From 8db0f9d8b925887df2c1a0941d53c379492d36b0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 22 Aug 2016 18:20:35 -0400 Subject: x11 command in profile files --- RELNOTES | 1 + src/firejail/profile.c | 17 +++++++++++++++++ src/man/firejail-profile.txt | 3 +++ 3 files changed, 21 insertions(+) diff --git a/RELNOTES b/RELNOTES index 1f62c4d64..6d029d320 100644 --- a/RELNOTES +++ b/RELNOTES @@ -29,6 +29,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * run time support to disable remounting of /proc and /sys * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config + * added x11 command for profile files * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 26f434f3b..916e39892 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -613,6 +613,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } + + if (strcmp(ptr, "x11") == 0) { +#ifdef HAVE_X11 + if (checkcfg(CFG_X11)) { + char *x11env = getenv("FIREJAIL_X11"); + if (x11env && strcmp(x11env, "yes") == 0) + return 0; + else { + // start x11 + x11_start(cfg.original_argc, cfg.original_argv); + exit(0); + } + } +#endif + return 0; + } + if (strncmp(ptr, "private-template ", 17) == 0) { if (arg_private) { diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 52802755f..e3217bbff 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
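Review bot: In the `x11` branch added to `profile_check_line` in src/firejail/profile.c, the final `return 0;` is reached only when `checkcfg(CFG_X11)` is false or the binary was built without `HAVE_X11`, and it is reached without any message. A profile that asks for X11 isolation then silently starts the program against the host X server. A warning just before that `return 0;` would make the downgrade visible, e.g. `fprintf(stderr, "Warning: x11 sandboxing is not available, ignoring x11 in %s line %d\n", fname, lineno);`. Separately, the `FIREJAIL_X11` test is presumably the re-exec guard set by `x11_start` (not visible here), but as written any environment that already carries `FIREJAIL_X11=yes` also skips the X11 setup, so a comment stating who is expected to set the variable would help. The rest of `profile_check_line` lies outside this hunk.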
@@ -258,6 +258,9 @@ does not result in an increase of privilege. \fBnoroot Use this command to enable an user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace. +.TP +\fBx11 +Enable X11 sandboxing. .SH Resource limits, CPU affinity, Control Groups These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. -- cgit v1.2.3-70-g09d2