4 files changed, 10 insertions, 6 deletions

diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0fa789ff1..74eb00268 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -625,7 +625,6 @@ void x11_start(int argc, char **argv) {
                 exit(0);
         }
 }
-
 #endif
 
 // Porting notes:
@@ -642,6 +641,11 @@ void x11_start(int argc, char **argv) {
 // directory, we need to make sure /usr/bin/xauth executable is the real thing, and not
 // something picked up on $PATH.
 //
+// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens
+// when using a network namespace. Somehow, xauth tries to connect to the abstract socket,
+// and it failes because of the network namespace - it should try to connect to the regular
+// Unix socket! If we ignore the fail condition, the program will be started on X server without
+// the security extension loaded.
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -690,7 +694,7 @@ void x11_xorg(void) {
 #ifdef HAVE_GCOV
                 __gcov_flush();
 #endif
-                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
+                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
                         "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
                 
                 _exit(127);
@@ -719,7 +723,7 @@ void x11_xorg(void) {
         // ensure the file has the correct permissions and move it
         // into the correct location.
         if (stat(tmpfname, &s) == -1) {
-                fprintf(stderr, "Error: .Xauthority file was mpt created\n");
+                fprintf(stderr, "Error: .Xauthority file was not created\n");
                 exit(1);
         }
         if (set_perms(tmpfname, getuid(), getgid(), 0600))
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
index f66aeddd8..4da9e5a16 100755
--- a/test/apps-x11-xorg/firefox.exp
+++ b/test/apps-x11-xorg/firefox.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange firefox -no-remote www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp
index f7a08aa8f..ce1d38222 100755
--- a/test/apps-x11-xorg/icedove.exp
+++ b/test/apps-x11-xorg/icedove.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg icedove\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange icedove\r"
 sleep 10
 
 spawn $env(SHELL)
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
index de8a7f7c6..c6d9ba13a 100755
--- a/test/apps-x11-xorg/transmission-gtk.exp
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-gtk\r"
 sleep 10
 
 spawn $env(SHELL)