fixed private-tmp problem on KDE systems

author: netblue30 <netblue30@yahoo.com> 2017-03-22 11:36:25 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-03-22 11:36:25 -0400
commit: 7310febd4d62eaac54c509244f8c011290e230b0 (patch)
tree: ff95e2cfa33b59faaf725e4856d898013b7a3f7a /src
parent: Edited profile request issue no. (diff)
download: firejail-7310febd4d62eaac54c509244f8c011290e230b0.tar.gz
firejail-7310febd4d62eaac54c509244f8c011290e230b0.tar.zst
firejail-7310febd4d62eaac54c509244f8c011290e230b0.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f26f8b06a..d1557e8b2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
                else {
                        // private-tmp is implemented as a whitelist
                        EUID_USER();
+                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        char *xauth = getenv("XAUTHORITY");
+                        if (xauth) {
+                                char *rp = realpath(xauth, NULL);
+                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                                        char *cmd;
+                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                                errExit("asprintf");
+                                        profile_add(cmd); // profile_add does not duplicate the string
+                                }
+                                if (rp)
+                                        free(rp);
+                        }
+                        // whitelist x11 directory
                        profile_add("whitelist /tmp/.X11-unix");
                        EUID_ROOT();
                }
author	netblue30 <netblue30@yahoo.com>	2017-03-22 11:36:25 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-03-22 11:36:25 -0400
commit	7310febd4d62eaac54c509244f8c011290e230b0 (patch)
tree	ff95e2cfa33b59faaf725e4856d898013b7a3f7a /src
parent	Edited profile request issue no. (diff)
download	firejail-7310febd4d62eaac54c509244f8c011290e230b0.tar.gz firejail-7310febd4d62eaac54c509244f8c011290e230b0.tar.zst firejail-7310febd4d62eaac54c509244f8c011290e230b0.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f26f8b06a..d1557e8b2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
742	else {	742	else {
743	// private-tmp is implemented as a whitelist	743	// private-tmp is implemented as a whitelist
744	EUID_USER();	744	EUID_USER();
		745	// check XAUTHORITY file, KDE keeps it under /tmp
		746	char *xauth = getenv("XAUTHORITY");
		747	if (xauth) {
		748	char *rp = realpath(xauth, NULL);
		749	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
		750	char *cmd;
		751	if (asprintf(&cmd, "whitelist %s", rp) == -1)
		752	errExit("asprintf");
		753	profile_add(cmd); // profile_add does not duplicate the string
		754	}
		755	if (rp)
		756	free(rp);
		757	}
		758	// whitelist x11 directory
745	profile_add("whitelist /tmp/.X11-unix");	759	profile_add("whitelist /tmp/.X11-unix");
746	EUID_ROOT();	760	EUID_ROOT();
747	}	761	}