From b7d5d68ae43edb1cd2da60762a9e297934f76b5b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 2 Oct 2016 10:23:29 -0400 Subject: renamed --x11=block to --x11=none, brought back the requirement for network namespaces for x11 sandboxing --- README | 3 ++- README.md | 4 ++-- RELNOTES | 2 -- src/firejail/main.c | 2 +- src/firejail/x11.c | 7 ++----- src/man/firejail.txt | 2 +- 6 files changed, 8 insertions(+), 12 deletions(-) diff --git a/README b/README index e98352913..325ef2aa5 100644 --- a/README +++ b/README @@ -43,7 +43,7 @@ Aleksey Manevich (https://github.com/manevich) - added --fix option to firecfg utility - read_pid fix - added --x11=block options - - x11 xpra, xphyr, block profile commands + - x11 xpra, xphyr, none profile commands - added --join-or-start command - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) @@ -79,6 +79,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement vismir2 (https://github.com/vismir2) - feh, ranger and zathura profiles + - lots of profile fixes graywolf (https://github.com/graywolf) - spelling fix Dara Adib (https://github.com/daradib) diff --git a/README.md b/README.md index b6f80a52f..a8075cc1e 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ If you keep your Firejail profiles in a public repository, please give us a link ## New command line options ````` - --x11=block + --x11=none Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 @@ -84,7 +84,7 @@ If you keep your Firejail profiles in a public repository, please give us a link ## New profile commands -x11 xpra, x11 xephyr, x11 block, allusers, join-or-start +x11 xpra, x11 xephyr, x11 none, allusers, join-or-start ## New profiles diff --git a/RELNOTES b/RELNOTES index ad4c750b5..4ae23c2f3 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,8 +4,6 @@ firejail (0.9.43) baseline; urgency=low * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev - * modifs: dropping requirement for network namespace when - using a --x11 * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit diff --git a/src/firejail/main.c b/src/firejail/main.c index 91ea523ab..c4b7ce4dc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2208,7 +2208,7 @@ int main(int argc, char **argv) { return 1; } } - else if (strcmp(argv[i], "--x11=block") == 0) { + else if (strcmp(argv[i], "--x11=none") == 0) { arg_x11_block = 1; } else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 36023e067..def1dd324 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -52,7 +52,6 @@ static int x11_check_xephyr(void) { return 1; } -#if 0 // check for X11 abstract sockets static int x11_abstract_sockets_present(void) { char *path; @@ -77,7 +76,6 @@ static int x11_abstract_sockets_present(void) { return 0; } -#endif static int random_display_number(void) { int i; @@ -598,18 +596,17 @@ void x11_start(int argc, char **argv) { void x11_block(void) { #ifdef HAVE_X11 mask_x11_abstract_socket = 1; -#if 0 + // check abstract socket presence and network namespace options if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) && x11_abstract_sockets_present()) { - fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n" + fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" "Additional setup required. To block abstract X11 socket you can either:\n" " * use network namespace in firejail (--net=none, --net=...)\n" " * add \"-nolisten local\" to xserver options\n" " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); exit(1); } -#endif // blacklist sockets profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3ceb21e78..aadc54677 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1713,7 +1713,7 @@ Example: $ firejail \-\-x11=xephyr --net=eth0 openbox .TP -\fB\-\-x11=block +\fB\-\-x11=none Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 abstract socket will be accessible in jail. -- cgit v1.2.3-54-g00ecf