPLAY and XAUTHORITY enviroment variables.
		280	Stop with error message if X11 abstract socket will be accessible in jail.
270		281
271	.SH Resource limits, CPU affinity, Control Groups	282	.SH Resource limits, CPU affinity, Control Groups
272	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.	283	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a5d3623b6..c05c8e201 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1673,6 +1673,13 @@ Example:
1673	$ firejail \-\-x11=xephyr --net=eth0 openbox	1673	$ firejail \-\-x11=xephyr --net=eth0 openbox
1674		1674
1675	.TP	1675	.TP
		1676	\fB\-\-x11=block
		1677	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable.
		1678	Remove DISPLAY and XAUTHORITY enviroment variables.
		1679	Stop with error message if X11 abstract socket will be accessible in jail.
		1680	.br
		1681
		1682	.TP
1676	\fB\-\-zsh	1683	\fB\-\-zsh
1677	Use /usr/bin/zsh as default user shell.	1684	Use /usr/bin/zsh as default user shell.
1678	.br	1685	.br