diff options
| author |  smitsohu <smitsohu@gmail.com> | 2020-03-31 15:07:01 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-03-31 15:07:01 +0200 |
| commit | 34e5973bcd3b6e5a81410173c5fc70a1f24570b1 (patch) | |
| tree | 507fae60b92c5b6a5bb6dc82eda4cf9dabd9df31 /src | |
| parent | abiword and more gnome-games (diff) | |
| download | firejail-34e5973bcd3b6e5a81410173c5fc70a1f24570b1.tar.gz firejail-34e5973bcd3b6e5a81410173c5fc70a1f24570b1.tar.zst firejail-34e5973bcd3b6e5a81410173c5fc70a1f24570b1.zip | |
extra x11 hardening
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/x11.c | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 74de24b47..98ac184d9 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
| @@ -1235,16 +1235,15 @@ void x11_xorg(void) { | |||
| 1235 | 1235 | ||
| 1236 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted | 1236 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted |
| 1237 | // automatically when the sandbox is closed (rename doesn't work) | 1237 | // automatically when the sandbox is closed (rename doesn't work) |
| 1238 | // root needed | 1238 | if (arg_debug) |
| 1239 | if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { | 1239 | printf("Copying the new .Xauthority file\n"); |
| 1240 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); | 1240 | copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600); |
| 1241 | exit(1); | 1241 | |
| 1242 | } | ||
| 1243 | /* coverity[toctou] */ | 1242 | /* coverity[toctou] */ |
| 1244 | unlink(tmpfname); | 1243 | unlink(tmpfname); |
| 1245 | umount("/tmp"); | 1244 | umount("/tmp"); |
| 1246 | 1245 | ||
| 1247 | // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid | 1246 | // mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid |
| 1248 | fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0); | 1247 | fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0); |
| 1249 | 1248 | ||
| 1250 | // Ensure there is already a file in the usual location, so that bind-mount below will work. | 1249 | // Ensure there is already a file in the usual location, so that bind-mount below will work. |
| @@ -1354,19 +1353,17 @@ void fs_x11(void) { | |||
| 1354 | if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) | 1353 | if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) |
| 1355 | errExit("mount bind"); | 1354 | errExit("mount bind"); |
| 1356 | 1355 | ||
| 1357 | // This directory must be mode 1777, or Xlib will barf. | 1356 | // This directory must be mode 1777 |
| 1358 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", | 1357 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", |
| 1359 | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, | 1358 | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, |
| 1360 | "mode=1777,uid=0,gid=0") < 0) | 1359 | "mode=1777,uid=0,gid=0") < 0) |
| 1361 | errExit("mounting tmpfs on /tmp/.X11-unix"); | 1360 | errExit("mounting tmpfs on /tmp/.X11-unix"); |
| 1362 | fs_logger("tmpfs /tmp/.X11-unix"); | 1361 | fs_logger("tmpfs /tmp/.X11-unix"); |
| 1363 | 1362 | ||
| 1364 | // create an empty file which will have the desired socket bind-mounted over it | 1363 | // create an empty root-owned file which will have the desired socket bind-mounted over it |
| 1365 | int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT); | 1364 | int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR); |
| 1366 | if (fd < 0) | 1365 | if (fd < 0) |
| 1367 | errExit(x11file); | 1366 | errExit(x11file); |
| 1368 | if (fchown(fd, x11stat.st_uid, x11stat.st_gid)) | ||
| 1369 | errExit("fchown"); | ||
| 1370 | close(fd); | 1367 | close(fd); |
| 1371 | 1368 | ||
| 1372 | // the mount source is under control of the user, so be careful and | 1369 | // the mount source is under control of the user, so be careful and |