x11 work

author: netblue30 <netblue30@yahoo.com> 2016-02-24 12:55:06 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-24 12:55:06 -0500
commit: 89535f782c19fd8396fd013d4b38d746f3faed95 (patch)
tree: 255335eea7b669906fe2989a880b0f2ac595999b /src
parent: allow --interface only to root user for --enable-network=restricted (diff)
download: firejail-89535f782c19fd8396fd013d4b38d746f3faed95.tar.gz
firejail-89535f782c19fd8396fd013d4b38d746f3faed95.tar.zst
firejail-89535f782c19fd8396fd013d4b38d746f3faed95.zip
8 files changed, 149 insertions, 4 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index acb49d246..b37c3aba8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -27,6 +27,7 @@
 #define RUN_FIREJAIL_BASEDIR    "/run"
 #define RUN_FIREJAIL_DIR        "/run/firejail"
 #define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name"
+#define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
 #define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail.lock"
@@ -524,6 +525,7 @@ void fs_mkdir(const char *name);
 // x11.c
 void fs_x11(void);
 void x11_start(int argc, char **argv);
+int x11_display(void);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index df5e8410b..6505177d0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -127,6 +127,17 @@ void fs_build_firejail_dir(void) {
                        errExit("chmod");
        }
        
+        if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
+                if (arg_debug)
+                        printf("Creating %s directory\n", RUN_FIREJAIL_X11_DIR);
+                if (mkdir(RUN_FIREJAIL_X11_DIR, 0755) == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_X11_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_X11_DIR, 0755) < 0)
+                        errExit("chmod");
+        }
+        
        create_empty_dir();
        create_empty_file();
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 5a8f564f4..9e0be7bfa 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -106,6 +106,8 @@ pid_t sandbox_pid;
 static void set_name_file(uid_t pid);
 static void delete_name_file(uid_t pid);
+static void set_x11_file(uid_t pid, int display);
+static void delete_x11_file(uid_t pid);
 static void myexit(int rv) {
        logmsg("exiting...");
@@ -116,6 +118,7 @@ static void myexit(int rv) {
        bandwidth_shm_del_file(sandbox_pid);            // bandwidth file
        network_shm_del_file(sandbox_pid);              // network map file
        delete_name_file(sandbox_pid);
+        delete_x11_file(sandbox_pid);
        
        exit(rv); 
 }
@@ -511,6 +514,36 @@ static void delete_name_file(uid_t pid) {
        (void) rv;
 }
+static void set_x11_file(uid_t pid, int display) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+                errExit("asprintf");
+        // the file is deleted first
+        FILE *fp = fopen(fname, "w");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+        fprintf(fp, "%d\n", display);
+        fclose(fp);
+        
+        // mode and ownership
+        if (chown(fname, 0, 0) == -1)
+                errExit("chown");
+        if (chmod(fname, 0644) == -1)
+                errExit("chmod");
+        
+}
+static void delete_x11_file(uid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+                errExit("asprintf");
+        int rv = unlink(fname);
+        (void) rv;
+}
 //*******************************************
 // Main program
 //*******************************************
@@ -1554,6 +1587,9 @@ int main(int argc, char **argv) {
        EUID_ROOT();
        if (cfg.name)
                set_name_file(sandbox_pid);
+        int display = x11_display();
+        if (display > 0)
+                set_x11_file(sandbox_pid, display);
        EUID_USER();
        
        // clone environment
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index c3515cc82..980a4dbca 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -26,12 +26,12 @@
 #include <dirent.h>
 #include <sys/mount.h>
-void fs_x11(void) {
+// return display number, -1 if not configured
-#ifdef HAVE_X11
+int x11_display(void) {
        // extract display
        char *d = getenv("DISPLAY");
        if (!d)
-                return;
+                return - 1;
        
        int display;
        int rv = sscanf(d, ":%d", &display);
@@ -39,6 +39,15 @@ void fs_x11(void) {
                return;
        if (arg_debug)
                printf("DISPLAY %s, %d\n", d, display);
+        
+        return display;
+}
+void fs_x11(void) {
+#ifdef HAVE_X11
+        int display = x11_display();
+        if (display <= 0)
+                return;
        char *x11file;
        if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
@@ -48,7 +57,7 @@ void fs_x11(void) {
                return;
        // keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR
-        rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
+        int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
        if (rv == -1)
                errExit("mkdir");
        if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0)
@@ -178,6 +187,7 @@ void x11_start(int argc, char **argv) {
                exit(1);
        }
        sleep(1);
        if (arg_debug) {
                printf("X11 sockets: "); fflush(0);
                int rv = system("ls /tmp/.X11-unix");
@@ -213,6 +223,7 @@ void x11_start(int argc, char **argv) {
        
        if (!arg_quiet)
                printf("Xpra server pid %d, client pid %d\n", server, client);
        exit(0);
 }
 #endif
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 679c5a3e9..c19c344b0 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -33,6 +33,7 @@ static int arg_seccomp = 0;
 static int arg_caps = 0;
 static int arg_cpu = 0;
 static int arg_cgroup = 0;
+static int arg_x11 = 0;
 int arg_nowrap = 0;
 static struct termios tlocal;   // startup terminal setting
@@ -141,6 +142,9 @@ int main(int argc, char **argv) {
                // cumulative options with or without a pid argument
+                else if (strcmp(argv[i], "--x11") == 0) {
+                        arg_x11 = 1;
+                }
                else if (strcmp(argv[i], "--cgroup") == 0) {
                        arg_cgroup = 1;
                }
@@ -217,6 +221,8 @@ int main(int argc, char **argv) {
                cpu((pid_t) pid);
        if (arg_cgroup)
                cgroup((pid_t) pid);
+        if (arg_x11)
+                x11((pid_t) pid);
        
        if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp)
                procevent((pid_t) pid); // never to return
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
new file mode 100644
index 000000000..e30c2d78b
--- /dev/null
+++ b/src/firemon/x11.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firemon.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+                        
+void x11(pid_t pid) {
+        if (getuid() == 0)
+                firemon_drop_privs();
+        
+        pid_read(pid);
+        
+        // print processes
+        int i;
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 1) {
+                        pid_print_list(i, 0);
+                        
+                        char *x11file;
+                        // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
+                        if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1)
+                                errExit("asprintf");
+                        struct stat s;
+                        if (stat(x11file, &s) == 0) {
+                                FILE *fp = fopen(x11file, "r");
+                                if (!fp) {
+                                        free(x11file);
+                                        continue;
+                                }
+                                int display;
+                                int rv = fscanf(fp, "%d", &display);
+                                if (rv == 1)
+                                        printf("   DISPLAY :%d\n", display);
+                                fclose(fp);
+                        }
+                        free(x11file);
+                }
+        }
+}
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 681a105af..c6931af12 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1505,6 +1505,20 @@ $ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+.TP
+\fB\-\-x11
+Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
+applications started in the sandbox from accessing display 0.
+.br
+.br
+Example:
+.br
+$ firejail \-\-x11 firefox
 .TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.
@@ -1514,6 +1528,7 @@ Use /usr/bin/zsh as default user shell.
 Example:
 .br
 $ firejail \-\-zsh
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 2a69b1de5..88b2ce59f 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -51,6 +51,10 @@ Print a tree of all sandboxed processes.
 \fB\-\-version
 Print program version and exit.
+.TP
+\fB\-\-x11
+Print X11 display number.
 .PP
 Option \-\-list prints a list of all sandboxes. The format
 for each entry is as follows:
author	netblue30 <netblue30@yahoo.com>	2016-02-24 12:55:06 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-24 12:55:06 -0500
commit	89535f782c19fd8396fd013d4b38d746f3faed95 (patch)
tree	255335eea7b669906fe2989a880b0f2ac595999b /src
parent	allow --interface only to root user for --enable-network=restricted (diff)
download	firejail-89535f782c19fd8396fd013d4b38d746f3faed95.tar.gz firejail-89535f782c19fd8396fd013d4b38d746f3faed95.tar.zst firejail-89535f782c19fd8396fd013d4b38d746f3faed95.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index acb49d246..b37c3aba8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -27,6 +27,7 @@
27	#define RUN_FIREJAIL_BASEDIR "/run"	27	#define RUN_FIREJAIL_BASEDIR "/run"
28	#define RUN_FIREJAIL_DIR "/run/firejail"	28	#define RUN_FIREJAIL_DIR "/run/firejail"
29	#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"	29	#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
		30	#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
30	#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"	31	#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
31	#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"	32	#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
32	#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"	33	#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
@@ -524,6 +525,7 @@ void fs_mkdir(const char *name);
524	// x11.c	525	// x11.c
525	void fs_x11(void);	526	void fs_x11(void);
526	void x11_start(int argc, char **argv);	527	void x11_start(int argc, char **argv);
		528	int x11_display(void);
527		529
528	#endif	530	#endif
529		531


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index df5e8410b..6505177d0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -127,6 +127,17 @@ void fs_build_firejail_dir(void) {
127	errExit("chmod");	127	errExit("chmod");
128	}	128	}
129		129
		130	if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
		131	if (arg_debug)
		132	printf("Creating %s directory\n", RUN_FIREJAIL_X11_DIR);
		133	if (mkdir(RUN_FIREJAIL_X11_DIR, 0755) == -1)
		134	errExit("mkdir");
		135	if (chown(RUN_FIREJAIL_X11_DIR, 0, 0) < 0)
		136	errExit("chown");
		137	if (chmod(RUN_FIREJAIL_X11_DIR, 0755) < 0)
		138	errExit("chmod");
		139	}
		140
130	create_empty_dir();	141	create_empty_dir();
131	create_empty_file();	142	create_empty_file();
132	}	143	}


diff --git a/src/firejail/main.c b/src/firejail/main.c index 5a8f564f4..9e0be7bfa 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -106,6 +106,8 @@ pid_t sandbox_pid;
106		106
107	static void set_name_file(uid_t pid);	107	static void set_name_file(uid_t pid);
108	static void delete_name_file(uid_t pid);	108	static void delete_name_file(uid_t pid);
		109	static void set_x11_file(uid_t pid, int display);
		110	static void delete_x11_file(uid_t pid);
109		111
110	static void myexit(int rv) {	112	static void myexit(int rv) {
111	logmsg("exiting...");	113	logmsg("exiting...");
@@ -116,6 +118,7 @@ static void myexit(int rv) {
116	bandwidth_shm_del_file(sandbox_pid); // bandwidth file	118	bandwidth_shm_del_file(sandbox_pid); // bandwidth file
117	network_shm_del_file(sandbox_pid); // network map file	119	network_shm_del_file(sandbox_pid); // network map file
118	delete_name_file(sandbox_pid);	120	delete_name_file(sandbox_pid);
		121	delete_x11_file(sandbox_pid);
119		122
120	exit(rv);	123	exit(rv);
121	}	124	}
@@ -511,6 +514,36 @@ static void delete_name_file(uid_t pid) {
511	(void) rv;	514	(void) rv;
512	}	515	}
513		516
		517	static void set_x11_file(uid_t pid, int display) {
		518	char *fname;
		519	if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
		520	errExit("asprintf");
		521
		522	// the file is deleted first
		523	FILE *fp = fopen(fname, "w");
		524	if (!fp) {
		525	fprintf(stderr, "Error: cannot create %s\n", fname);
		526	exit(1);
		527	}
		528	fprintf(fp, "%d\n", display);
		529	fclose(fp);
		530
		531	// mode and ownership
		532	if (chown(fname, 0, 0) == -1)
		533	errExit("chown");
		534	if (chmod(fname, 0644) == -1)
		535	errExit("chmod");
		536
		537	}
		538
		539	static void delete_x11_file(uid_t pid) {
		540	char *fname;
		541	if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
		542	errExit("asprintf");
		543	int rv = unlink(fname);
		544	(void) rv;
		545	}
		546
514	//*******************************************	547	//*******************************************
515	// Main program	548	// Main program
516	//*******************************************	549	//*******************************************
@@ -1554,6 +1587,9 @@ int main(int argc, char **argv) {
1554	EUID_ROOT();	1587	EUID_ROOT();
1555	if (cfg.name)	1588	if (cfg.name)
1556	set_name_file(sandbox_pid);	1589	set_name_file(sandbox_pid);
		1590	int display = x11_display();
		1591	if (display > 0)
		1592	set_x11_file(sandbox_pid, display);
1557	EUID_USER();	1593	EUID_USER();
1558		1594
1559	// clone environment	1595	// clone environment


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index c3515cc82..980a4dbca 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -26,12 +26,12 @@
26	#include <dirent.h>	26	#include <dirent.h>
27	#include <sys/mount.h>	27	#include <sys/mount.h>
28		28
29	void fs_x11(void) {	29	// return display number, -1 if not configured
30	#ifdef HAVE_X11	30	int x11_display(void) {
31	// extract display	31	// extract display
32	char *d = getenv("DISPLAY");	32	char *d = getenv("DISPLAY");
33	if (!d)	33	if (!d)
34	return;	34	return - 1;
35		35
36	int display;	36	int display;
37	int rv = sscanf(d, ":%d", &display);	37	int rv = sscanf(d, ":%d", &display);
@@ -39,6 +39,15 @@ void fs_x11(void) {
39	return;	39	return;
40	if (arg_debug)	40	if (arg_debug)
41	printf("DISPLAY %s, %d\n", d, display);	41	printf("DISPLAY %s, %d\n", d, display);
		42
		43	return display;
		44	}
		45
		46	void fs_x11(void) {
		47	#ifdef HAVE_X11
		48	int display = x11_display();
		49	if (display <= 0)
		50	return;
42		51
43	char *x11file;	52	char *x11file;
44	if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)	53	if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
@@ -48,7 +57,7 @@ void fs_x11(void) {
48	return;	57	return;
49		58
50	// keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR	59	// keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR
51	rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);	60	int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
52	if (rv == -1)	61	if (rv == -1)
53	errExit("mkdir");	62	errExit("mkdir");
54	if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0)	63	if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0)
@@ -178,6 +187,7 @@ void x11_start(int argc, char **argv) {
178	exit(1);	187	exit(1);
179	}	188	}
180	sleep(1);	189	sleep(1);
		190
181	if (arg_debug) {	191	if (arg_debug) {
182	printf("X11 sockets: "); fflush(0);	192	printf("X11 sockets: "); fflush(0);
183	int rv = system("ls /tmp/.X11-unix");	193	int rv = system("ls /tmp/.X11-unix");
@@ -213,6 +223,7 @@ void x11_start(int argc, char **argv) {
213		223
214	if (!arg_quiet)	224	if (!arg_quiet)
215	printf("Xpra server pid %d, client pid %d\n", server, client);	225	printf("Xpra server pid %d, client pid %d\n", server, client);
		226
216	exit(0);	227	exit(0);
217	}	228	}
218	#endif	229	#endif


diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 679c5a3e9..c19c344b0 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c
@@ -33,6 +33,7 @@ static int arg_seccomp = 0;
33	static int arg_caps = 0;	33	static int arg_caps = 0;
34	static int arg_cpu = 0;	34	static int arg_cpu = 0;
35	static int arg_cgroup = 0;	35	static int arg_cgroup = 0;
		36	static int arg_x11 = 0;
36	int arg_nowrap = 0;	37	int arg_nowrap = 0;
37		38
38	static struct termios tlocal; // startup terminal setting	39	static struct termios tlocal; // startup terminal setting
@@ -141,6 +142,9 @@ int main(int argc, char **argv) {
141		142
142		143
143	// cumulative options with or without a pid argument	144	// cumulative options with or without a pid argument
		145	else if (strcmp(argv[i], "--x11") == 0) {
		146	arg_x11 = 1;
		147	}
144	else if (strcmp(argv[i], "--cgroup") == 0) {	148	else if (strcmp(argv[i], "--cgroup") == 0) {
145	arg_cgroup = 1;	149	arg_cgroup = 1;
146	}	150	}
@@ -217,6 +221,8 @@ int main(int argc, char **argv) {
217	cpu((pid_t) pid);	221	cpu((pid_t) pid);
218	if (arg_cgroup)	222	if (arg_cgroup)
219	cgroup((pid_t) pid);	223	cgroup((pid_t) pid);
		224	if (arg_x11)
		225	x11((pid_t) pid);
220		226
221	if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp)	227	if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp)
222	procevent((pid_t) pid); // never to return	228	procevent((pid_t) pid); // never to return


diff --git a/src/firemon/x11.c b/src/firemon/x11.c new file mode 100644 index 000000000..e30c2d78b --- /dev/null +++ b/src/firemon/x11.c
@@ -0,0 +1,60 @@
		1	/*
		2	* Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "firemon.h"
		21	#include <sys/types.h>
		22	#include <sys/stat.h>
		23	#include <unistd.h>
		24
		25	void x11(pid_t pid) {
		26	if (getuid() == 0)
		27	firemon_drop_privs();
		28
		29	pid_read(pid);
		30
		31	// print processes
		32	int i;
		33	for (i = 0; i < max_pids; i++) {
		34	if (pids[i].level == 1) {
		35	pid_print_list(i, 0);
		36
		37	char *x11file;
		38	// todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
		39	if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1)
		40	errExit("asprintf");
		41
		42	struct stat s;
		43	if (stat(x11file, &s) == 0) {
		44	FILE *fp = fopen(x11file, "r");
		45	if (!fp) {
		46	free(x11file);
		47	continue;
		48	}
		49	int display;
		50	int rv = fscanf(fp, "%d", &display);
		51	if (rv == 1)
		52	printf(" DISPLAY :%d\n", display);
		53	fclose(fp);
		54	}
		55
		56	free(x11file);
		57	}
		58	}
		59	}
		60


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 681a105af..c6931af12 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1505,6 +1505,20 @@ $ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
1505	$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null	1505	$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
1506	.br	1506	.br
1507	$ firejail "\-\-whitelist=/home/username/My Virtual Machines"	1507	$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
		1508
		1509	.TP
		1510	\fB\-\-x11
		1511	Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
		1512	Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
		1513	The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
		1514	applications started in the sandbox from accessing display 0.
		1515	.br
		1516
		1517	.br
		1518	Example:
		1519	.br
		1520	$ firejail \-\-x11 firefox
		1521
1508	.TP	1522	.TP
1509	\fB\-\-zsh	1523	\fB\-\-zsh
1510	Use /usr/bin/zsh as default user shell.	1524	Use /usr/bin/zsh as default user shell.
@@ -1514,6 +1528,7 @@ Use /usr/bin/zsh as default user shell.
1514	Example:	1528	Example:
1515	.br	1529	.br
1516	$ firejail \-\-zsh	1530	$ firejail \-\-zsh
		1531
1517	.SH TRAFFIC SHAPING	1532	.SH TRAFFIC SHAPING
1518	Network bandwidth is an expensive resource shared among all sandboxes running on a system.	1533	Network bandwidth is an expensive resource shared among all sandboxes running on a system.
1519	Traffic shaping allows the user to increase network performance by controlling	1534	Traffic shaping allows the user to increase network performance by controlling


diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 2a69b1de5..88b2ce59f 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt
@@ -51,6 +51,10 @@ Print a tree of all sandboxed processes.
51	\fB\-\-version	51	\fB\-\-version
52	Print program version and exit.	52	Print program version and exit.
53		53
		54	.TP
		55	\fB\-\-x11
		56	Print X11 display number.
		57
54	.PP	58	.PP
55	Option \-\-list prints a list of all sandboxes. The format	59	Option \-\-list prints a list of all sandboxes. The format
56	for each entry is as follows:	60	for each entry is as follows: