From 74ad73c808ecbd4e0ccdfb1d6893b65c68647c62 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 1 Oct 2016 09:36:22 -0400
Subject: x11 detection support for --audit
---
 src/faudit/dbus.c | 59 +++++++++++++++++++++++++++++++++++---------------
 src/faudit/faudit.h | 1 +
 src/faudit/main.c | 5 +++++
 src/faudit/x11.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 todo | 14 +++++++++++-
 5 files changed, 123 insertions(+), 18 deletions(-)
 create mode 100644 src/faudit/x11.c
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 64f5d8ae4..d17d3922a 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -21,15 +21,15 @@
 #include
 #include
-void check_session_bus(const char *sockfile) {
+// return 0 if the connection is possible
+int check_unix(const char *sockfile) {
 assert(sockfile);
-
+ int rv = -1;
+ // open socket
 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock == -1) {
- printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
- return;
- }
+ if (sock == -1)
+ return rv;
 // connect
 struct sockaddr_un remote;
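Review bot: The new comment `// return 0 if the connection is possible` documents only the success value, while the `-1` returned on the added `if (sock == -1) return rv;` line is indistinguishable from a refused connect(), and dbus_test reports both as `GOOD: cannot connect`; a socket() failure inside the auditor itself is not evidence that the sandbox blocks the bus. Either document the contract, `// return 0 if a connection could be made, -1 if socket() or connect() failed`, or treat a failed socket() the way this file treats other internal failures (`errExit("strdup")`), if a sandbox that blocks AF_UNIX is not a case the audit is meant to survive. check_unix continues past the end of this hunk into the next one.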
@@ -37,35 +37,60 @@ void check_session_bus(const char *sockfile) {
 remote.sun_family = AF_UNIX;
 strcpy(remote.sun_path, sockfile);
 int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
- remote.sun_path[0] = '\0';
- if (connect(sock, (struct sockaddr *)&remote, len) == -1) {
- printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
- }
- else {
- printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
- }
-
+ if (*sockfile == '@')
+ remote.sun_path[0] = '\0';
+ if (connect(sock, (struct sockaddr *)&remote, len) == 0)
+ rv = 0;
+ close(sock);
+ return rv;
 }
 void dbus_test(void) {
 // check the session bus
 char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
 if (str) {
+ int rv = 0;
 char *bus = strdup(str);
 if (!bus) errExit("strdup");
- char *sockfile = strstr(bus, "unix:abstract=");
- if (sockfile) {
+ char *sockfile;
+ if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
 sockfile += 13;
 *sockfile = '@';
 char *ptr = strchr(sockfile, ',');
 if (ptr) *ptr = '\0';
- check_session_bus(sockfile);
+ rv = check_unix(sockfile);
+ *sockfile = '@';
+ if (rv == 0)
+ printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+ else if (rv == -1)
+ printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+ }
+ else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
+ sockfile += 10;
+ char *ptr = strchr(sockfile, ',');
+ if (ptr)
+ *ptr = '\0';
+ rv = check_unix(sockfile);
+ if (rv == 0)
+ printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+ else if (rv == -1)
+ printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+ }
+ else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) {
+ printf("UGLY: session bus configured for TCPcommunication.\n");
+ rv = -2;
+ }
+ else
+ printf("GOOD: cannot find a D-Bus socket\n");
+
+ free(bus);
 }
+ else
+ printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
 }
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 93fb4b709..3fddbf1f5 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -56,6 +56,7 @@ void files_test(void);
 void network_test(void);
 // dbus.c
+int check_unix(const char *sockfile);
 void dbus_test(void);
 // dev.c
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 6ff938d98..61005945d 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -69,10 +69,15 @@ int main(int argc, char **argv) {
 dbus_test();
 printf("\n");
+ // x11 test
+ x11_test();
+ printf("\n");
+
 // /dev test
 dev_test();
 printf("\n");
+ free(prog);
 printf("--------------------------------------------------------------------------------\n");
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
new file mode 100644
index 000000000..e1a4bf66e
--- /dev/null
+++ b/src/faudit/x11.c
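Review bot: `strcpy(remote.sun_path, sockfile)` (unchanged context at the top of this hunk) copies into the fixed-size `sun_path` with no length check, and this commit widens its callers: check_unix is now exported through faudit.h, x11.c feeds it names built from every entry of `/tmp/.X11-unix`, and dbus_test feeds it the comma-truncated but otherwise unchecked value of `DBUS_SESSION_BUS_ADDRESS`. A name longer than `sun_path` overruns `remote` on the auditor's stack, so reject it right after `struct sockaddr_un remote;`, before the copy: `if (strlen(sockfile) >= sizeof remote.sun_path) { close(sock); return rv; }` (this also keeps `len` meaningful, since it is computed from the copied string). The guard belongs in check_unix, whose opening lines are in the previous hunk, and it covers the x11.c hunk as well. Minor: the string `"UGLY: session bus configured for TCPcommunication.\n"` is missing a space, and the final `printf("GOOD: DBUS_SESSION_BUS_ADDRESS ...")` has no trailing newline unlike every other message in this function.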
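Review bot: `x11_test()` is called on the added line, but the faudit.h hunk in this commit declares only `check_unix`, so unless faudit.h already carries an `x11_test` prototype (not visible here) main.c now calls it through an implicit declaration, which is invalid since C99 and a hard error on newer compilers. Add `void x11_test(void);` to faudit.h under an `// x11.c` section matching the existing `// dbus.c` one. The added `free(prog);` is correct only if `prog` is not read by the lines that follow; main's body starts and ends outside this hunk, so that cannot be confirmed from here.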
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include
+#include
+
+
+void x11_test(void) {
+ // check regular display 0 sockets
+ if (check_unix("/tmp/.X11-unix/X0") == 0)
+ printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
+
+ if (check_unix("@/tmp/.X11-unix/X0") == 0)
+ printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
+
+ // check all unix sockets in /tmp/.X11-unix directory
+ DIR *dir;
+ if (!(dir = opendir("/tmp/.X11-unix"))) {
+ // sleep 2 seconds and try again
+ sleep(2);
+ if (!(dir = opendir("/tmp/.X11-unix")))
+ ;
+ }
+
+ if (dir == NULL)
+ printf("GOOD: cannot open /tmp/.X11-unix directory\n");
+ else {
+ struct dirent *entry;
+ while ((entry = readdir(dir)) != NULL) {
+ if (strcmp(entry->d_name, "X0") == 0)
+ continue;
+ if (strcmp(entry->d_name, ".") == 0)
+ continue;
+ if (strcmp(entry->d_name, "..") == 0)
+ continue;
+ char *name;
+ if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
+ errExit("asprintf");
+ if (check_unix(name) == 0)
+ printf("MAYBE: X11 socket %s is available\n", name);
+ free(name);
+ }
+ closedir(dir);
+ }
+}
diff --git a/todo b/todo
index 26c3e247c..ddf886fcd 100644
--- a/todo
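Review bot: The retry `if (!(dir = opendir("/tmp/.X11-unix"))) ;` inside the first `if` is an empty statement whose only effect is the assignment hidden in its condition; write it as `dir = opendir("/tmp/.X11-unix");` and initialise `DIR *dir` from the first opendir call so the control flow reads plainly. The comment `// sleep 2 seconds and try again` says what but not why; if the delay exists because the socket directory may not yet be mounted or populated when the audit starts, say so in the comment, since a bare sleep in an audit tool otherwise looks like a leftover. Detection coverage is also uneven: the abstract-namespace socket is tested only for display 0 (`@/tmp/.X11-unix/X0`), while the directory loop tests only the filesystem name of every other entry, so a server reachable only through `@/tmp/.X11-unix/X1` would go unreported; testing the `@`-prefixed variant of each entry as well would close that gap. The names built with asprintf here are copied by check_unix with strcpy into a fixed-size `sun_path` without a length check, which is raised on the dbus.c hunk.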
+++ b/todo
@@ -273,4 +273,16 @@ dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.
-28. add support for whitelisting /mtn
+28. Merge --dbus=none from https://github.com/Sidnioulz/firejail
+
+ // block dbus session bus the hard way if necessary
+ if (cfg.dbus == 0) {
+ char *dbus_path;
+ if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
+ errExit("asprintf");
+ fs_blacklist_file(dbus_path);
+ free(dbus_path);
+}
+
+
+
-- 
cgit v1.2.3-54-g00ecf