diff options
Diffstat (limited to 'src/firejail/x11.c')
| -rw-r--r-- | src/firejail/x11.c | 25 |
1 files changed, 7 insertions, 18 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index f4f093138..afe77e246 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
| @@ -1276,12 +1276,7 @@ void x11_xorg(void) { | |||
| 1276 | // mount via the link in /proc/self/fd | 1276 | // mount via the link in /proc/self/fd |
| 1277 | if (arg_debug) | 1277 | if (arg_debug) |
| 1278 | printf("Mounting %s on %s\n", tmpfname, dest); | 1278 | printf("Mounting %s on %s\n", tmpfname, dest); |
| 1279 | char *proc_src, *proc_dst; | 1279 | if (bind_mount_by_fd(src, dst)) { |
| 1280 | if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1) | ||
| 1281 | errExit("asprintf"); | ||
| 1282 | if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) | ||
| 1283 | errExit("asprintf"); | ||
| 1284 | if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) { | ||
| 1285 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); | 1280 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); |
| 1286 | exit(1); | 1281 | exit(1); |
| 1287 | } | 1282 | } |
| @@ -1289,8 +1284,6 @@ void x11_xorg(void) { | |||
| 1289 | MountData *mptr = get_last_mount(); | 1284 | MountData *mptr = get_last_mount(); |
| 1290 | if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) | 1285 | if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) |
| 1291 | errLogExit("invalid .Xauthority mount"); | 1286 | errLogExit("invalid .Xauthority mount"); |
| 1292 | free(proc_src); | ||
| 1293 | free(proc_dst); | ||
| 1294 | close(src); | 1287 | close(src); |
| 1295 | close(dst); | 1288 | close(dst); |
| 1296 | 1289 | ||
| @@ -1336,6 +1329,8 @@ void fs_x11(void) { | |||
| 1336 | return; | 1329 | return; |
| 1337 | } | 1330 | } |
| 1338 | 1331 | ||
| 1332 | // the mount source is under control of the user, so be careful and | ||
| 1333 | // mount without following symbolic links, using a file descriptor | ||
| 1339 | char *x11file; | 1334 | char *x11file; |
| 1340 | if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) | 1335 | if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) |
| 1341 | errExit("asprintf"); | 1336 | errExit("asprintf"); |
| @@ -1344,10 +1339,10 @@ void fs_x11(void) { | |||
| 1344 | free(x11file); | 1339 | free(x11file); |
| 1345 | return; | 1340 | return; |
| 1346 | } | 1341 | } |
| 1347 | struct stat x11stat; | 1342 | struct stat s3; |
| 1348 | if (fstat(src, &x11stat) < 0) | 1343 | if (fstat(src, &s3) < 0) |
| 1349 | errExit("fstat"); | 1344 | errExit("fstat"); |
| 1350 | if (!S_ISSOCK(x11stat.st_mode)) { | 1345 | if (!S_ISSOCK(s3.st_mode)) { |
| 1351 | close(src); | 1346 | close(src); |
| 1352 | free(x11file); | 1347 | free(x11file); |
| 1353 | return; | 1348 | return; |
| @@ -1367,14 +1362,8 @@ void fs_x11(void) { | |||
| 1367 | if (dst < 0) | 1362 | if (dst < 0) |
| 1368 | errExit("open"); | 1363 | errExit("open"); |
| 1369 | 1364 | ||
| 1370 | char *proc_src, *proc_dst; | 1365 | if (bind_mount_by_fd(src, dst)) |
| 1371 | if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1 || | ||
| 1372 | asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) | ||
| 1373 | errExit("asprintf"); | ||
| 1374 | if (mount(proc_src, proc_dst, NULL, MS_BIND | MS_REC, NULL) < 0) | ||
| 1375 | errExit("mount bind"); | 1366 | errExit("mount bind"); |
| 1376 | free(proc_src); | ||
| 1377 | free(proc_dst); | ||
| 1378 | close(src); | 1367 | close(src); |
| 1379 | close(dst); | 1368 | close(dst); |
| 1380 | fs_logger2("whitelist", x11file); | 1369 | fs_logger2("whitelist", x11file); |