From 46a15d38d347fe012b25a913c381a128a392edb0 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 17 Aug 2016 10:27:58 -0400
Subject: firemon fixes for x11 sandboxes
---
 src/lib/common.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/lib/pid.c | 18 +++++++----------
 2 files changed, 66 insertions(+), 11 deletions(-)
diff --git a/src/lib/common.c b/src/lib/common.c
index 8ea926df1..885f31881 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -199,3 +199,62 @@ char *pid_proc_cmdline(const pid_t pid) {
 }
 return rv;
 }
+
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11(const pid_t pid) {
+ // if comm is not firejail return 0
+ char *comm = pid_proc_comm(pid);
+ if (strcmp(comm, "firejail") != 0) {
+ free(comm);
+ return 0;
+ }
+ free(comm);
+
+ // open /proc/pid/cmdline file
+ char *fname;
+ int fd;
+ if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+ return 0;
+ if ((fd = open(fname, O_RDONLY)) < 0) {
+ free(fname);
+ return 0;
+ }
+ free(fname);
+
+ // read file
+ unsigned char buffer[BUFLEN];
+ ssize_t len;
+ if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+ close(fd);
+ return 0;
+ }
+ buffer[len] = '\0';
+ close(fd);
+
+ // skip the first argument
+ int i;
+ for (i = 0; buffer[i] != '\0'; i++);
+
+ // parse remaining command line options
+ while (1) {
+ // extract argument
+ i++;
+ if (i >= len)
+ break;
+ char *arg = buffer + i;
+
+ // detect the last command line option
+ if (strcmp(arg, "--") == 0)
+ break;
+ if (strncmp(arg, "--", 2) != 0)
+ break;
+
+ // check x11
+ if (strcmp(arg, "--x11") == 0 || strncmp(arg, "--x11=", 6) == 0)
+ return 1;
+ }
+ return 0;
+}
+
+
+
diff --git a/src/lib/pid.c b/src/lib/pid.c
index d1ade389e..4540247a0 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
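Review bot: `strcmp(comm, "firejail")` at the top of pid_proc_cmdline_x11 dereferences comm without a NULL check; if pid_proc_comm() can return NULL (its body is not in this hunk), firemon crashes on a pid that exits between the two /proc reads, so fold the check into the existing test, `if (comm == NULL || strcmp(comm, "firejail") != 0) {`, which is safe because `free(NULL)` is a no-op. `char *arg = buffer + i;` also mixes `unsigned char *` and `char *`; declare `char buffer[BUFLEN];` or cast at that line. A cmdline longer than `BUFLEN - 1` bytes is silently truncated by the single read(), so an option cut at the boundary is missed rather than reported; a comment such as `// cmdline longer than BUFLEN-1 bytes is truncated; options past that point are not seen` would make the limit explicit. Both /proc/<pid>/comm and cmdline are under the inspected process's own control, so the result is a best-effort classification rather than an authoritative one, which is worth stating in the header comment.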
@@ -340,18 +340,14 @@ void pid_read(pid_t mon_pid) {
 exit(1);
 }
- if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {
- pids[pid].level = 1;
+ if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
+ if (pid_proc_cmdline_x11(pid)) {
+ printf("--x11 detected for pid %d\n", pid);
+ pids[pid].level = -1;
+ }
+ else
+ pids[pid].level = 1;
 }
- else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
- pids[pid].level = 1;
- }
-// else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
-// pids[pid].level = 1;
-// }
-// else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
-// pids[pid].level = 1;
-// }
 else
 pids[pid].level = -1;
 }
--
cgit v1.2.3-70-g09d2
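Review bot: The `printf("--x11 detected for pid %d\n", pid);` inside pid_read writes an unconditional diagnostic to stdout from library code in src/lib/pid.c, which will interleave with whatever the calling tool prints per pid; it reads as leftover debug output and should be dropped, or gated on the project's debug/verbose setting if one exists. The `else` branch is unbraced beside a braced `if`, so brace it: `} else {` / `pids[pid].level = 1;` / `}`. The new condition keeps the pre-existing prefix match `strncmp(ptr, "firejail", 8)`, so a short comment noting that level -1 is deliberately assigned to the --x11 wrapper process would help the next reader, since -1 is otherwise the "not firejail" value in the trailing else. pid_read starts and ends outside this hunk.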