5 files changed, 58 insertions, 16 deletions
diff --git a/RELNOTES b/RELNOTES
index ba90eaece..ef95a1bc0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -30,6 +30,7 @@ firejail (0.9.46-rc1) baseline; urgency=low
  * feature: config support to disable join (join)
  * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
  * feature: support overlay, overlay-named and overlay-tmpfs in profile files
+  * feature: allow PulseAudio sockets in --private-tmp
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8831d07f0..09fadcf34 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -408,6 +408,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 025e715e6..ac68e7738 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1214,4 +1214,46 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
+// this function is called from sandbox.c before blacklist/whitelist functions
+void fs_private_tmp(void) {
+        // check XAUTHORITY file, KDE keeps it under /tmp
+        char *xauth = getenv("XAUTHORITY");
+        if (xauth) {
+                char *rp = realpath(xauth, NULL);
+                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                        char *cmd;
+                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                errExit("asprintf");
+                        profile_add(cmd); // profile_add does not duplicate the string
+                }
+                if (rp)
+                        free(rp);
+        }
+        
+        // whitelist x11 directory
+        profile_add("whitelist /tmp/.X11-unix");
+        
+        // whitelist any pulse* file in /tmp directory
+        // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
+        DIR *dir;
+        if (!(dir = opendir("/tmp"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/tmp"))) {
+                        return;
+                }
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strncmp(entry->d_name, "pulse-", 6) == 0) {
+                        char *cmd;
+                        if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
+                                errExit("asprintf");
+                        profile_add(cmd); // profile_add does not duplicate the string
+                }
+        }
+        closedir(dir);
+}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 35ca4ff2d..e6deddac5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -741,21 +741,7 @@ int sandbox(void* sandbox_arg) {
                else {
                        // private-tmp is implemented as a whitelist
                        EUID_USER();
-                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        fs_private_tmp();
-                        char *xauth = getenv("XAUTHORITY");
-                        if (xauth) {
-                                char *rp = realpath(xauth, NULL);
-                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
-                                        char *cmd;
-                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
-                                                errExit("asprintf");
-                                        profile_add(cmd); // profile_add does not duplicate the string
-                                }
-                                if (rp)
-                                        free(rp);
-                        }
-                        // whitelist x11 directory
-                        profile_add("whitelist /tmp/.X11-unix");
                        EUID_ROOT();
                }
        }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c481da8d2..bc4c3f19a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1278,13 +1278,25 @@ Example:
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting X11 and PulseAudio sockets.
 .br
 .br
 Example:
 .br
 $ firejail \-\-private-tmp
+.br
+$ ls -al /tmp
+.br
+drwxrwxrwt  4 nobody nogroup   80 Apr 30 11:46 .
+.br
+drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
+.br
+drwx------  2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
+.br
+drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
+.br
 .TP
 \fB\-\-profile=filename

diff --git a/RELNOTES b/RELNOTES index ba90eaece..ef95a1bc0 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -30,6 +30,7 @@ firejail (0.9.46-rc1) baseline; urgency=low
30	* feature: config support to disable join (join)	30	* feature: config support to disable join (join)
31	* feature: disabled Go, Rust, and OpenSSL in disable-devel.conf	31	* feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
32	* feature: support overlay, overlay-named and overlay-tmpfs in profile files	32	* feature: support overlay, overlay-named and overlay-tmpfs in profile files
		33	* feature: allow PulseAudio sockets in --private-tmp
33	* new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,	34	* new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
34	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,	35	* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
35	* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,	36	* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8831d07f0..09fadcf34 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -408,6 +408,7 @@ void fs_overlayfs(void);
408	// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf	408	// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
409	void fs_chroot(const char *rootdir);	409	void fs_chroot(const char *rootdir);
410	void fs_check_chroot_dir(const char *rootdir);	410	void fs_check_chroot_dir(const char *rootdir);
		411	void fs_private_tmp(void);
411		412
412	// profile.c	413	// profile.c
413	// find and read the profile specified by name from dir directory	414	// find and read the profile specified by name from dir directory


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 025e715e6..ac68e7738 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -1214,4 +1214,46 @@ void fs_chroot(const char *rootdir) {
1214	}	1214	}
1215	#endif	1215	#endif
1216		1216
		1217	// this function is called from sandbox.c before blacklist/whitelist functions
		1218	void fs_private_tmp(void) {
		1219	// check XAUTHORITY file, KDE keeps it under /tmp
		1220	char *xauth = getenv("XAUTHORITY");
		1221	if (xauth) {
		1222	char *rp = realpath(xauth, NULL);
		1223	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
		1224	char *cmd;
		1225	if (asprintf(&cmd, "whitelist %s", rp) == -1)
		1226	errExit("asprintf");
		1227	profile_add(cmd); // profile_add does not duplicate the string
		1228	}
		1229	if (rp)
		1230	free(rp);
		1231	}
		1232
		1233	// whitelist x11 directory
		1234	profile_add("whitelist /tmp/.X11-unix");
		1235
		1236	// whitelist any pulse* file in /tmp directory
		1237	// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
		1238	DIR *dir;
		1239	if (!(dir = opendir("/tmp"))) {
		1240	// sleep 2 seconds and try again
		1241	sleep(2);
		1242	if (!(dir = opendir("/tmp"))) {
		1243	return;
		1244	}
		1245	}
1217		1246
		1247	struct dirent *entry;
		1248	while ((entry = readdir(dir))) {
		1249	if (strncmp(entry->d_name, "pulse-", 6) == 0) {
		1250	char *cmd;
		1251	if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
		1252	errExit("asprintf");
		1253	profile_add(cmd); // profile_add does not duplicate the string
		1254	}
		1255	}
		1256	closedir(dir);
		1257
		1258
		1259	}


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 35ca4ff2d..e6deddac5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -741,21 +741,7 @@ int sandbox(void* sandbox_arg) {
741	else {	741	else {
742	// private-tmp is implemented as a whitelist	742	// private-tmp is implemented as a whitelist
743	EUID_USER();	743	EUID_USER();
744	// check XAUTHORITY file, KDE keeps it under /tmp	744	fs_private_tmp();
745	char *xauth = getenv("XAUTHORITY");
746	if (xauth) {
747	char *rp = realpath(xauth, NULL);
748	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
749	char *cmd;
750	if (asprintf(&cmd, "whitelist %s", rp) == -1)
751	errExit("asprintf");
752	profile_add(cmd); // profile_add does not duplicate the string
753	}
754	if (rp)
755	free(rp);
756	}
757	// whitelist x11 directory
758	profile_add("whitelist /tmp/.X11-unix");
759	EUID_ROOT();	745	EUID_ROOT();
760	}	746	}
761	}	747	}


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c481da8d2..bc4c3f19a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1278,13 +1278,25 @@ Example:
1278		1278
1279	.TP	1279	.TP
1280	\fB\-\-private-tmp	1280	\fB\-\-private-tmp
1281	Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.	1281	Mount an empty temporary filesystem on top of /tmp directory whitelisting X11 and PulseAudio sockets.
1282	.br	1282	.br
1283		1283
1284	.br	1284	.br
1285	Example:	1285	Example:
1286	.br	1286	.br
1287	$ firejail \-\-private-tmp	1287	$ firejail \-\-private-tmp
		1288	.br
		1289	$ ls -al /tmp
		1290	.br
		1291	drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
		1292	.br
		1293	drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
		1294	.br
		1295	drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
		1296	.br
		1297	drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
		1298	.br
		1299
1288		1300
1289	.TP	1301	.TP
1290	\fB\-\-profile=filename	1302	\fB\-\-profile=filename