From b35c000fee9a4c1418a44e5a5a641bcf48f08345 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Tue, 8 Oct 2019 20:58:59 +0000
Subject: x11 xorg: blacklist non-default Xauthority file fixes #1652
---
 src/firejail/x11.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0927593b0..e707ab8bd 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1238,6 +1238,20 @@ void x11_xorg(void) {
 errLogExit("invalid .Xauthority mount");
 ASSERT_PERMS(dest, getuid(), getgid(), 0600);
+
+ // blacklist .Xauthority file if it is not masked already
+ char *envar = getenv("XAUTHORITY");
+ if (envar) {
+ char *rp = realpath(envar, NULL);
+ if (rp) {
+ if (strcmp(rp, dest) != 0)
+ disable_file_or_dir(rp);
+ free(rp);
+ }
+ // update environment variable, so our new .Xauthority file is used
+ if (setenv("XAUTHORITY", dest, 1) < 0)
+ errExit("setenv");
+ }
 free(dest);
 #endif
 }
-- cgit v1.2.3-54-g00ecf
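Review bot: The path handed to `disable_file_or_dir(rp)` comes straight from the caller's `XAUTHORITY` environment variable, and the only check after `realpath()` is that it differs from `dest`. Nothing confirms that it names a regular file owned by the invoking user, so any resolvable path, including a directory or a system file, would be blacklisted in the sandbox. If this part of x11_xorg runs with elevated privileges, which the hunk does not show, `realpath()` would also resolve through directories the user cannot read. Consider narrowing the condition, assuming `<sys/stat.h>` is already included: declare `struct stat s;` and use `if (strcmp(rp, dest) != 0 && stat(rp, &s) == 0 && S_ISREG(s.st_mode) && s.st_uid == getuid())`, in line with the ownership check `ASSERT_PERMS` applies to `dest`. x11_xorg begins above the hunk, so how `dest` is built, and whether it is canonical enough for the `strcmp` against a `realpath()` result, is not visible here.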