Diffstat (limited to 'src/firejail/x11.c')
-rw-r--r--src/firejail/x11.c10
1 files changed, 10 insertions, 0 deletions
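diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 7d02701c9..9a15a06c8 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/statvfs.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
@@ -1163,6 +1164,9 @@ void x11_xorg(void) {
 	unlink(tmpfname);
 	umount("/tmp");
 
+	// remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
+	fs_noexec(RUN_XAUTHORITY_SEC_FILE);
+
 	// Ensure there is already a file in the usual location, so that bind-mount below will work.
 	char *dest;
 	if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
@@ -1184,6 +1188,12 @@ void x11_xorg(void) {
 		fprintf(stderr, "Error: .Xauthority is not a user owned regular file\n");
 		exit(1);
 	}
+	// preserve a read-only mount
+	struct statvfs vfs;
+	if (fstatvfs(fd, &vfs) == -1)
+		errExit("fstatvfs");
+	if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
+		fs_rdonly(RUN_XAUTHORITY_SEC_FILE);
 
 	// mount via the link in /proc/self/fd
 	char *proc;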
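Review bot: The read-only test added in the third hunk masks `vfs.f_flag` with `MS_RDONLY`, which is the mount(2) flag from <sys/mount.h>, whereas the flag word filled in by fstatvfs(3) is specified in terms of `ST_RDONLY` from the <sys/statvfs.h> header the first hunk adds. On Linux/glibc both constants are 1, so the check behaves correctly today, but it depends on that coincidence rather than on the documented statvfs interface, and a mismatch would silently skip the `fs_rdonly()` hardening rather than fail loudly. `if (vfs.f_flag & ST_RDONLY)` states the intent directly and also drops the redundant `== MS_RDONLY` comparison. The `fd` being queried and the rest of x11_xorg() are outside the hunk; from the adjacent "user owned regular file" error I take fd to be the opened ~/.Xauthority, but that should be confirmed against the surrounding code.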