renamed --x11=block to --x11=none, brought back the requirement for network namespaces for x11 sandboxing

author: netblue30 <netblue30@yahoo.com> 2016-10-02 10:23:29 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-10-02 10:23:29 -0400
commit: b7d5d68ae43edb1cd2da60762a9e297934f76b5b (patch)
tree: e67378bea9dba366dd2fd6901af30a756b49e252 /src
parent: Merge pull request #829 from reinerh/master (diff)
download: firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.gz
firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.zst
firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.zip
3 files changed, 4 insertions, 7 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 91ea523ab..c4b7ce4dc 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2208,7 +2208,7 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
-                else if (strcmp(argv[i], "--x11=block") == 0) {
+                else if (strcmp(argv[i], "--x11=none") == 0) {
                        arg_x11_block = 1;
                }
                else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 36023e067..def1dd324 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -52,7 +52,6 @@ static int x11_check_xephyr(void) {
        return 1;
 }
-#if 0
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
        char *path;
@@ -77,7 +76,6 @@ static int x11_abstract_sockets_present(void) {
        return 0;
 }
-#endif
 static int random_display_number(void) {
        int i;
@@ -598,18 +596,17 @@ void x11_start(int argc, char **argv) {
 void x11_block(void) {
 #ifdef HAVE_X11
        mask_x11_abstract_socket = 1;
-#if 0
        // check abstract socket presence and network namespace options
        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
                && x11_abstract_sockets_present()) {
-                fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
+                fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
                                                "Additional setup required. To block abstract X11 socket you can either:\n"
                                                " * use network namespace in firejail (--net=none, --net=...)\n"
                                                " * add \"-nolisten local\" to xserver options\n"
                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
                exit(1);
        }
-#endif
        // blacklist sockets
        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3ceb21e78..aadc54677 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1713,7 +1713,7 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 .TP
-\fB\-\-x11=block
+\fB\-\-x11=none
 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
author	netblue30 <netblue30@yahoo.com>	2016-10-02 10:23:29 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-10-02 10:23:29 -0400
commit	b7d5d68ae43edb1cd2da60762a9e297934f76b5b (patch)
tree	e67378bea9dba366dd2fd6901af30a756b49e252 /src
parent	Merge pull request #829 from reinerh/master (diff)
download	firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.gz firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.tar.zst firejail-b7d5d68ae43edb1cd2da60762a9e297934f76b5b.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index 91ea523ab..c4b7ce4dc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -2208,7 +2208,7 @@ int main(int argc, char **argv) {
2208	return 1;	2208	return 1;
2209	}	2209	}
2210	}	2210	}
2211	else if (strcmp(argv[i], "--x11=block") == 0) {	2211	else if (strcmp(argv[i], "--x11=none") == 0) {
2212	arg_x11_block = 1;	2212	arg_x11_block = 1;
2213	}	2213	}
2214	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {	2214	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 36023e067..def1dd324 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -52,7 +52,6 @@ static int x11_check_xephyr(void) {
52	return 1;	52	return 1;
53	}	53	}
54		54
55	#if 0
56	// check for X11 abstract sockets	55	// check for X11 abstract sockets
57	static int x11_abstract_sockets_present(void) {	56	static int x11_abstract_sockets_present(void) {
58	char *path;	57	char *path;
@@ -77,7 +76,6 @@ static int x11_abstract_sockets_present(void) {
77		76
78	return 0;	77	return 0;
79	}	78	}
80	#endif
81		79
82	static int random_display_number(void) {	80	static int random_display_number(void) {
83	int i;	81	int i;
@@ -598,18 +596,17 @@ void x11_start(int argc, char **argv) {
598	void x11_block(void) {	596	void x11_block(void) {
599	#ifdef HAVE_X11	597	#ifdef HAVE_X11
600	mask_x11_abstract_socket = 1;	598	mask_x11_abstract_socket = 1;
601	#if 0	599
602	// check abstract socket presence and network namespace options	600	// check abstract socket presence and network namespace options
603	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)	601	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
604	&& x11_abstract_sockets_present()) {	602	&& x11_abstract_sockets_present()) {
605	fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"	603	fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
606	"Additional setup required. To block abstract X11 socket you can either:\n"	604	"Additional setup required. To block abstract X11 socket you can either:\n"
607	" * use network namespace in firejail (--net=none, --net=...)\n"	605	" * use network namespace in firejail (--net=none, --net=...)\n"
608	" * add \"-nolisten local\" to xserver options\n"	606	" * add \"-nolisten local\" to xserver options\n"
609	" (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");	607	" (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
610	exit(1);	608	exit(1);
611	}	609	}
612	#endif
613		610
614	// blacklist sockets	611	// blacklist sockets
615	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);	612	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3ceb21e78..aadc54677 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1713,7 +1713,7 @@ Example:
1713	$ firejail \-\-x11=xephyr --net=eth0 openbox	1713	$ firejail \-\-x11=xephyr --net=eth0 openbox
1714		1714
1715	.TP	1715	.TP
1716	\fB\-\-x11=block	1716	\fB\-\-x11=none
1717	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.	1717	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
1718	Remove DISPLAY and XAUTHORITY environment variables.	1718	Remove DISPLAY and XAUTHORITY environment variables.
1719	Stop with error message if X11 abstract socket will be accessible in jail.	1719	Stop with error message if X11 abstract socket will be accessible in jail.