5 files changed, 77 insertions, 15 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 476ecbe10..67bcd996a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -92,6 +92,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // join
+                        else if (strncmp(ptr, "join ", 5) == 0) {
+                                if (strcmp(ptr + 5, "yes") == 0)
+                                        cfg_val[CFG_JOIN] = 1;
+                                else if (strcmp(ptr + 5, "no") == 0)
+                                        cfg_val[CFG_JOIN] = 0;
+                                else
+                                        goto errout;
+                        }
                        // x11
                        else if (strncmp(ptr, "x11 ", 4) == 0) {
                                if (strcmp(ptr + 4, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f85560588..dbb6c4d16 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -686,6 +686,7 @@ enum {
        CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
        CFG_DISABLE_MNT,
        CFG_CACHE_TMPFS,
+        CFG_JOIN,
        CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index db9a9c8cb..3dcc5c62d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
 #endif
        else if (strncmp(argv[i], "--join=", 7) == 0) {
-                logargs(argc, argv);
+                if (checkcfg(CFG_JOIN) || getuid() == 0) {
+                        logargs(argc, argv);
-                if (arg_shell_none) {
+        
-                        if (argc <= (i+1)) {
+                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                if (argc <= (i+1)) {
-                                exit(1);
+                                        fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                        exit(1);
+                                }
+                                cfg.original_program_index = i + 1;
                        }
-                        cfg.original_program_index = i + 1;
+        
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
+        
+                        // join sandbox by pid or by name
+                        pid_t pid = read_pid(argv[i] + 7);
+                        join(pid, argc, argv, i + 1);
+                        exit(0);
                }
+                else
-                if (!cfg.shell && !arg_shell_none)
+                        exit_err_feature("join");
-                        cfg.shell = guess_shell();
-                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 7);
-                join(pid, argc, argv, i + 1);
-                exit(0);
        }
        else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f26f8b06a..d1557e8b2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
                else {
                        // private-tmp is implemented as a whitelist
                        EUID_USER();
+                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        char *xauth = getenv("XAUTHORITY");
+                        if (xauth) {
+                                char *rp = realpath(xauth, NULL);
+                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                                        char *cmd;
+                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                                errExit("asprintf");
+                                        profile_add(cmd); // profile_add does not duplicate the string
+                                }
+                                if (rp)
+                                        free(rp);
+                        }
+                        // whitelist x11 directory
                        profile_add("whitelist /tmp/.X11-unix");
                        EUID_ROOT();
                }
diff --git a/src/include/syscall.h b/src/include/syscall.h
index c49760703..8852fcbd5 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1076,6 +1076,11 @@
        {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
        {"prlimit64", __NR_prlimit64},
@@ -1126,6 +1131,11 @@
        {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
        {"query_module", __NR_query_module},
@@ -1892,6 +1902,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __LP64__
 #ifdef SYS__sysctl
 #ifdef __NR__sysctl
@@ -2828,6 +2839,11 @@
        {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
        {"prlimit64", __NR_prlimit64},
@@ -2868,6 +2884,11 @@
        {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
        {"query_module", __NR_query_module},
@@ -3529,6 +3550,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __ILP32__
 #ifdef SYS_accept
 #ifdef __NR_accept
@@ -4430,6 +4452,11 @@
        {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
        {"prlimit64", __NR_prlimit64},
@@ -4470,6 +4497,11 @@
        {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_quotactl
 #ifdef __NR_quotactl
        {"quotactl", __NR_quotactl},
@@ -5111,3 +5143,5 @@
 #endif
 #endif
 #endif
+//#endif

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 476ecbe10..67bcd996a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -92,6 +92,15 @@ int checkcfg(int val) {
92	else	92	else
93	goto errout;	93	goto errout;
94	}	94	}
		95	// join
		96	else if (strncmp(ptr, "join ", 5) == 0) {
		97	if (strcmp(ptr + 5, "yes") == 0)
		98	cfg_val[CFG_JOIN] = 1;
		99	else if (strcmp(ptr + 5, "no") == 0)
		100	cfg_val[CFG_JOIN] = 0;
		101	else
		102	goto errout;
		103	}
95	// x11	104	// x11
96	else if (strncmp(ptr, "x11 ", 4) == 0) {	105	else if (strncmp(ptr, "x11 ", 4) == 0) {
97	if (strcmp(ptr + 4, "yes") == 0)	106	if (strcmp(ptr + 4, "yes") == 0)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f85560588..dbb6c4d16 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -686,6 +686,7 @@ enum {
686	CFG_FOLLOW_SYMLINK_PRIVATE_BIN,	686	CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
687	CFG_DISABLE_MNT,	687	CFG_DISABLE_MNT,
688	CFG_CACHE_TMPFS,	688	CFG_CACHE_TMPFS,
		689	CFG_JOIN,
689	CFG_MAX // this should always be the last entry	690	CFG_MAX // this should always be the last entry
690	};	691	};
691	extern char *xephyr_screen;	692	extern char *xephyr_screen;


diff --git a/src/firejail/main.c b/src/firejail/main.c index db9a9c8cb..3dcc5c62d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
615	}	615	}
616	#endif	616	#endif
617	else if (strncmp(argv[i], "--join=", 7) == 0) {	617	else if (strncmp(argv[i], "--join=", 7) == 0) {
618	logargs(argc, argv);	618	if (checkcfg(CFG_JOIN) \|\| getuid() == 0) {
619		619	logargs(argc, argv);
620	if (arg_shell_none) {	620
621	if (argc <= (i+1)) {	621	if (arg_shell_none) {
622	fprintf(stderr, "Error: --shell=none set, but no command specified\n");	622	if (argc <= (i+1)) {
623	exit(1);	623	fprintf(stderr, "Error: --shell=none set, but no command specified\n");
		624	exit(1);
		625	}
		626	cfg.original_program_index = i + 1;
624	}	627	}
625	cfg.original_program_index = i + 1;	628
		629	if (!cfg.shell && !arg_shell_none)
		630	cfg.shell = guess_shell();
		631
		632	// join sandbox by pid or by name
		633	pid_t pid = read_pid(argv[i] + 7);
		634	join(pid, argc, argv, i + 1);
		635	exit(0);
626	}	636	}
627		637	else
628	if (!cfg.shell && !arg_shell_none)	638	exit_err_feature("join");
629	cfg.shell = guess_shell();
630
631	// join sandbox by pid or by name
632	pid_t pid = read_pid(argv[i] + 7);
633	join(pid, argc, argv, i + 1);
634	exit(0);
635		639
636	}	640	}
637	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {	641	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f26f8b06a..d1557e8b2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
742	else {	742	else {
743	// private-tmp is implemented as a whitelist	743	// private-tmp is implemented as a whitelist
744	EUID_USER();	744	EUID_USER();
		745	// check XAUTHORITY file, KDE keeps it under /tmp
		746	char *xauth = getenv("XAUTHORITY");
		747	if (xauth) {
		748	char *rp = realpath(xauth, NULL);
		749	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
		750	char *cmd;
		751	if (asprintf(&cmd, "whitelist %s", rp) == -1)
		752	errExit("asprintf");
		753	profile_add(cmd); // profile_add does not duplicate the string
		754	}
		755	if (rp)
		756	free(rp);
		757	}
		758	// whitelist x11 directory
745	profile_add("whitelist /tmp/.X11-unix");	759	profile_add("whitelist /tmp/.X11-unix");
746	EUID_ROOT();	760	EUID_ROOT();
747	}	761	}


diff --git a/src/include/syscall.h b/src/include/syscall.h index c49760703..8852fcbd5 100644 --- a/src/include/syscall.h +++ b/src/include/syscall.h
@@ -1076,6 +1076,11 @@
1076	{"preadv", __NR_preadv},	1076	{"preadv", __NR_preadv},
1077	#endif	1077	#endif
1078	#endif	1078	#endif
		1079	#ifdef SYS_preadv2
		1080	#ifdef __NR_preadv2
		1081	{"preadv2", __NR_preadv2},
		1082	#endif
		1083	#endif
1079	#ifdef SYS_prlimit64	1084	#ifdef SYS_prlimit64
1080	#ifdef __NR_prlimit64	1085	#ifdef __NR_prlimit64
1081	{"prlimit64", __NR_prlimit64},	1086	{"prlimit64", __NR_prlimit64},
@@ -1126,6 +1131,11 @@
1126	{"pwritev", __NR_pwritev},	1131	{"pwritev", __NR_pwritev},
1127	#endif	1132	#endif
1128	#endif	1133	#endif
		1134	#ifdef SYS_pwritev2
		1135	#ifdef __NR_pwritev2
		1136	{"pwritev2", __NR_pwritev2},
		1137	#endif
		1138	#endif
1129	#ifdef SYS_query_module	1139	#ifdef SYS_query_module
1130	#ifdef __NR_query_module	1140	#ifdef __NR_query_module
1131	{"query_module", __NR_query_module},	1141	{"query_module", __NR_query_module},
@@ -1892,6 +1902,7 @@
1892	#endif	1902	#endif
1893	#endif	1903	#endif
1894	#endif	1904	#endif
		1905	//#endif
1895	#if defined __x86_64__ && defined __LP64__	1906	#if defined __x86_64__ && defined __LP64__
1896	#ifdef SYS__sysctl	1907	#ifdef SYS__sysctl
1897	#ifdef __NR__sysctl	1908	#ifdef __NR__sysctl
@@ -2828,6 +2839,11 @@
2828	{"preadv", __NR_preadv},	2839	{"preadv", __NR_preadv},
2829	#endif	2840	#endif
2830	#endif	2841	#endif
		2842	#ifdef SYS_preadv2
		2843	#ifdef __NR_preadv2
		2844	{"preadv2", __NR_preadv2},
		2845	#endif
		2846	#endif
2831	#ifdef SYS_prlimit64	2847	#ifdef SYS_prlimit64
2832	#ifdef __NR_prlimit64	2848	#ifdef __NR_prlimit64
2833	{"prlimit64", __NR_prlimit64},	2849	{"prlimit64", __NR_prlimit64},
@@ -2868,6 +2884,11 @@
2868	{"pwritev", __NR_pwritev},	2884	{"pwritev", __NR_pwritev},
2869	#endif	2885	#endif
2870	#endif	2886	#endif
		2887	#ifdef SYS_pwritev2
		2888	#ifdef __NR_pwritev2
		2889	{"pwritev2", __NR_pwritev2},
		2890	#endif
		2891	#endif
2871	#ifdef SYS_query_module	2892	#ifdef SYS_query_module
2872	#ifdef __NR_query_module	2893	#ifdef __NR_query_module
2873	{"query_module", __NR_query_module},	2894	{"query_module", __NR_query_module},
@@ -3529,6 +3550,7 @@
3529	#endif	3550	#endif
3530	#endif	3551	#endif
3531	#endif	3552	#endif
		3553	//#endif
3532	#if defined __x86_64__ && defined __ILP32__	3554	#if defined __x86_64__ && defined __ILP32__
3533	#ifdef SYS_accept	3555	#ifdef SYS_accept
3534	#ifdef __NR_accept	3556	#ifdef __NR_accept
@@ -4430,6 +4452,11 @@
4430	{"preadv", __NR_preadv},	4452	{"preadv", __NR_preadv},
4431	#endif	4453	#endif
4432	#endif	4454	#endif
		4455	#ifdef SYS_preadv2
		4456	#ifdef __NR_preadv2
		4457	{"preadv2", __NR_preadv2},
		4458	#endif
		4459	#endif
4433	#ifdef SYS_prlimit64	4460	#ifdef SYS_prlimit64
4434	#ifdef __NR_prlimit64	4461	#ifdef __NR_prlimit64
4435	{"prlimit64", __NR_prlimit64},	4462	{"prlimit64", __NR_prlimit64},
@@ -4470,6 +4497,11 @@
4470	{"pwritev", __NR_pwritev},	4497	{"pwritev", __NR_pwritev},
4471	#endif	4498	#endif
4472	#endif	4499	#endif
		4500	#ifdef SYS_pwritev2
		4501	#ifdef __NR_pwritev2
		4502	{"pwritev2", __NR_pwritev2},
		4503	#endif
		4504	#endif
4473	#ifdef SYS_quotactl	4505	#ifdef SYS_quotactl
4474	#ifdef __NR_quotactl	4506	#ifdef __NR_quotactl
4475	{"quotactl", __NR_quotactl},	4507	{"quotactl", __NR_quotactl},
@@ -5111,3 +5143,5 @@
5111	#endif	5143	#endif
5112	#endif	5144	#endif
5113	#endif	5145	#endif
		5146	//#endif
		5147