From feae44c4ff406f6191426762cc2edec000bed0af Mon Sep 17 00:00:00 2001
From: ಚಿರಾಗ್ ನಟರಾಜ್
Date: Sun, 19 May 2019 22:56:36 +0000
Subject: Expose /tmp/.X11-unix as read-only as per Issue #2269
---
 src/firejail/fs.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index bf7c0a4b2..f3ef97aeb 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1519,6 +1519,8 @@ void fs_private_tmp(void) {
 // whitelist x11 directory
 profile_add("whitelist /tmp/.X11-unix");
+ // read-only x11 directory
+ profile_add("read-only /tmp/.X11-unix");
 // whitelist any pulse* file in /tmp directory
 // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
--
cgit v1.2.3-70-g09d2
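Review bot: The added comment `// read-only x11 directory` in fs_private_tmp() restates the profile line without saying what the restriction protects or where it stops. A read-only mount keeps the sandboxed process from creating, removing or renaming entries under /tmp/.X11-unix, but on Linux it does not block connect() to the sockets already there, so access to the X server is unchanged. I would word it as `// read-only: sandbox cannot add, remove or replace X11 sockets; connecting to them is still allowed`, so that nobody reads this line as X11 isolation. fs_private_tmp() begins and ends outside the hunk, so how this entry interacts with the rest of the function is not visible here.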