Diffstat (limited to 'src/firejail/x11.c')
-rw-r--r-- | src/firejail/x11.c | 10 |
1 files changed, 10 insertions, 0 deletions
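--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/statvfs.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
@@ -1163,6 +1164,9 @@ void x11_xorg(void) {
 	unlink(tmpfname);
 	umount("/tmp");
 
+	// remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
+	fs_noexec(RUN_XAUTHORITY_SEC_FILE);
+
 	// Ensure there is already a file in the usual location, so that bind-mount below will work.
 	char *dest;
 	if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
@@ -1184,6 +1188,12 @@ void x11_xorg(void) {
 		fprintf(stderr, "Error: .Xauthority is not a user owned regular file\n");
 		exit(1);
 	}
+	// preserve a read-only mount
+	struct statvfs vfs;
+	if (fstatvfs(fd, &vfs) == -1)
+		errExit("fstatvfs");
+	if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
+		fs_rdonly(RUN_XAUTHORITY_SEC_FILE);
 
 	// mount via the link in /proc/self/fd
 	char *proc;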
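Review bot: The read-only test in the third hunk compares `vfs.f_flag` against `MS_RDONLY`, a mount(2) flag, while the flags that `fstatvfs` reports belong to the `ST_*` namespace declared in the newly included `<sys/statvfs.h>`; on glibc/Linux the two constants happen to share the value 1, so the check works today, but nothing guarantees the bit positions agree across implementations. Use `if (vfs.f_flag & ST_RDONLY)`, which is the constant POSIX defines for this field and also drops the redundant `== MS_RDONLY` comparison. Since fs_noexec() in the second hunk remounts the same path first, fs_rdonly() presumably re-applies the existing noexec/nodev/nosuid flags on its own remount rather than replacing them with a bare read-only flag set — that is not visible from this diff and is worth confirming. x11_xorg() starts and ends outside the hunks, so where `fd` comes from (presumably the user's .Xauthority opened earlier in the function) cannot be checked here.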