-rw-r--r-- | src/firejail/x11.c | 10 | ||||
-rwxr-xr-x | test/apps-x11-xorg/firefox.exp | 2 | ||||
-rwxr-xr-x | test/apps-x11-xorg/icedove.exp | 2 | ||||
-rwxr-xr-x | test/apps-x11-xorg/transmission-gtk.exp | 2 |
4 files changed, 10 insertions, 6 deletions
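--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -625,7 +625,6 @@ void x11_start(int argc, char **argv) {
 exit(0);
 }
 }
-
 #endif
 
 // Porting notes:
@@ -642,6 +641,11 @@ void x11_start(int argc, char **argv) {
 // directory, we need to make sure /usr/bin/xauth executable is the real thing, and not
 // something picked up on $PATH.
 //
+// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens
+// when using a network namespace. Somehow, xauth tries to connect to the abstract socket,
+// and it failes because of the network namespace - it should try to connect to the regular
+// Unix socket! If we ignore the fail condition, the program will be started on X server without
+// the security extension loaded.
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -690,7 +694,7 @@ void x11_xorg(void) {
 #ifdef HAVE_GCOV
 __gcov_flush();
 #endif
-execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
+execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
 "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
 
 _exit(127);
@@ -719,7 +723,7 @@ void x11_xorg(void) {
 // ensure the file has the correct permissions and move it
 // into the correct location.
 if (stat(tmpfname, &s) == -1) {
-fprintf(stderr, "Error: .Xauthority file was mpt created\n");
+fprintf(stderr, "Error: .Xauthority file was not created\n");
 exit(1);
 }
 if (set_perms(tmpfname, getuid(), getgid(), 0600))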
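Review bot: The `stat` check at new line 725 only proves the .Xauthority file exists, not that xauth wrote a cookie into it, so the new porting note's promise that a failed xauth exits the sandbox rests on the child's exit status being checked in the parent, which is outside these hunks; if xauth can create the file before failing, an empty file should be rejected as well, e.g. `if (stat(tmpfname, &s) == -1 || s.st_size == 0) {`. The added `-v` on the `execlp` makes xauth verbose on the stdout/stderr it inherits from the sandbox; if it was added to diagnose the Debian 8 network-namespace failure described in the comment, consider gating it behind firejail's debug option so normal runs stay quiet. The new comment also has a typo: `and it failes because of` → `and it fails because of`. x11_xorg's body continues outside the hunks.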
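--- a/test/apps-x11-xorg/firefox.exp
+++ b/test/apps-x11-xorg/firefox.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange firefox -no-remote www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)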
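Review bot: Adding `--ignore=net --ignore=netfilter --ignore=iprange` to the firejail command line (the same change is in icedove.exp and transmission-gtk.exp) means these tests no longer run `--x11=xorg` under a network namespace, which is presumably the configuration that made xauth fail per the new porting note in x11.c, so that combination is now untested. A companion test that keeps the network namespace active and expects the sandbox to exit with an error rather than start the application would pin the documented fail-closed behavior. The remainder of the script is outside the hunk.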
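--- a/test/apps-x11-xorg/icedove.exp
+++ b/test/apps-x11-xorg/icedove.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg icedove\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange icedove\r"
 sleep 10
 
 spawn $env(SHELL)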
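--- a/test/apps-x11-xorg/transmission-gtk.exp
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-gtk\r"
 sleep 10
 
 spawn $env(SHELL)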