From a2e9b0709309f81050cbba8dd8e9b970fd361e91 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 30 Apr 2017 11:51:30 -0400 Subject: allow PulseAudio sockets in --private-tmp --- RELNOTES | 1 + src/firejail/firejail.h | 1 + src/firejail/fs.c | 42 ++++++++++++++++++++++++++++++++++++++++++ src/firejail/sandbox.c | 16 +--------------- src/man/firejail.txt | 14 +++++++++++++- 5 files changed, 58 insertions(+), 16 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index ba90eaece..ef95a1bc0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -30,6 +30,7 @@ firejail (0.9.46-rc1) baseline; urgency=low
 * feature: config support to disable join (join)
 * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
 * feature: support overlay, overlay-named and overlay-tmpfs in profile files
+ * feature: allow PulseAudio sockets in --private-tmp
 * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
 * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
 * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8831d07f0..09fadcf34 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -408,6 +408,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 025e715e6..ac68e7738 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1214,4 +1214,46 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
+// this function is called from sandbox.c before blacklist/whitelist functions
+void fs_private_tmp(void) {
+ // check XAUTHORITY file, KDE keeps it under /tmp
+ char *xauth = getenv("XAUTHORITY");
+ if (xauth) {
+ char *rp = realpath(xauth, NULL);
+ if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+ char *cmd;
+ if (asprintf(&cmd, "whitelist %s", rp) == -1)
+ errExit("asprintf");
+ profile_add(cmd); // profile_add does not duplicate the string
+ }
+ if (rp)
+ free(rp);
+ }
+
+ // whitelist x11 directory
+ profile_add("whitelist /tmp/.X11-unix");
+
+ // whitelist any pulse* file in /tmp directory
+ // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
+ DIR *dir;
+ if (!(dir = opendir("/tmp"))) {
+ // sleep 2 seconds and try again
+ sleep(2);
+ if (!(dir = opendir("/tmp"))) {
+ return;
+ }
+ }
+ struct dirent *entry;
+ while ((entry = readdir(dir))) {
+ if (strncmp(entry->d_name, "pulse-", 6) == 0) {
+ char *cmd;
+ if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
+ errExit("asprintf");
+ profile_add(cmd); // profile_add does not duplicate the string
+ }
+ }
+ closedir(dir);
+
+
+}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 35ca4ff2d..e6deddac5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -741,21 +741,7 @@ int sandbox(void* sandbox_arg) {
 else {
 // private-tmp is implemented as a whitelist
 EUID_USER();
- // check XAUTHORITY file, KDE keeps it under /tmp
- char *xauth = getenv("XAUTHORITY");
- if (xauth) {
- char *rp = realpath(xauth, NULL);
- if (rp && strncmp(rp, "/tmp/", 5) == 0) {
- char *cmd;
- if (asprintf(&cmd, "whitelist %s", rp) == -1)
- errExit("asprintf");
- profile_add(cmd); // profile_add does not duplicate the string
- }
- if (rp)
- free(rp);
- }
- // whitelist x11 directory
- profile_add("whitelist /tmp/.X11-unix");
+ fs_private_tmp();
 EUID_ROOT();
 }
 }
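Review bot: The readdir loop in fs_private_tmp() whitelists every /tmp entry whose name starts with `pulse-`, matching on the name alone. /tmp is world-writable, so an entry created by another local account, or a symlink, is added to this user's private /tmp just like a real PulseAudio directory; how the whitelist code later resolves such a path is not visible in this hunk. I would check each entry before `profile_add`: owned by the calling user and a directory (as in the man-page listing), without following symlinks, as in the sketch below. Two smaller points in the same hunk: the comment's `/urn/user` should read `/run/user`, and the second failed `opendir` returns silently, so a missing PulseAudio whitelist leaves no trace in the output.

```c
	while ((entry = readdir(dir))) {
		if (strncmp(entry->d_name, "pulse-", 6) != 0)
			continue;

		// accept only the caller's own directory; a symlink is not followed and is rejected
		struct stat s;
		if (fstatat(dirfd(dir), entry->d_name, &s, AT_SYMLINK_NOFOLLOW) == -1)
			continue;
		if (!S_ISDIR(s.st_mode) || s.st_uid != getuid())
			continue;

		// … unchanged: asprintf() of the "whitelist /tmp/%s" line and profile_add(cmd) …
	}
```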
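Review bot: The privilege precondition of fs_private_tmp() is only implicit at this call site: it is correct here because the call sits between `EUID_USER()` and `EUID_ROOT()`, but the function's header comment in fs.c mentions only the ordering against the blacklist/whitelist functions. A later caller could therefore run the XAUTHORITY `realpath()` and the /tmp scan with root's effective uid without anything flagging it. I would extend the function's comment with `// must run with the user's effective uid; the caller brackets it with EUID_USER()/EUID_ROOT()`, or assert it at the top of the function if the project has a helper for that. sandbox() begins and ends outside this hunk.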
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c481da8d2..bc4c3f19a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1278,13 +1278,25 @@ Example:
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting X11 and PulseAudio sockets.
 .br
 .br
 Example:
 .br
 $ firejail \-\-private-tmp
+.br
+$ ls -al /tmp
+.br
+drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
+.br
+drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
+.br
+drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
+.br
+drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
+.br
+
 .TP
 \fB\-\-profile=filename
-- cgit v1.2.3-54-g00ecf