diff options
Diffstat (limited to 'src/firejail/x11.c')
| -rw-r--r-- | src/firejail/x11.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 09956b903..0619ff380 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
| @@ -1204,14 +1204,13 @@ void x11_xorg(void) { | |||
| 1204 | fmessage("Generating a new .Xauthority file\n"); | 1204 | fmessage("Generating a new .Xauthority file\n"); |
| 1205 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); | 1205 | mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); |
| 1206 | // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR | 1206 | // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR |
| 1207 | EUID_USER(); | ||
| 1207 | char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX"; | 1208 | char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX"; |
| 1208 | int fd = mkstemp(tmpfname); | 1209 | int fd = mkstemp(tmpfname); |
| 1209 | if (fd == -1) { | 1210 | if (fd == -1) { |
| 1210 | fprintf(stderr, "Error: cannot create .Xauthority file\n"); | 1211 | fprintf(stderr, "Error: cannot create .Xauthority file\n"); |
| 1211 | exit(1); | 1212 | exit(1); |
| 1212 | } | 1213 | } |
| 1213 | if (fchown(fd, getuid(), getgid()) == -1) | ||
| 1214 | errExit("chown"); | ||
| 1215 | close(fd); | 1214 | close(fd); |
| 1216 | 1215 | ||
| 1217 | // run xauth | 1216 | // run xauth |
| @@ -1221,8 +1220,6 @@ void x11_xorg(void) { | |||
| 1221 | else | 1220 | else |
| 1222 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname, | 1221 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname, |
| 1223 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted"); | 1222 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted"); |
| 1224 | // remove xauth copy | ||
| 1225 | unlink(RUN_XAUTH_FILE); | ||
| 1226 | 1223 | ||
| 1227 | // ensure there is already a file ~/.Xauthority, so that bind-mount below will work. | 1224 | // ensure there is already a file ~/.Xauthority, so that bind-mount below will work. |
| 1228 | char *dest; | 1225 | char *dest; |
| @@ -1273,10 +1270,12 @@ void x11_xorg(void) { | |||
| 1273 | // mount via the link in /proc/self/fd | 1270 | // mount via the link in /proc/self/fd |
| 1274 | if (arg_debug) | 1271 | if (arg_debug) |
| 1275 | printf("Mounting %s on %s\n", tmpfname, dest); | 1272 | printf("Mounting %s on %s\n", tmpfname, dest); |
| 1273 | EUID_ROOT(); | ||
| 1276 | if (bind_mount_by_fd(src, dst)) { | 1274 | if (bind_mount_by_fd(src, dst)) { |
| 1277 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); | 1275 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); |
| 1278 | exit(1); | 1276 | exit(1); |
| 1279 | } | 1277 | } |
| 1278 | EUID_USER(); | ||
| 1280 | // check /proc/self/mountinfo to confirm the mount is ok | 1279 | // check /proc/self/mountinfo to confirm the mount is ok |
| 1281 | MountData *mptr = get_last_mount(); | 1280 | MountData *mptr = get_last_mount(); |
| 1282 | if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) | 1281 | if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) |
| @@ -1289,9 +1288,10 @@ void x11_xorg(void) { | |||
| 1289 | // blacklist user .Xauthority file if it is not masked already | 1288 | // blacklist user .Xauthority file if it is not masked already |
| 1290 | const char *envar = env_get("XAUTHORITY"); | 1289 | const char *envar = env_get("XAUTHORITY"); |
| 1291 | if (envar) { | 1290 | if (envar) { |
| 1292 | char *rp = realpath_as_user(envar); | 1291 | char *rp = realpath(envar, NULL); |
| 1293 | if (rp) { | 1292 | if (rp) { |
| 1294 | if (strcmp(rp, dest) != 0) | 1293 | if (strcmp(rp, dest) != 0) |
| 1294 | // disable_file_or_dir returns with EUID 0 | ||
| 1295 | disable_file_or_dir(rp); | 1295 | disable_file_or_dir(rp); |
| 1296 | free(rp); | 1296 | free(rp); |
| 1297 | } | 1297 | } |
| @@ -1301,9 +1301,13 @@ void x11_xorg(void) { | |||
| 1301 | free(dest); | 1301 | free(dest); |
| 1302 | 1302 | ||
| 1303 | // mask RUN_XAUTHORITY_SEC_DIR | 1303 | // mask RUN_XAUTHORITY_SEC_DIR |
| 1304 | EUID_ROOT(); | ||
| 1304 | if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 1305 | if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
| 1305 | errExit("mounting tmpfs"); | 1306 | errExit("mounting tmpfs"); |
| 1306 | fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR); | 1307 | fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR); |
| 1308 | |||
| 1309 | // cleanup | ||
| 1310 | unlink(RUN_XAUTH_FILE); | ||
| 1307 | #endif | 1311 | #endif |
| 1308 | } | 1312 | } |
| 1309 | 1313 | ||
| @@ -1352,6 +1356,7 @@ void fs_x11(void) { | |||
| 1352 | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, | 1356 | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, |
| 1353 | "mode=1777,uid=0,gid=0") < 0) | 1357 | "mode=1777,uid=0,gid=0") < 0) |
| 1354 | errExit("mounting tmpfs on /tmp/.X11-unix"); | 1358 | errExit("mounting tmpfs on /tmp/.X11-unix"); |
| 1359 | selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix"); | ||
| 1355 | fs_logger("tmpfs /tmp/.X11-unix"); | 1360 | fs_logger("tmpfs /tmp/.X11-unix"); |
| 1356 | 1361 | ||
| 1357 | // create an empty root-owned file which will have the desired socket bind-mounted over it | 1362 | // create an empty root-owned file which will have the desired socket bind-mounted over it |