16 files changed, 140 insertions, 122 deletions
diff --git a/Makefile.in b/Makefile.in
index f1002f892..890ba1b0a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -18,15 +18,16 @@ HAVE_SUID=@HAVE_SUID@
 all: all_items man filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
-SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/ftee/ftee
+SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
-SBOX_APPS += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 endif
-ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS)
+ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 .PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
@@ -43,7 +44,7 @@ $(MANPAGES): $(wildcard src/man/*.txt)
 man: $(MANPAGES)
-filters: $(SECCOMP_FILTERS) $(SBOX_APPS)
+filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
        src/fseccomp/fseccomp default seccomp
@@ -106,7 +107,10 @@ endif
        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+        # non-dumpable plugins
+        install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
+        # contrib scripts
        install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
        # vim syntax
        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 83d9c17e6..67237b4ea 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -23,6 +23,7 @@
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
+#include <sys/prctl.h>
 #if HAVE_SELINUX
 #include <sys/stat.h>
@@ -411,6 +412,11 @@ int main(int argc, char **argv) {
                exit(1);
        }
+#ifdef WARN_DUMPABLE
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+                fprintf(stderr, "Error fcopy: I am dumpable\n");
+#endif
        // trim trailing chars
        if (src[strlen(src) - 1] == '/')
                src[strlen(src) - 1] = '\0';
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 412c6148a..1ffa6158c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1305,6 +1305,10 @@ int main(int argc, char **argv, char **envp) {
        }
        EUID_ASSERT();
+#ifdef WARN_DUMPABLE
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+                fprintf(stderr, "Error: Firejail is dumpable\n");
+#endif
        // check for force-nonewprivs in /etc/firejail/firejail.config file
        if (checkcfg(CFG_FORCE_NONEWPRIVS))
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 57c21ce78..a92d62940 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -48,6 +48,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
        if (cfg.seccomp_error_action)
                if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1)
                        errExit("asprintf");
+        new_environment[env_index++] = "FIREJAIL_PLUGIN="; // always set
        if (filtermask & SBOX_STDIN_FROM_FILE) {
                int fd;
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index ba54ca376..e10abad4e 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -34,7 +34,7 @@
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
@@ -1129,28 +1129,17 @@ void x11_start(int argc, char **argv) {
 }
 #endif
-// Porting notes:
-//
-// 1. merge #1100 from zackw:
-//     Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8
-//     with this message:
-//            xauth:  timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4
-//            Failed to create untrusted X cookie: xauth: exit 1
-//     For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was
-//     a partial merge.
-//
-// 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home
-// directory, we need to make sure /usr/bin/xauth executable is the real thing, and not
-// something picked up on $PATH.
-//
-// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens
-// when using a network namespace. Somehow, xauth tries to connect to the abstract socket,
-// and it fails because of the network namespace - it should try to connect to the regular
-// Unix socket! If we ignore the fail condition, the program will be started on X server without
-// the security extension loaded.
 void x11_xorg(void) {
 #ifdef HAVE_X11
+        // get DISPLAY env
+        char *display = getenv("DISPLAY");
+        if (!display) {
+                fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr);
+                exit(1);
+        }
        // check xauth utility is present in the system
        struct stat s;
        if (stat("/usr/bin/xauth", &s) == -1) {
@@ -1160,26 +1149,27 @@ void x11_xorg(void) {
                fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-xauth\n");
                exit(1);
        }
-        if (s.st_uid != 0 && s.st_gid != 0) {
+        if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
                exit(1);
        }
+        if (s.st_size > 1024 * 1024) {
-        // get DISPLAY env
+                fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
-        char *display = getenv("DISPLAY");
-        if (!display) {
-                fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr);
                exit(1);
        }
+        // copy /usr/bin/xauth in the sandbox and set mode to 0711
-        // temporarily mount a tempfs on top of /tmp directory
+        // users are not able to trace the running xauth this way
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=1777,gid=0") < 0)
-                errExit("mounting /tmp");
-        // create the temporary .Xauthority file
        if (arg_debug)
-                printf("Generating a new .Xauthority file\n");
+                printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
-        char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
+        if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
+                fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
+                exit(1);
+        }
+        fmessage("Generating a new .Xauthority file\n");
+        mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
+        // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
+        char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX";
        int fd = mkstemp(tmpfname);
        if (fd == -1) {
                fprintf(stderr, "Error: cannot create .Xauthority file\n");
@@ -1189,64 +1179,17 @@ void x11_xorg(void) {
                errExit("chown");
        close(fd);
-        pid_t child = fork();
+        // run xauth
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                drop_privs(1);
-                clearenv();
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                if (arg_debug) {
-                        execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
-                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
-                }
-                else {
-                        execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
-                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
-                }
-                _exit(127);
-        }
-        // wait for the xauth process to finish
-        int status;
-        if (waitpid(child, &status, 0) != child)
-                errExit("waitpid");
-        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
-                /* success */
-        }
-        else if (WIFEXITED(status)) {
-                fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n",
-                        WEXITSTATUS(status));
-                exit(1);
-        }
-        else if (WIFSIGNALED(status)) {
-                fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n",
-                        strsignal(WTERMSIG(status)));
-                exit(1);
-        }
-        else {
-                fprintf(stderr, "Failed to create untrusted X cookie: "
-                        "xauth: un-decodable exit status %04x\n", status);
-                exit(1);
-        }
-        // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
-        // automatically when the sandbox is closed (rename doesn't work)
        if (arg_debug)
-                printf("Copying the new .Xauthority file\n");
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 8, RUN_XAUTH_FILE, "-v", "-f", tmpfname,
-        copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600);
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
-        
+        else
-        /* coverity[toctou] */
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname,
-        unlink(tmpfname);
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
-        umount("/tmp");
+        // remove xauth copy
+        unlink(RUN_XAUTH_FILE);
-        // mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
-        fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
-        // Ensure there is already a file in the usual location, so that bind-mount below will work.
+        // ensure there is already a file ~/.Xauthority, so that bind-mount below will work.
        char *dest;
        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                errExit("asprintf");
@@ -1257,13 +1200,12 @@ void x11_xorg(void) {
                        exit(1);
                }
        }
+        // get a file descriptor for ~/.Xauthority
-        // get a file descriptor for .Xauthority
+        int dst = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (dst == -1)
-        if (fd == -1)
                errExit("safe_fd");
        // check if the actual mount destination is a user owned regular file
-        if (fstat(fd, &s) == -1)
+        if (fstat(dst, &s) == -1)
                errExit("fstat");
        if (!S_ISREG(s.st_mode) || s.st_uid != getuid()) {
                if (S_ISLNK(s.st_mode))
@@ -1274,31 +1216,49 @@ void x11_xorg(void) {
        }
        // preserve a read-only mount
        struct statvfs vfs;
-        if (fstatvfs(fd, &vfs) == -1)
+        if (fstatvfs(dst, &vfs) == -1)
                errExit("fstatvfs");
        if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
-                fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY, 0);
+                fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_READONLY, 0);
+        // always mounting the new Xauthority file noexec,nodev,nosuid
+        fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_NOEXEC, 0);
+        // get a file descriptor for the new Xauthority file
+        int src = safe_fd(tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src == -1)
+                errExit("safe_fd");
+        if (fstat(src, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                errno = EPERM;
+                errExit("mounting Xauthority file");
+        }
        // mount via the link in /proc/self/fd
        if (arg_debug)
-                printf("Mounting %s on %s\n", RUN_XAUTHORITY_SEC_FILE, dest);
+                printf("Mounting %s on %s\n", tmpfname, dest);
-        char *proc;
+        char *proc_src, *proc_dst;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
+                errExit("asprintf");
+        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
                errExit("asprintf");
-        if (mount(RUN_XAUTHORITY_SEC_FILE, proc, "none", MS_BIND, "mode=0600") == -1) {
+        if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) {
                fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                exit(1);
        }
-        free(proc);
-        close(fd);
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
        if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                errLogExit("invalid .Xauthority mount");
+        free(proc_src);
+        free(proc_dst);
+        close(src);
+        close(dst);
        ASSERT_PERMS(dest, getuid(), getgid(), 0600);
-        // blacklist .Xauthority file if it is not masked already
+        // blacklist user .Xauthority file if it is not masked already
        char *envar = getenv("XAUTHORITY");
        if (envar) {
                char *rp = realpath(envar, NULL);
@@ -1312,6 +1272,11 @@ void x11_xorg(void) {
        if (setenv("XAUTHORITY", dest, 1) < 0)
                errExit("setenv");
        free(dest);
+        // mask RUN_XAUTHORITY_SEC_DIR
+        if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR);
 #endif
 }
diff --git a/src/fldd/main.c b/src/fldd/main.c
index dd22e601e..d68504f6b 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -24,6 +24,7 @@
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
+#include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -302,6 +303,11 @@ printf("\n");
                return 0;
        }
+#ifdef WARN_DUMPABLE
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+                fprintf(stderr, "Error fldd: I am dumpable\n");
+#endif
        // check program access
        if (access(argv[1], R_OK)) {
                fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]);
diff --git a/src/fnet/main.c b/src/fnet/main.c
index 95e12164e..f6316a7fe 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -21,6 +21,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/utsname.h>
+#include <sys/prctl.h>
 int arg_quiet = 0;
@@ -64,16 +65,19 @@ printf("\n");
                usage();
                return 1;
        }
-        char *quiet = getenv("FIREJAIL_QUIET");
-        if (quiet && strcmp(quiet, "yes") == 0)
-                arg_quiet = 1;
        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
                usage();
                return 0;
        }
-        else if (argc == 3 && strcmp(argv[1], "ifup") == 0) {
+#ifdef WARN_DUMPABLE
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+                fprintf(stderr, "Error fnet: I am dumpable\n");
+#endif
+        char *quiet = getenv("FIREJAIL_QUIET");
+        if (quiet && strcmp(quiet, "yes") == 0)
+                arg_quiet = 1;
+        if (argc == 3 && strcmp(argv[1], "ifup") == 0) {
                net_if_up(argv[2]);
        }
        else if (argc == 2 && strcmp(argv[1], "printif") == 0) {
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 8124beb1a..1ca35ab56 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -18,6 +18,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "../include/common.h"
+#include <sys/prctl.h>
 #define MAXBUF 4098
 #define MAXARGS 16
@@ -180,7 +181,10 @@ printf("\n");
                usage();
                return 1;
        }
+#ifdef WARN_DUMPABLE
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+                fprintf(stderr, "Error fnetfilter: I am dumpable\n");
+#endif
        char *destfile = (argc == 3)? argv[2]: argv[1];
        char *command = (argc == 3)? argv[1]: NULL;
 //printf("command %s\n", command);
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h
index 211111641..034fde2ac 100644
--- a/src/fsec-optimize/fsec_optimize.h
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
+#include <sys/prctl.h>
 // optimize.c
 struct sock_filter *duplicate(struct sock_filter *filter, int entries);
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index 416d85b88..fb13eeca8 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -44,6 +44,12 @@ printf("\n");
                return 0;
        }
+#ifdef WARN_DUMPABLE
+        // check FIREJAIL_PLUGIN in order to not print a warning during make
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
+                fprintf(stderr, "Error fsec-optimize: I am dumpable\n");
+#endif
        char *fname = argv[1];
        // open input file
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
index 337199288..9d17e3f18 100644
--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -23,6 +23,7 @@
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <sys/mman.h>
+#include <sys/prctl.h>
 // print.c
 void print(struct sock_filter *filter, int entries);
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index ade45c881..d1f056e47 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -61,6 +61,11 @@ printf("\n");
                return 0;
        }
+#ifdef WARN_DUMPABLE
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+                fprintf(stderr, "Error fsec-print: I am dumpable\n");
+#endif
        char *fname = argv[1];
        // open input file
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index e8dd083b6..e40999938 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
+#include <sys/prctl.h>
 #include "../include/common.h"
 #include "../include/syscall.h"
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 3b3c92b46..f505ca0f3 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -64,6 +64,16 @@ printf("\n");
                usage();
                return 1;
        }
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+#ifdef WARN_DUMPABLE
+        // check FIREJAIL_PLUGIN in order to not print a warning during make
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
+                fprintf(stderr, "Error fseccomp: I am dumpable\n");
+#endif
        char *quiet = getenv("FIREJAIL_QUIET");
        if (quiet && strcmp(quiet, "yes") == 0)
@@ -83,11 +93,7 @@ printf("\n");
                }
        }
-        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+        if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
-                usage();
-                return 0;
-        }
-        else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
                syscall_print();
        else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0)
                syscall_print_32();
diff --git a/src/include/common.h b/src/include/common.h
index c65ba0d55..025f3c247 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -34,6 +34,9 @@
 #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
+// check if processes run with dumpable flag set
+#define WARN_DUMPABLE
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
 ((int) (((A) >> 24) & 0xFF)),  ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF))
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index f8bcdec52..d56623907 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -99,8 +99,9 @@
 #define RUN_WHITELIST_SHARE_DIR         RUN_MNT_DIR "/orig-share"
 #define RUN_WHITELIST_MODULE_DIR        RUN_MNT_DIR "/orig-module"
-#define RUN_XAUTHORITY_FILE             RUN_MNT_DIR "/.Xauthority"
+#define RUN_XAUTHORITY_FILE             RUN_MNT_DIR "/.Xauthority"              // private options
-#define RUN_XAUTHORITY_SEC_FILE         RUN_MNT_DIR "/sec.Xauthority"
+#define RUN_XAUTH_FILE                  RUN_MNT_DIR "/xauth"                    // x11=xorg
+#define RUN_XAUTHORITY_SEC_DIR          RUN_MNT_DIR "/.sec.Xauthority"          // x11=xorg
 #define RUN_ASOUNDRC_FILE               RUN_MNT_DIR "/.asoundrc"
 #define RUN_HOSTNAME_FILE               RUN_MNT_DIR "/hostname"
 #define RUN_HOSTS_FILE                  RUN_MNT_DIR "/hosts"