From 83c7253a753a810240408ac2057e7c2b920a2a52 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 19 Sep 2016 13:11:59 -0400
Subject:  --private-tmp whitelists /tmp/.X11-unix directory

---
 src/firejail/sandbox.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

(limited to 'src')

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 76efe996b..cc5483c08 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -593,8 +593,13 @@ int sandbox(void* sandbox_arg) {
 			fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
 		else if (arg_overlay)
 			fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
-		else
-			fs_private_tmp();
+		else {
+			// private-tmp is implemented as a whitelist
+			EUID_USER();
+			profile_add("whitelist /tmp/.X11-unix");
+			EUID_ROOT();
+//			fs_private_tmp();
+		}
 	}
 	
 	//****************************
@@ -606,18 +611,16 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// apply the profile file
 	//****************************
-	if (cfg.profile) {
-		// apply all whitelist commands ... 
-		if (cfg.chrootdir)
-			fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
-		else if (arg_overlay)
-			fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
-		else
-			fs_whitelist();
-		
-		// ... followed by blacklist commands
-		fs_blacklist();
-	}
+	// apply all whitelist commands ... 
+	if (cfg.chrootdir)
+		fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
+	else if (arg_overlay)
+		fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
+	else
+		fs_whitelist();
+	
+	// ... followed by blacklist commands
+	fs_blacklist();
 	
 	//****************************
 	// install trace
-- 
cgit v1.2.3-70-g09d2