diff options
| -rw-r--r-- | src/firejail/x11.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 29111d5ff..774294ff1 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
| @@ -54,7 +54,11 @@ static int x11_check_xephyr(void) { | |||
| 54 | // check for X11 abstract sockets | 54 | // check for X11 abstract sockets |
| 55 | static int x11_abstract_sockets_present(void) { | 55 | static int x11_abstract_sockets_present(void) { |
| 56 | char *path; | 56 | char *path; |
| 57 | |||
| 58 | EUID_ROOT(); // grsecurity fix | ||
| 57 | FILE *fp = fopen("/proc/net/unix", "r"); | 59 | FILE *fp = fopen("/proc/net/unix", "r"); |
| 60 | EUID_USER(); | ||
| 61 | |||
| 58 | if (!fp) | 62 | if (!fp) |
| 59 | errExit("fopen"); | 63 | errExit("fopen"); |
| 60 | 64 | ||
| @@ -594,9 +598,10 @@ void x11_block(void) { | |||
| 594 | if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) | 598 | if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) |
| 595 | && x11_abstract_sockets_present()) { | 599 | && x11_abstract_sockets_present()) { |
| 596 | fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n" | 600 | fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n" |
| 597 | "Additional setup required. To block abstract X11 socket you need either:\n" | 601 | "Additional setup required. To block abstract X11 socket you can either:\n" |
| 598 | " * use network namespace (--net=none, --net=...)\n" | 602 | " * use network namespace in firejail (--net=none, --net=...)\n" |
| 599 | " * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n"); | 603 | " * add \"-nolisten local\" to xserver options\n" |
| 604 | " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); | ||
| 600 | exit(1); | 605 | exit(1); |
| 601 | } | 606 | } |
| 602 | 607 | ||