13 files changed, 118 insertions, 17 deletions
diff --git a/Makefile.in b/Makefile.in
index ee17ae60c..cdb3535c2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libx11
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 prefix=@prefix@
@@ -71,6 +71,7 @@ realinstall:
        install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
        install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 src/libx11/libx11.so $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
@@ -120,6 +121,7 @@ install-strip: all
        strip src/firecfg/firecfg
        strip src/libtrace/libtrace.so
        strip src/libtracelog/libtracelog.so
+        strip src/libx11/libx11.so
        strip src/ftee/ftee
        strip src/faudit/faudit
        $(MAKE) realinstall
diff --git a/configure b/configure
index 42c59279e..c27787397 100755
--- a/configure
+++ b/configure
@@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then
        sysconfdir="/etc"
 fi
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4477,6 +4477,7 @@ do
    "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
    "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
    "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
+    "src/libx11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libx11/Makefile" ;;
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
diff --git a/configure.ac b/configure.ac
index e664cbe31..523ebd831 100644
--- a/configure.ac
+++ b/configure.ac
@@ -148,7 +148,7 @@ if test "$prefix" = /usr; then
        sysconfdir="/etc"
 fi
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile)
 echo
 echo "Configuration options:"
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 75e7a469b..fb6c18b36 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -149,4 +149,3 @@
 /etc/firejail/synfigstudio.profile
 /etc/firejail/gimp.profile
 /etc/firejail/inkscape.profile
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index d17d3922a..4debf2ff6 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -79,10 +79,8 @@ void dbus_test(void) {
                        else if (rv == -1)
                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
                }
-                else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) {
+                else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
-                        printf("UGLY: session bus configured for TCPcommunication.\n");
+                        printf("UGLY: session bus configured for TCP communication.\n");
-                        rv = -2;
-                }
                else
                        printf("GOOD: cannot find a D-Bus socket\n");
                        
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
index e1a4bf66e..43f40f4e9 100644
--- a/src/faudit/x11.c
+++ b/src/faudit/x11.c
@@ -35,8 +35,9 @@ void x11_test(void) {
        if (!(dir = opendir("/tmp/.X11-unix"))) {
                // sleep 2 seconds and try again
                sleep(2);
-                if (!(dir = opendir("/tmp/.X11-unix")))
+                if (!(dir = opendir("/tmp/.X11-unix"))) {
                        ;
+                }
        }
        
        if (dir == NULL)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 29cdc2c20..f2d490a6c 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -627,6 +627,7 @@ void fs_mkdir(const char *name);
 void fs_mkfile(const char *name);
 // x11.c
+extern int mask_x11_abstract_socket;
 void fs_x11(void);
 int x11_display(void);
 void x11_start(int argc, char **argv);
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index bab117b7e..861b8a9a7 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -54,15 +54,17 @@ void fs_trace(void) {
        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
        if (!fp)
                errExit("fopen");
-        if (arg_trace)
+        if (arg_trace) {
                fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
+        }
        else if (arg_tracelog) {
                fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
                if (!arg_quiet)
                        printf("Blacklist violations are logged to syslog\n");
        }       
-        else
-                assert(0);
+        if (mask_x11_abstract_socket)
+                fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR);
        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
        fclose(fp);
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 14991ba94..39efaa0a6 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -419,7 +419,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                EUID_USER();
        }
        // get file from host and store it in the sandbox
-        else if (op == SANDBOX_FS_PUT) {
+        else if (op == SANDBOX_FS_PUT && path2) {
                // verify the source file
                const char *src_fname = path1;
                struct stat s;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7666f1f62..7b519c8c2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -479,7 +479,7 @@ int sandbox(void* sandbox_arg) {
        fs_build_cp_command();
        
        // trace pre-install
-        if (arg_trace || arg_tracelog)
+        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                fs_trace_preload();
        //****************************
@@ -505,7 +505,7 @@ int sandbox(void* sandbox_arg) {
                //****************************
                // trace pre-install, this time inside chroot
                //****************************
-                if (arg_trace || arg_tracelog)
+                if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                        fs_trace_preload();
        }
        else 
@@ -575,7 +575,7 @@ int sandbox(void* sandbox_arg) {
                else {
                        fs_private_etc_list();
                        // create /etc/ld.so.preload file again
-                        if (arg_trace || arg_tracelog)
+                        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                                fs_trace_preload();
                }
        }
@@ -626,7 +626,7 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // install trace
        //****************************
-        if (arg_trace || arg_tracelog)
+        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                fs_trace();
                
        //****************************
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 774294ff1..2fa7f84d8 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -27,6 +27,7 @@
 #include <dirent.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
+int mask_x11_abstract_socket = 0;
 #ifdef HAVE_X11
 // return 1 if xpra is installed on the system
@@ -51,6 +52,7 @@ static int x11_check_xephyr(void) {
        return 1;
 }
+#if 0
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
        char *path;
@@ -75,6 +77,7 @@ static int x11_abstract_sockets_present(void) {
        return 0;
 }
+#endif
 static int random_display_number(void) {
        int i;
@@ -594,6 +597,8 @@ void x11_start(int argc, char **argv) {
 void x11_block(void) {
 #ifdef HAVE_X11
+        mask_x11_abstract_socket = 1;
+#if 0
        // check abstract socket presence and network namespace options
        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
                && x11_abstract_sockets_present()) {
@@ -604,6 +609,7 @@ void x11_block(void) {
                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
                exit(1);
        }
+#endif
        // blacklist sockets
        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
diff --git a/src/libx11/Makefile.in b/src/libx11/Makefile.in
new file mode 100644
index 000000000..2dfef8076
--- /dev/null
+++ b/src/libx11/Makefile.in
@@ -0,0 +1,25 @@
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
+all: libx11.so
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+libx11.so: $(OBJS)
+        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+clean:; rm -f $(OBJS) libx11.so
+distclean: clean
+        rm -fr Makefile
diff --git a/src/libx11/libx11.c b/src/libx11/libx11.c
new file mode 100644
index 000000000..208fb65ed
--- /dev/null
+++ b/src/libx11/libx11.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <errno.h>
+//#define DEBUG
+//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
+static int check_sockaddr(const struct sockaddr *addr) {
+        if (addr->sa_family == AF_UNIX) {
+                struct sockaddr_un *a = (struct sockaddr_un *) addr;
+                if (a->sun_path[0] == '\0') {
+//                      printf("@%s\n", a->sun_path + 1);
+                        errno = ENOENT;
+                        return -1;
+                }
+        }
+        
+        return 0;
+}
+//
+// syscalls
+//
+// connect
+typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+static orig_connect_t orig_connect = NULL;
+int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+        if (!orig_connect)
+                orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
+                        
+        if (check_sockaddr(addr) == -1)
+                return -1;
+                
+        return orig_connect(sockfd, addr, addrlen);
+}

diff --git a/Makefile.in b/Makefile.in index ee17ae60c..cdb3535c2 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -1,6 +1,6 @@
1	all: apps man	1	all: apps man
2	MYLIBS = src/lib	2	MYLIBS = src/lib
3	APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit	3	APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libx11
4	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5	4	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
5		5
6	prefix=@prefix@	6	prefix=@prefix@
@@ -71,6 +71,7 @@ realinstall:
71	install -m 0755 -d $(DESTDIR)/$(libdir)/firejail	71	install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
72	install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.	72	install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
73	install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.	73	install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
		74	install -c -m 0644 src/libx11/libx11.so $(DESTDIR)/$(libdir)/firejail/.
74	install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.	75	install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
75	install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.	76	install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
76	install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.	77	install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
@@ -120,6 +121,7 @@ install-strip: all
120	strip src/firecfg/firecfg	121	strip src/firecfg/firecfg
121	strip src/libtrace/libtrace.so	122	strip src/libtrace/libtrace.so
122	strip src/libtracelog/libtracelog.so	123	strip src/libtracelog/libtracelog.so
		124	strip src/libx11/libx11.so
123	strip src/ftee/ftee	125	strip src/ftee/ftee
124	strip src/faudit/faudit	126	strip src/faudit/faudit
125	$(MAKE) realinstall	127	$(MAKE) realinstall


diff --git a/configure b/configure index 42c59279e..c27787397 100755 --- a/configure +++ b/configure
@@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then
3759	sysconfdir="/etc"	3759	sysconfdir="/etc"
3760	fi	3760	fi
3761		3761
3762	ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile"	3762	ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile"
3763		3763
3764	cat >confcache <<\_ACEOF	3764	cat >confcache <<\_ACEOF
3765	# This file is a shell script that caches the results of configure	3765	# This file is a shell script that caches the results of configure
@@ -4477,6 +4477,7 @@ do
4477	"src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;	4477	"src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
4478	"src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;	4478	"src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
4479	"src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;	4479	"src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
		4480	"src/libx11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libx11/Makefile" ;;
4480		4481
4481	*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;	4482	*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
4482	esac	4483	esac


diff --git a/configure.ac b/configure.ac index e664cbe31..523ebd831 100644 --- a/configure.ac +++ b/configure.ac
@@ -148,7 +148,7 @@ if test "$prefix" = /usr; then
148	sysconfdir="/etc"	148	sysconfdir="/etc"
149	fi	149	fi
150		150
151	AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile)	151	AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile)
152		152
153	echo	153	echo
154	echo "Configuration options:"	154	echo "Configuration options:"


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 75e7a469b..fb6c18b36 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -149,4 +149,3 @@
149	/etc/firejail/synfigstudio.profile	149	/etc/firejail/synfigstudio.profile
150	/etc/firejail/gimp.profile	150	/etc/firejail/gimp.profile
151	/etc/firejail/inkscape.profile	151	/etc/firejail/inkscape.profile
152


diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index d17d3922a..4debf2ff6 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c
@@ -79,10 +79,8 @@ void dbus_test(void) {
79	else if (rv == -1)	79	else if (rv == -1)
80	printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);	80	printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
81	}	81	}
82	else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) {	82	else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
83	printf("UGLY: session bus configured for TCPcommunication.\n");	83	printf("UGLY: session bus configured for TCP communication.\n");
84	rv = -2;
85	}
86	else	84	else
87	printf("GOOD: cannot find a D-Bus socket\n");	85	printf("GOOD: cannot find a D-Bus socket\n");
88		86


diff --git a/src/faudit/x11.c b/src/faudit/x11.c index e1a4bf66e..43f40f4e9 100644 --- a/src/faudit/x11.c +++ b/src/faudit/x11.c
@@ -35,8 +35,9 @@ void x11_test(void) {
35	if (!(dir = opendir("/tmp/.X11-unix"))) {	35	if (!(dir = opendir("/tmp/.X11-unix"))) {
36	// sleep 2 seconds and try again	36	// sleep 2 seconds and try again
37	sleep(2);	37	sleep(2);
38	if (!(dir = opendir("/tmp/.X11-unix")))	38	if (!(dir = opendir("/tmp/.X11-unix"))) {
39	;	39	;
		40	}
40	}	41	}
41		42
42	if (dir == NULL)	43	if (dir == NULL)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 29cdc2c20..f2d490a6c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -627,6 +627,7 @@ void fs_mkdir(const char *name);
627	void fs_mkfile(const char *name);	627	void fs_mkfile(const char *name);
628		628
629	// x11.c	629	// x11.c
		630	extern int mask_x11_abstract_socket;
630	void fs_x11(void);	631	void fs_x11(void);
631	int x11_display(void);	632	int x11_display(void);
632	void x11_start(int argc, char **argv);	633	void x11_start(int argc, char **argv);


diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index bab117b7e..861b8a9a7 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c
@@ -54,15 +54,17 @@ void fs_trace(void) {
54	FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");	54	FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
55	if (!fp)	55	if (!fp)
56	errExit("fopen");	56	errExit("fopen");
57	if (arg_trace)	57	if (arg_trace) {
58	fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);	58	fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
		59	}
59	else if (arg_tracelog) {	60	else if (arg_tracelog) {
60	fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);	61	fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
61	if (!arg_quiet)	62	if (!arg_quiet)
62	printf("Blacklist violations are logged to syslog\n");	63	printf("Blacklist violations are logged to syslog\n");
63	}	64	}
64	else	65
65	assert(0);	66	if (mask_x11_abstract_socket)
		67	fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR);
66		68
67	SET_PERMS_STREAM(fp, 0, 0, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);	69	SET_PERMS_STREAM(fp, 0, 0, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);
68	fclose(fp);	70	fclose(fp);


diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 14991ba94..39efaa0a6 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c
@@ -419,7 +419,7 @@ void sandboxfs(int op, pid_t pid, const char path1, const char path2) {
419	EUID_USER();	419	EUID_USER();
420	}	420	}
421	// get file from host and store it in the sandbox	421	// get file from host and store it in the sandbox
422	else if (op == SANDBOX_FS_PUT) {	422	else if (op == SANDBOX_FS_PUT && path2) {
423	// verify the source file	423	// verify the source file
424	const char *src_fname = path1;	424	const char *src_fname = path1;
425	struct stat s;	425	struct stat s;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 7666f1f62..7b519c8c2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -479,7 +479,7 @@ int sandbox(void* sandbox_arg) {
479	fs_build_cp_command();	479	fs_build_cp_command();
480		480
481	// trace pre-install	481	// trace pre-install
482	if (arg_trace \|\| arg_tracelog)	482	if (arg_trace \|\| arg_tracelog \|\| mask_x11_abstract_socket)
483	fs_trace_preload();	483	fs_trace_preload();
484		484
485	//****************************	485	//****************************
@@ -505,7 +505,7 @@ int sandbox(void* sandbox_arg) {
505	//****************************	505	//****************************
506	// trace pre-install, this time inside chroot	506	// trace pre-install, this time inside chroot
507	//****************************	507	//****************************
508	if (arg_trace \|\| arg_tracelog)	508	if (arg_trace \|\| arg_tracelog \|\| mask_x11_abstract_socket)
509	fs_trace_preload();	509	fs_trace_preload();
510	}	510	}
511	else	511	else
@@ -575,7 +575,7 @@ int sandbox(void* sandbox_arg) {
575	else {	575	else {
576	fs_private_etc_list();	576	fs_private_etc_list();
577	// create /etc/ld.so.preload file again	577	// create /etc/ld.so.preload file again
578	if (arg_trace \|\| arg_tracelog)	578	if (arg_trace \|\| arg_tracelog \|\| mask_x11_abstract_socket)
579	fs_trace_preload();	579	fs_trace_preload();
580	}	580	}
581	}	581	}
@@ -626,7 +626,7 @@ int sandbox(void* sandbox_arg) {
626	//****************************	626	//****************************
627	// install trace	627	// install trace
628	//****************************	628	//****************************
629	if (arg_trace \|\| arg_tracelog)	629	if (arg_trace \|\| arg_tracelog \|\| mask_x11_abstract_socket)
630	fs_trace();	630	fs_trace();
631		631
632	//****************************	632	//****************************


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 774294ff1..2fa7f84d8 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -27,6 +27,7 @@
27	#include <dirent.h>	27	#include <dirent.h>
28	#include <sys/mount.h>	28	#include <sys/mount.h>
29	#include <sys/wait.h>	29	#include <sys/wait.h>
		30	int mask_x11_abstract_socket = 0;
30		31
31	#ifdef HAVE_X11	32	#ifdef HAVE_X11
32	// return 1 if xpra is installed on the system	33	// return 1 if xpra is installed on the system
@@ -51,6 +52,7 @@ static int x11_check_xephyr(void) {
51	return 1;	52	return 1;
52	}	53	}
53		54
		55	#if 0
54	// check for X11 abstract sockets	56	// check for X11 abstract sockets
55	static int x11_abstract_sockets_present(void) {	57	static int x11_abstract_sockets_present(void) {
56	char *path;	58	char *path;
@@ -75,6 +77,7 @@ static int x11_abstract_sockets_present(void) {
75		77
76	return 0;	78	return 0;
77	}	79	}
		80	#endif
78		81
79	static int random_display_number(void) {	82	static int random_display_number(void) {
80	int i;	83	int i;
@@ -594,6 +597,8 @@ void x11_start(int argc, char **argv) {
594		597
595	void x11_block(void) {	598	void x11_block(void) {
596	#ifdef HAVE_X11	599	#ifdef HAVE_X11
		600	mask_x11_abstract_socket = 1;
		601	#if 0
597	// check abstract socket presence and network namespace options	602	// check abstract socket presence and network namespace options
598	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)	603	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
599	&& x11_abstract_sockets_present()) {	604	&& x11_abstract_sockets_present()) {
@@ -604,6 +609,7 @@ void x11_block(void) {
604	" (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");	609	" (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
605	exit(1);	610	exit(1);
606	}	611	}
		612	#endif
607		613
608	// blacklist sockets	614	// blacklist sockets
609	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);	615	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);


diff --git a/src/libx11/Makefile.in b/src/libx11/Makefile.in new file mode 100644 index 000000000..2dfef8076 --- /dev/null +++ b/src/libx11/Makefile.in
@@ -0,0 +1,25 @@
		1	PREFIX=@prefix@
		2	VERSION=@PACKAGE_VERSION@
		3	NAME=@PACKAGE_NAME@
		4	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
		5
		6	H_FILE_LIST = $(sort $(wildcard *.[h]))
		7	C_FILE_LIST = $(sort $(wildcard *.c))
		8	OBJS = $(C_FILE_LIST:.c=.o)
		9	BINOBJS = $(foreach file, $(OBJS), $file)
		10	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
		11	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
		12
		13	all: libx11.so
		14
		15	%.o : %.c $(H_FILE_LIST)
		16	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
		17
		18	libx11.so: $(OBJS)
		19	$(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
		20
		21
		22	clean:; rm -f $(OBJS) libx11.so
		23
		24	distclean: clean
		25	rm -fr Makefile


diff --git a/src/libx11/libx11.c b/src/libx11/libx11.c new file mode 100644 index 000000000..208fb65ed --- /dev/null +++ b/src/libx11/libx11.c
@@ -0,0 +1,66 @@
		1	/*
		2	* Copyright (C) 2014-2016 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#define _GNU_SOURCE
		21	#include <stdio.h>
		22	#include <stdlib.h>
		23	#include <string.h>
		24	#include <dlfcn.h>
		25	#include <sys/types.h>
		26	#include <unistd.h>
		27	#include <sys/socket.h>
		28	#include <netinet/in.h>
		29	#include <arpa/inet.h>
		30	#include <sys/un.h>
		31	#include <sys/stat.h>
		32	#include <dirent.h>
		33	#include <errno.h>
		34
		35	//#define DEBUG
		36
		37	//static int check_sockaddr(int sockfd, const char call, const struct sockaddr addr, int rv) {
		38	static int check_sockaddr(const struct sockaddr *addr) {
		39	if (addr->sa_family == AF_UNIX) {
		40	struct sockaddr_un a = (struct sockaddr_un ) addr;
		41	if (a->sun_path[0] == '\0') {
		42	// printf("@%s\n", a->sun_path + 1);
		43	errno = ENOENT;
		44	return -1;
		45	}
		46	}
		47
		48	return 0;
		49	}
		50
		51	//
		52	// syscalls
		53	//
		54
		55	// connect
		56	typedef int (orig_connect_t)(int sockfd, const struct sockaddr addr, socklen_t addrlen);
		57	static orig_connect_t orig_connect = NULL;
		58	int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
		59	if (!orig_connect)
		60	orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
		61
		62	if (check_sockaddr(addr) == -1)
		63	return -1;
		64
		65	return orig_connect(sockfd, addr, addrlen);
		66	}