diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/sandbox.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f26f8b06a..d1557e8b2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) { | |||
| 742 | else { | 742 | else { |
| 743 | // private-tmp is implemented as a whitelist | 743 | // private-tmp is implemented as a whitelist |
| 744 | EUID_USER(); | 744 | EUID_USER(); |
| 745 | // check XAUTHORITY file, KDE keeps it under /tmp | ||
| 746 | char *xauth = getenv("XAUTHORITY"); | ||
| 747 | if (xauth) { | ||
| 748 | char *rp = realpath(xauth, NULL); | ||
| 749 | if (rp && strncmp(rp, "/tmp/", 5) == 0) { | ||
| 750 | char *cmd; | ||
| 751 | if (asprintf(&cmd, "whitelist %s", rp) == -1) | ||
| 752 | errExit("asprintf"); | ||
| 753 | profile_add(cmd); // profile_add does not duplicate the string | ||
| 754 | } | ||
| 755 | if (rp) | ||
| 756 | free(rp); | ||
| 757 | } | ||
| 758 | // whitelist x11 directory | ||
| 745 | profile_add("whitelist /tmp/.X11-unix"); | 759 | profile_add("whitelist /tmp/.X11-unix"); |
| 746 | EUID_ROOT(); | 760 | EUID_ROOT(); |
| 747 | } | 761 | } |