10 files changed, 212 insertions, 59 deletions

diff --git a/README.md b/README.md
index a8075cc1e..43aa183ef 100644
--- a/README.md
+++ b/README.md
@@ -45,14 +45,36 @@ If you keep your Firejail profiles in a public repository, please give us a link
 `````
 # Current development version: 0.9.43
 
-## New command line options
+## X11 development
 `````
-      --x11=none
-              Blacklist  /tmp/.X11-unix  directory,  ${HOME}/.Xauthority  and  file
-              specified in ${XAUTHORITY} environment variable.  Remove  DISPLAY  and
-              XAUTHORITY  environment  variables.   Stop  with  error message if X11
-              abstract socket will be accessible in jail.
+       --x11=none
+              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
+              file  specified  in  ${XAUTHORITY} environment variable.  Remove
+              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
+              message if X11 abstract socket will be accessible in jail.
+
+      --x11=xorg
+              Sandbox the application using the untrusted mode implemented  by
+              X11  security  extension.   The  extension  is available in Xorg
+              package and it is installed by default on most  Linux  distribu‐
+              tions.  It  provides support for a simple trusted/untrusted con‐
+              nection model. Untrusted clients are restricted in certain  ways
+              to  prevent  them from reading window contents of other clients,
+              stealing input events, etc.
+
+              The untrusted mode has several limitations.  A  lot  of  regular
+              programs   assume  they are a trusted X11 clients and will crash
+              or lock up when run in  untrusted  mode.  Chromium  browser  and
+              xterm are two examples.  Firefox and transmission-gtk seem to be
+              working fine.  A network namespace  is  not  required  for  this
+              option.
 
+              Example:
+              $ firejail --x11=xorg firefox
+`````
+
+## Other command line options
+`````
       --put=name|pid src-filename dest-filename
               Put src-filename in sandbox container.  The container is specified by name or PID.
 
@@ -84,7 +106,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
 
 ## New profile commands
 
-x11 xpra, x11 xephyr, x11 none, allusers, join-or-start
+x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start
 
 ## New profiles
 
diff --git a/RELNOTES b/RELNOTES
index 4ae23c2f3..df495c31a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -12,6 +12,7 @@ firejail (0.9.43) baseline; urgency=low
   * feature: all user home directories are visible (--allusers)
   * feature: add files to sandbox container (--put)
   * feature: blocking x11 (--x11=block)
+  * feature: X11 security extension (--x11=xorg)
   * feature: disable 3D hardware acceleration (--no3d)
   * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
   * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f2d490a6c..f4d468394 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -61,6 +61,7 @@
 #define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
 
 #define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
+#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
 #define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
@@ -321,6 +322,7 @@ extern char *arg_audit_prog;	// audit
 extern int arg_apparmor;        // apparmor
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
+extern int arg_x11_xorg;        // use X11 security extention
 extern int arg_allusers;        // all user home directories visible
 
 extern int login_shell;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c4b7ce4dc..6d4eb21df 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -107,6 +107,7 @@ char *arg_audit_prog = NULL;			// audit
 int arg_apparmor = 0;                           // apparmor
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
+int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 
 int login_shell = 0;
@@ -2208,9 +2209,21 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+                
+                // unlike all other x11 features, this is available always
                 else if (strcmp(argv[i], "--x11=none") == 0) {
                         arg_x11_block = 1;
                 }
+#ifdef HAVE_X11
+                else if (strcmp(argv[i], "--x11=xorg") == 0) {
+                        if (checkcfg(CFG_X11))
+                                arg_x11_xorg = 1;
+                        else {
+                                fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
+#endif
                 else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
                         // NOTE: this is second part of option handler,
                         //               atempt to find and join sandbox is done in other one
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 59ef42a74..e5c35a89d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -657,9 +657,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
 
         if (strcmp(ptr, "x11 none") == 0) {
-#ifdef HAVE_X11
                 arg_x11_block = 1;
-#endif
                 return 0;
         }
 
@@ -681,6 +679,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strcmp(ptr, "x11 xorg") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11))
+                        arg_x11_xorg = 1;
+                else {
+                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                        return 0;
+                }
+#endif
+                return 0;
+        }
         if (strcmp(ptr, "x11 xpra") == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
@@ -717,19 +726,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         
-#if 0
-   if (strncmp(ptr, "private-template ", 17) == 0) {
-      if (arg_private) {
-         fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
-         exit(1);
-      }
-      cfg.private_template = ptr + 17;
-      fs_check_private_template();
-      arg_private_template = 1;
-
-      return 0;
-   }
-#endif   
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
                 if (arg_writable_etc) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7b519c8c2..8021ce9a3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -585,8 +585,19 @@ int sandbox(void* sandbox_arg) {
                         fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
                 else if (arg_overlay)
                         fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
-                else
+                else {
+                        // for --x11=xorg we need to add xauth command
+                        if (arg_x11_xorg) {
+                                EUID_USER();
+                                char *tmp;
+                                if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
+                                        errExit("asprintf");
+                                cfg.bin_private_keep = tmp;
+                                fs_check_bin_list();
+                                EUID_ROOT();
+                        }
                         fs_private_bin_list();
+                }
         }
         
         if (arg_private_tmp) {
@@ -784,6 +795,8 @@ int sandbox(void* sandbox_arg) {
         
         // clean /tmp/.X11-unix sockets
         fs_x11();
+        if (arg_x11_xorg)
+                x11_xorg();
         
         //****************************
         // set security filters
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 903817099..7db91b5a9 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -282,10 +282,13 @@ void usage(void) {
         printf("    --writable-etc - /etc directory is mounted read-write.\n\n");
         printf("    --writable-var - /var directory is mounted read-write.\n\n");
         
-        printf("    --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
-        printf("\tthen it checks if Xephyr is installed.\n\n");
-        printf("    --x11=xpra - enable Xpra X11 server.\n\n");
+        printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
+        printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
+        printf("\tattempt to use X11 security extension.\n\n");
+        printf("    --x11=none - disable access to X11 sockets.\n\n");
         printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n");
+        printf("    --x11=xorg - enable X11 security extension.\n\n");
+        printf("    --x11=xpra - enable Xpra X11 server.\n\n");
         printf("    --zsh - use /usr/bin/zsh as default shell.\n\n");
         printf("\n");
         printf("\n");
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index def1dd324..d40d349e1 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -629,3 +629,73 @@ void x11_block(void) {
         env_store("XAUTHORITY", RMENV);
 #endif
 }
+
+void x11_xorg(void) {
+#ifdef HAVE_X11
+        // destination
+        char *dest;
+        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(dest, &s) == -1) {
+                // create an .Xauthority file
+                FILE *fp = fopen(dest, "w");
+                if (!fp)
+                        errExit("fopen");
+                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+                fclose(fp);
+        }
+
+        if (stat("/usr/bin/xauth", &s) == -1) {
+                fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n");
+                exit(1);
+        }
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // generate a new .Xauthority file
+                if (arg_debug)
+                        printf("Generating a new .Xauthority file\n");
+
+                // elevate privileges - files in /run/firejail/mnt directory belong to root
+                if (setreuid(0, 0) < 0)
+                        errExit("setreuid");
+                if (setregid(0, 0) < 0)
+                        errExit("setregid");
+                
+                char *display = getenv("DISPLAY");
+                if (!display)
+                        display = ":0.0";
+                        
+                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
+                
+                exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+
+        // check the file was created and set mode and ownership
+        if (stat(RUN_XAUTHORITY_SEC_FILE, &s) == -1) {
+                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+                exit(1);
+        }
+        if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1)
+                errExit("chown");
+        if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1)
+                errExit("chmod");
+        
+        // mount
+        if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) {
+                fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
+                exit(1);
+        }
+        if (chown(dest, getuid(), getgid()) == -1)
+                errExit("chown");
+        if (chmod(dest, 0600) == -1)
+                errExit("chmod");
+        free(dest);
+#endif  
+}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index f4b2c22fa..d420fab7a 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -279,16 +279,19 @@ There is no root account (uid 0) defined in the namespace.
 \fBx11
 Enable X11 sandboxing.
 .TP
-\fBx11 xpra
-Enable X11 sandboxing with xpra.
-.TP
-\fBx11 xephyr
-Enable X11 sandboxing with xephyr.
-.TP
 \fBx11 none
 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 xorg
+Enable X11 sandboxing with X11 security extension.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
 
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index aadc54677..4aebb71e8 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1662,15 +1662,17 @@ $ sudo firejail --writable-var
 
 .TP
 \fB\-\-x11
-Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
-The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
-applications started in the sandbox from accessing other X11 displays.
-A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+Sandbox the application using Xpra, Xephyr or Xorg security extension.
+The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
+clients running outside the sandbox.
+Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+If all fails, Firejail will not attempt to use X11 security extension.
 .br
 
-br
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
-This feature is not available when running as root. 
+.br
+Xpra and Xephyr modes require a network namespace to be instantiated in order to disable
+X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
+by adding "-nolisten local" on Xorg command line.
 .br
 
 .br
@@ -1679,31 +1681,30 @@ Example:
 $ firejail \-\-x11 --net=eth0 firefox
 
 .TP
-\fB\-\-x11=xpra
-Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
-Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
-On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
-This feature is not available when running as root.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-x11=xpra --net=eth0 firefox
+\fB\-\-x11=none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
 
 .TP
 \fB\-\-x11=xephyr
-Start a new X11 server using Xephyr and attach the sandbox to this server.
+Start Xephyr and attach the sandbox to this server.
 Xephyr is a display server implementing the X11 display server protocol.
-It runs in a window just like other X applications, but it is an X server itself in which you can run other software.
-The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file,
-see \fBman 5 firejail-config\fR for more details.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+
+.br
+Xephyr runs in a window just like any other X11 application. The default window size is 800x600.
+This can be modified in /etc/firejail/firejail.config file.
 .br
 
 .br
 The recommended way to use this feature is to run a window manager inside the sandbox.
 A security profile for OpenBox is provided.
-On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
+.br
+
+.br
+Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
 This feature is not available when running as root. 
 .br
 
@@ -1713,11 +1714,40 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 
 .TP
-\fB\-\-x11=none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
-Remove DISPLAY and XAUTHORITY environment variables.
-Stop with error message if X11 abstract socket will be accessible in jail.
+\fB\-\-x11=xorg
+Sandbox the application using the untrusted mode implemented by X11 security extension. 
+The extension is available in Xorg package
+and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted 
+connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
+contents of other clients, stealing input events, etc.
+
+The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
+Firefox and transmission-gtk seem to be working fine.
+A network namespace is not required for this option.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-x11=xorg firefox
+
+.TP
+\fB\-\-x11=xpra
+Start Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+
+.br
+On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+This feature is not available when running as root.
+.br
+
 .br
+Example:
+.br
+$ firejail \-\-x11=xpra --net=eth0 firefox
 
 .TP
 \fB\-\-zsh