11 files changed, 95 insertions, 22 deletions
diff --git a/README b/README
index 405eb5c4e..03b934a3e 100644
--- a/README
+++ b/README
@@ -351,6 +351,10 @@ SYN-cook (https://github.com/SYN-cook)
        - Engrampa profile
        - Scribus profile
        - autostart blacklist for KDE
+        - blacklist startup scripts
+startx2017 (https://github.com/startx2017)
+        - syscall list update
+        - enable/disable join support in /etc/firejail/firejail.config
 thewisenerd (https://github.com/thewisenerd)
        - allow multiple private-home commands
        - use $SHELL variable if the shell is not specified
diff --git a/RELNOTES b/RELNOTES
index ea09f17e4..61732c390 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -37,6 +37,7 @@ firejail (0.9.45) baseline; urgency=low
  * feature: allow tmpfs for regular users for files in home directory
  * feature: mount a tmpfs on top of ~/.cache directory by default
  * feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)
+  * feature: config support to disable join (join)
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 3bf609214..be3144133 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -7,19 +7,27 @@ blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.bash_history
 blacklist ${HOME}/.local/share/systemd
+blacklist ${HOME}/.config/systemd
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
 read-only ${HOME}/.local/share/applications
 # X11 session autostart
 blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xserverrc
+blacklist /etc/X11/Xsession.d/
+blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.xsession
+blacklist ${HOME}/.xsessionrc
 blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.gnomerc
 blacklist ${HOME}/.config/autostart
 blacklist /etc/xdg/autostart
 blacklist ${HOME}/.kde4/Autostart
 blacklist ${HOME}/.kde4/share/autostart
 blacklist ${HOME}/.kde/Autostart
 blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.local/share/autostart
 blacklist ${HOME}/.config/autostart-scripts
 blacklist ${HOME}/.config/plasma-workspace/shutdown
 blacklist ${HOME}/.config/plasma-workspace/env
@@ -27,8 +35,6 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
-blacklist ${HOME}/.gnomerc
-blacklist /etc/X11/Xsession.d/
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
 # VirtualBox
@@ -78,8 +84,6 @@ blacklist /etc/rc.local
 blacklist /etc/anacrontab
 # Startup files
-read-only ${HOME}/.xinitrc
-read-only ${HOME}/.xserverrc
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 90d0d5375..00c6e195a 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -42,8 +42,6 @@ blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
-blacklist ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart/dropbox.desktop
 blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/blender
 blacklist ${HOME}/.config/bless
diff --git a/etc/firefox.profile b/etc/firefox.profile
index dec44ca67..20acde62a 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -51,4 +51,4 @@ include /etc/firejail/whitelist-common.inc
 #private-bin firefox,which,sh,dbus-launch,dbus-send,env
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev 
-#private-tmp
+private-tmp
diff --git a/etc/firejail.config b/etc/firejail.config
index 0887e05b5..1db734f77 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -43,6 +43,10 @@
 # that is partially under their control.  Default disabled.
 # force-nonewprivs no
+# Allow sandbox joining as a regular user, default enabled.
+# root user can always join sandboxes.
+# join yes
 # Enable or disable networking features, default enabled.
 # network yes
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 476ecbe10..67bcd996a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -92,6 +92,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // join
+                        else if (strncmp(ptr, "join ", 5) == 0) {
+                                if (strcmp(ptr + 5, "yes") == 0)
+                                        cfg_val[CFG_JOIN] = 1;
+                                else if (strcmp(ptr + 5, "no") == 0)
+                                        cfg_val[CFG_JOIN] = 0;
+                                else
+                                        goto errout;
+                        }
                        // x11
                        else if (strncmp(ptr, "x11 ", 4) == 0) {
                                if (strcmp(ptr + 4, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f85560588..dbb6c4d16 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -686,6 +686,7 @@ enum {
        CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
        CFG_DISABLE_MNT,
        CFG_CACHE_TMPFS,
+        CFG_JOIN,
        CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index db9a9c8cb..3dcc5c62d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
 #endif
        else if (strncmp(argv[i], "--join=", 7) == 0) {
-                logargs(argc, argv);
+                if (checkcfg(CFG_JOIN) || getuid() == 0) {
+                        logargs(argc, argv);
-                if (arg_shell_none) {
+        
-                        if (argc <= (i+1)) {
+                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                if (argc <= (i+1)) {
-                                exit(1);
+                                        fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                        exit(1);
+                                }
+                                cfg.original_program_index = i + 1;
                        }
-                        cfg.original_program_index = i + 1;
+        
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
+        
+                        // join sandbox by pid or by name
+                        pid_t pid = read_pid(argv[i] + 7);
+                        join(pid, argc, argv, i + 1);
+                        exit(0);
                }
+                else
-                if (!cfg.shell && !arg_shell_none)
+                        exit_err_feature("join");
-                        cfg.shell = guess_shell();
-                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 7);
-                join(pid, argc, argv, i + 1);
-                exit(0);
        }
        else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f26f8b06a..d1557e8b2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
                else {
                        // private-tmp is implemented as a whitelist
                        EUID_USER();
+                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        char *xauth = getenv("XAUTHORITY");
+                        if (xauth) {
+                                char *rp = realpath(xauth, NULL);
+                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                                        char *cmd;
+                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                                errExit("asprintf");
+                                        profile_add(cmd); // profile_add does not duplicate the string
+                                }
+                                if (rp)
+                                        free(rp);
+                        }
+                        // whitelist x11 directory
                        profile_add("whitelist /tmp/.X11-unix");
                        EUID_ROOT();
                }
diff --git a/src/include/syscall.h b/src/include/syscall.h
index c49760703..8852fcbd5 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1076,6 +1076,11 @@
        {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
        {"prlimit64", __NR_prlimit64},
@@ -1126,6 +1131,11 @@
        {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
        {"query_module", __NR_query_module},
@@ -1892,6 +1902,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __LP64__
 #ifdef SYS__sysctl
 #ifdef __NR__sysctl
@@ -2828,6 +2839,11 @@
        {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
        {"prlimit64", __NR_prlimit64},
@@ -2868,6 +2884,11 @@
        {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
        {"query_module", __NR_query_module},
@@ -3529,6 +3550,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __ILP32__
 #ifdef SYS_accept
 #ifdef __NR_accept
@@ -4430,6 +4452,11 @@
        {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
        {"prlimit64", __NR_prlimit64},
@@ -4470,6 +4497,11 @@
        {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_quotactl
 #ifdef __NR_quotactl
        {"quotactl", __NR_quotactl},
@@ -5111,3 +5143,5 @@
 #endif
 #endif
 #endif
+//#endif

diff --git a/README b/README index 405eb5c4e..03b934a3e 100644 --- a/README +++ b/README
@@ -351,6 +351,10 @@ SYN-cook (https://github.com/SYN-cook)
351	- Engrampa profile	351	- Engrampa profile
352	- Scribus profile	352	- Scribus profile
353	- autostart blacklist for KDE	353	- autostart blacklist for KDE
		354	- blacklist startup scripts
		355	startx2017 (https://github.com/startx2017)
		356	- syscall list update
		357	- enable/disable join support in /etc/firejail/firejail.config
354	thewisenerd (https://github.com/thewisenerd)	358	thewisenerd (https://github.com/thewisenerd)
355	- allow multiple private-home commands	359	- allow multiple private-home commands
356	- use $SHELL variable if the shell is not specified	360	- use $SHELL variable if the shell is not specified


diff --git a/RELNOTES b/RELNOTES index ea09f17e4..61732c390 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -37,6 +37,7 @@ firejail (0.9.45) baseline; urgency=low
37	* feature: allow tmpfs for regular users for files in home directory	37	* feature: allow tmpfs for regular users for files in home directory
38	* feature: mount a tmpfs on top of ~/.cache directory by default	38	* feature: mount a tmpfs on top of ~/.cache directory by default
39	* feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)	39	* feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)
		40	* feature: config support to disable join (join)
40	* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,	41	* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
41	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,	42	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
42	* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,	43	* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3bf609214..be3144133 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -7,19 +7,27 @@ blacklist-nolog ${HOME}/.history
7	blacklist-nolog ${HOME}/.*_history	7	blacklist-nolog ${HOME}/.*_history
8	blacklist-nolog ${HOME}/.bash_history	8	blacklist-nolog ${HOME}/.bash_history
9	blacklist ${HOME}/.local/share/systemd	9	blacklist ${HOME}/.local/share/systemd
		10	blacklist ${HOME}/.config/systemd
10	blacklist-nolog ${HOME}/.adobe	11	blacklist-nolog ${HOME}/.adobe
11	blacklist-nolog ${HOME}/.macromedia	12	blacklist-nolog ${HOME}/.macromedia
12	read-only ${HOME}/.local/share/applications	13	read-only ${HOME}/.local/share/applications
13		14
14	# X11 session autostart	15	# X11 session autostart
15	blacklist ${HOME}/.xinitrc	16	blacklist ${HOME}/.xinitrc
		17	blacklist ${HOME}/.xserverrc
		18	blacklist /etc/X11/Xsession.d/
		19	blacklist ${HOME}/.Xsession
		20	blacklist ${HOME}/.xsession
		21	blacklist ${HOME}/.xsessionrc
16	blacklist ${HOME}/.xprofile	22	blacklist ${HOME}/.xprofile
		23	blacklist ${HOME}/.gnomerc
17	blacklist ${HOME}/.config/autostart	24	blacklist ${HOME}/.config/autostart
18	blacklist /etc/xdg/autostart	25	blacklist /etc/xdg/autostart
19	blacklist ${HOME}/.kde4/Autostart	26	blacklist ${HOME}/.kde4/Autostart
20	blacklist ${HOME}/.kde4/share/autostart	27	blacklist ${HOME}/.kde4/share/autostart
21	blacklist ${HOME}/.kde/Autostart	28	blacklist ${HOME}/.kde/Autostart
22	blacklist ${HOME}/.kde/share/autostart	29	blacklist ${HOME}/.kde/share/autostart
		30	blacklist ${HOME}/.local/share/autostart
23	blacklist ${HOME}/.config/autostart-scripts	31	blacklist ${HOME}/.config/autostart-scripts
24	blacklist ${HOME}/.config/plasma-workspace/shutdown	32	blacklist ${HOME}/.config/plasma-workspace/shutdown
25	blacklist ${HOME}/.config/plasma-workspace/env	33	blacklist ${HOME}/.config/plasma-workspace/env
@@ -27,8 +35,6 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart
27	blacklist ${HOME}/.fluxbox/startup	35	blacklist ${HOME}/.fluxbox/startup
28	blacklist ${HOME}/.config/openbox/autostart	36	blacklist ${HOME}/.config/openbox/autostart
29	blacklist ${HOME}/.config/openbox/environment	37	blacklist ${HOME}/.config/openbox/environment
30	blacklist ${HOME}/.gnomerc
31	blacklist /etc/X11/Xsession.d/
32	# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs	38	# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
33		39
34	# VirtualBox	40	# VirtualBox
@@ -78,8 +84,6 @@ blacklist /etc/rc.local
78	blacklist /etc/anacrontab	84	blacklist /etc/anacrontab
79		85
80	# Startup files	86	# Startup files
81	read-only ${HOME}/.xinitrc
82	read-only ${HOME}/.xserverrc
83	read-only ${HOME}/.antigen	87	read-only ${HOME}/.antigen
84	read-only ${HOME}/.bash_login	88	read-only ${HOME}/.bash_login
85	read-only ${HOME}/.bashrc	89	read-only ${HOME}/.bashrc


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 90d0d5375..00c6e195a 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -42,8 +42,6 @@ blacklist ${HOME}/.config/ardour5
42	blacklist ${HOME}/.config/arkrc	42	blacklist ${HOME}/.config/arkrc
43	blacklist ${HOME}/.config/atril	43	blacklist ${HOME}/.config/atril
44	blacklist ${HOME}/.config/audacious	44	blacklist ${HOME}/.config/audacious
45	blacklist ${HOME}/.config/autostart
46	blacklist ${HOME}/.config/autostart/dropbox.desktop
47	blacklist ${HOME}/.config/aweather	45	blacklist ${HOME}/.config/aweather
48	blacklist ${HOME}/.config/blender	46	blacklist ${HOME}/.config/blender
49	blacklist ${HOME}/.config/bless	47	blacklist ${HOME}/.config/bless


diff --git a/etc/firefox.profile b/etc/firefox.profile index dec44ca67..20acde62a 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -51,4 +51,4 @@ include /etc/firejail/whitelist-common.inc
51	#private-bin firefox,which,sh,dbus-launch,dbus-send,env	51	#private-bin firefox,which,sh,dbus-launch,dbus-send,env
52	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse	52	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
53	private-dev	53	private-dev
54	#private-tmp	54	private-tmp


diff --git a/etc/firejail.config b/etc/firejail.config index 0887e05b5..1db734f77 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -43,6 +43,10 @@
43	# that is partially under their control. Default disabled.	43	# that is partially under their control. Default disabled.
44	# force-nonewprivs no	44	# force-nonewprivs no
45		45
		46	# Allow sandbox joining as a regular user, default enabled.
		47	# root user can always join sandboxes.
		48	# join yes
		49
46	# Enable or disable networking features, default enabled.	50	# Enable or disable networking features, default enabled.
47	# network yes	51	# network yes
48		52


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 476ecbe10..67bcd996a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -92,6 +92,15 @@ int checkcfg(int val) {
92	else	92	else
93	goto errout;	93	goto errout;
94	}	94	}
		95	// join
		96	else if (strncmp(ptr, "join ", 5) == 0) {
		97	if (strcmp(ptr + 5, "yes") == 0)
		98	cfg_val[CFG_JOIN] = 1;
		99	else if (strcmp(ptr + 5, "no") == 0)
		100	cfg_val[CFG_JOIN] = 0;
		101	else
		102	goto errout;
		103	}
95	// x11	104	// x11
96	else if (strncmp(ptr, "x11 ", 4) == 0) {	105	else if (strncmp(ptr, "x11 ", 4) == 0) {
97	if (strcmp(ptr + 4, "yes") == 0)	106	if (strcmp(ptr + 4, "yes") == 0)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f85560588..dbb6c4d16 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -686,6 +686,7 @@ enum {
686	CFG_FOLLOW_SYMLINK_PRIVATE_BIN,	686	CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
687	CFG_DISABLE_MNT,	687	CFG_DISABLE_MNT,
688	CFG_CACHE_TMPFS,	688	CFG_CACHE_TMPFS,
		689	CFG_JOIN,
689	CFG_MAX // this should always be the last entry	690	CFG_MAX // this should always be the last entry
690	};	691	};
691	extern char *xephyr_screen;	692	extern char *xephyr_screen;


diff --git a/src/firejail/main.c b/src/firejail/main.c index db9a9c8cb..3dcc5c62d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
615	}	615	}
616	#endif	616	#endif
617	else if (strncmp(argv[i], "--join=", 7) == 0) {	617	else if (strncmp(argv[i], "--join=", 7) == 0) {
618	logargs(argc, argv);	618	if (checkcfg(CFG_JOIN) \|\| getuid() == 0) {
619		619	logargs(argc, argv);
620	if (arg_shell_none) {	620
621	if (argc <= (i+1)) {	621	if (arg_shell_none) {
622	fprintf(stderr, "Error: --shell=none set, but no command specified\n");	622	if (argc <= (i+1)) {
623	exit(1);	623	fprintf(stderr, "Error: --shell=none set, but no command specified\n");
		624	exit(1);
		625	}
		626	cfg.original_program_index = i + 1;
624	}	627	}
625	cfg.original_program_index = i + 1;	628
		629	if (!cfg.shell && !arg_shell_none)
		630	cfg.shell = guess_shell();
		631
		632	// join sandbox by pid or by name
		633	pid_t pid = read_pid(argv[i] + 7);
		634	join(pid, argc, argv, i + 1);
		635	exit(0);
626	}	636	}
627		637	else
628	if (!cfg.shell && !arg_shell_none)	638	exit_err_feature("join");
629	cfg.shell = guess_shell();
630
631	// join sandbox by pid or by name
632	pid_t pid = read_pid(argv[i] + 7);
633	join(pid, argc, argv, i + 1);
634	exit(0);
635		639
636	}	640	}
637	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {	641	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f26f8b06a..d1557e8b2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
742	else {	742	else {
743	// private-tmp is implemented as a whitelist	743	// private-tmp is implemented as a whitelist
744	EUID_USER();	744	EUID_USER();
		745	// check XAUTHORITY file, KDE keeps it under /tmp
		746	char *xauth = getenv("XAUTHORITY");
		747	if (xauth) {
		748	char *rp = realpath(xauth, NULL);
		749	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
		750	char *cmd;
		751	if (asprintf(&cmd, "whitelist %s", rp) == -1)
		752	errExit("asprintf");
		753	profile_add(cmd); // profile_add does not duplicate the string
		754	}
		755	if (rp)
		756	free(rp);
		757	}
		758	// whitelist x11 directory
745	profile_add("whitelist /tmp/.X11-unix");	759	profile_add("whitelist /tmp/.X11-unix");
746	EUID_ROOT();	760	EUID_ROOT();
747	}	761	}


diff --git a/src/include/syscall.h b/src/include/syscall.h index c49760703..8852fcbd5 100644 --- a/src/include/syscall.h +++ b/src/include/syscall.h
@@ -1076,6 +1076,11 @@
1076	{"preadv", __NR_preadv},	1076	{"preadv", __NR_preadv},
1077	#endif	1077	#endif
1078	#endif	1078	#endif
		1079	#ifdef SYS_preadv2
		1080	#ifdef __NR_preadv2
		1081	{"preadv2", __NR_preadv2},
		1082	#endif
		1083	#endif
1079	#ifdef SYS_prlimit64	1084	#ifdef SYS_prlimit64
1080	#ifdef __NR_prlimit64	1085	#ifdef __NR_prlimit64
1081	{"prlimit64", __NR_prlimit64},	1086	{"prlimit64", __NR_prlimit64},
@@ -1126,6 +1131,11 @@
1126	{"pwritev", __NR_pwritev},	1131	{"pwritev", __NR_pwritev},
1127	#endif	1132	#endif
1128	#endif	1133	#endif
		1134	#ifdef SYS_pwritev2
		1135	#ifdef __NR_pwritev2
		1136	{"pwritev2", __NR_pwritev2},
		1137	#endif
		1138	#endif
1129	#ifdef SYS_query_module	1139	#ifdef SYS_query_module
1130	#ifdef __NR_query_module	1140	#ifdef __NR_query_module
1131	{"query_module", __NR_query_module},	1141	{"query_module", __NR_query_module},
@@ -1892,6 +1902,7 @@
1892	#endif	1902	#endif
1893	#endif	1903	#endif
1894	#endif	1904	#endif
		1905	//#endif
1895	#if defined __x86_64__ && defined __LP64__	1906	#if defined __x86_64__ && defined __LP64__
1896	#ifdef SYS__sysctl	1907	#ifdef SYS__sysctl
1897	#ifdef __NR__sysctl	1908	#ifdef __NR__sysctl
@@ -2828,6 +2839,11 @@
2828	{"preadv", __NR_preadv},	2839	{"preadv", __NR_preadv},
2829	#endif	2840	#endif
2830	#endif	2841	#endif
		2842	#ifdef SYS_preadv2
		2843	#ifdef __NR_preadv2
		2844	{"preadv2", __NR_preadv2},
		2845	#endif
		2846	#endif
2831	#ifdef SYS_prlimit64	2847	#ifdef SYS_prlimit64
2832	#ifdef __NR_prlimit64	2848	#ifdef __NR_prlimit64
2833	{"prlimit64", __NR_prlimit64},	2849	{"prlimit64", __NR_prlimit64},
@@ -2868,6 +2884,11 @@
2868	{"pwritev", __NR_pwritev},	2884	{"pwritev", __NR_pwritev},
2869	#endif	2885	#endif
2870	#endif	2886	#endif
		2887	#ifdef SYS_pwritev2
		2888	#ifdef __NR_pwritev2
		2889	{"pwritev2", __NR_pwritev2},
		2890	#endif
		2891	#endif
2871	#ifdef SYS_query_module	2892	#ifdef SYS_query_module
2872	#ifdef __NR_query_module	2893	#ifdef __NR_query_module
2873	{"query_module", __NR_query_module},	2894	{"query_module", __NR_query_module},
@@ -3529,6 +3550,7 @@
3529	#endif	3550	#endif
3530	#endif	3551	#endif
3531	#endif	3552	#endif
		3553	//#endif
3532	#if defined __x86_64__ && defined __ILP32__	3554	#if defined __x86_64__ && defined __ILP32__
3533	#ifdef SYS_accept	3555	#ifdef SYS_accept
3534	#ifdef __NR_accept	3556	#ifdef __NR_accept
@@ -4430,6 +4452,11 @@
4430	{"preadv", __NR_preadv},	4452	{"preadv", __NR_preadv},
4431	#endif	4453	#endif
4432	#endif	4454	#endif
		4455	#ifdef SYS_preadv2
		4456	#ifdef __NR_preadv2
		4457	{"preadv2", __NR_preadv2},
		4458	#endif
		4459	#endif
4433	#ifdef SYS_prlimit64	4460	#ifdef SYS_prlimit64
4434	#ifdef __NR_prlimit64	4461	#ifdef __NR_prlimit64
4435	{"prlimit64", __NR_prlimit64},	4462	{"prlimit64", __NR_prlimit64},
@@ -4470,6 +4497,11 @@
4470	{"pwritev", __NR_pwritev},	4497	{"pwritev", __NR_pwritev},
4471	#endif	4498	#endif
4472	#endif	4499	#endif
		4500	#ifdef SYS_pwritev2
		4501	#ifdef __NR_pwritev2
		4502	{"pwritev2", __NR_pwritev2},
		4503	#endif
		4504	#endif
4473	#ifdef SYS_quotactl	4505	#ifdef SYS_quotactl
4474	#ifdef __NR_quotactl	4506	#ifdef __NR_quotactl
4475	{"quotactl", __NR_quotactl},	4507	{"quotactl", __NR_quotactl},
@@ -5111,3 +5143,5 @@
5111	#endif	5143	#endif
5112	#endif	5144	#endif
5113	#endif	5145	#endif
		5146	//#endif
		5147