disable x11 abstract socket for --x11=block

Makefile.in

@@ -1,6 +1,6 @@
 all: apps man
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libx11
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 
 prefix=@prefix@
@@ -71,6 +71,7 @@ realinstall:
  install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
  install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 src/libx11/libx11.so $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
@@ -120,6 +121,7 @@ install-strip: all
  strip src/firecfg/firecfg
  strip src/libtrace/libtrace.so
  strip src/libtracelog/libtracelog.so
+ strip src/libx11/libx11.so
  strip src/ftee/ftee
  strip src/faudit/faudit
  $(MAKE) realinstall

configure

@@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4477,6 +4477,7 @@ do
  "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
  "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
  "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
+ "src/libx11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libx11/Makefile" ;;
 
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac

configure.ac

@@ -148,7 +148,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile)
 
 echo
 echo "Configuration options:"

platform/debian/conffiles

@@ -149,4 +149,3 @@
 /etc/firejail/synfigstudio.profile
 /etc/firejail/gimp.profile
 /etc/firejail/inkscape.profile
-

src/faudit/dbus.c

@@ -79,10 +79,8 @@ void dbus_test(void) {
  else if (rv == -1)
  printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
  }
- else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) {
- printf("UGLY: session bus configured for TCPcommunication.\n");
- rv = -2;
- }
+ else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
+ printf("UGLY: session bus configured for TCP communication.\n");
  else
  printf("GOOD: cannot find a D-Bus socket\n");
 

src/faudit/x11.c

@@ -35,8 +35,9 @@ void x11_test(void) {
  if (!(dir = opendir("/tmp/.X11-unix"))) {
  // sleep 2 seconds and try again
  sleep(2);
- if (!(dir = opendir("/tmp/.X11-unix")))
+ if (!(dir = opendir("/tmp/.X11-unix"))) {
  ;
+ }
  }
 
  if (dir == NULL)

src/firejail/firejail.h

@@ -627,6 +627,7 @@ void fs_mkdir(const char *name);
 void fs_mkfile(const char *name);
 
 // x11.c
+extern int mask_x11_abstract_socket;
 void fs_x11(void);
 int x11_display(void);
 void x11_start(int argc, char **argv);

src/firejail/fs_trace.c

@@ -54,15 +54,17 @@ void fs_trace(void) {
  FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
  if (!fp)
  errExit("fopen");
- if (arg_trace)
+ if (arg_trace) {
  fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
+ }
  else if (arg_tracelog) {
  fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
  if (!arg_quiet)
  printf("Blacklist violations are logged to syslog\n");
  } 
- else
- assert(0);
+
+ if (mask_x11_abstract_socket)
+ fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR);
 
  SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
  fclose(fp);

src/firejail/ls.c

@@ -419,7 +419,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
  EUID_USER();
  }
  // get file from host and store it in the sandbox
- else if (op == SANDBOX_FS_PUT) {
+ else if (op == SANDBOX_FS_PUT && path2) {
  // verify the source file
  const char *src_fname = path1;
  struct stat s;

src/firejail/sandbox.c

@@ -479,7 +479,7 @@ int sandbox(void* sandbox_arg) {
  fs_build_cp_command();
 
  // trace pre-install
- if (arg_trace || arg_tracelog)
+ if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
  fs_trace_preload();
 
  //****************************
@@ -505,7 +505,7 @@ int sandbox(void* sandbox_arg) {
  //****************************
  // trace pre-install, this time inside chroot
  //****************************
- if (arg_trace || arg_tracelog)
+ if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
  fs_trace_preload();
  }
  else 
@@ -575,7 +575,7 @@ int sandbox(void* sandbox_arg) {
  else {
  fs_private_etc_list();
  // create /etc/ld.so.preload file again
- if (arg_trace || arg_tracelog)
+ if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
  fs_trace_preload();
  }
  }
@@ -626,7 +626,7 @@ int sandbox(void* sandbox_arg) {
  //****************************
  // install trace
  //****************************
- if (arg_trace || arg_tracelog)
+ if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
  fs_trace();
 
  //****************************

src/firejail/x11.c

@@ -27,6 +27,7 @@
 #include <dirent.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
+int mask_x11_abstract_socket = 0;
 
 #ifdef HAVE_X11
 // return 1 if xpra is installed on the system
@@ -51,6 +52,7 @@ static int x11_check_xephyr(void) {
  return 1;
 }
 
+#if 0
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
  char *path;
@@ -75,6 +77,7 @@ static int x11_abstract_sockets_present(void) {
 
  return 0;
 }
+#endif
 
 static int random_display_number(void) {
  int i;
@@ -594,6 +597,8 @@ void x11_start(int argc, char **argv) {
 
 void x11_block(void) {
 #ifdef HAVE_X11
+ mask_x11_abstract_socket = 1;
+#if 0
  // check abstract socket presence and network namespace options
  if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
  && x11_abstract_sockets_present()) {
@@ -604,6 +609,7 @@ void x11_block(void) {
  " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
  exit(1);
  }
+#endif
 
  // blacklist sockets
  profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);

src/libx11/Makefile.in

@@ -0,0 +1,25 @@
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
+
+all: libx11.so
+
+%.o : %.c $(H_FILE_LIST)
+ $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+libx11.so: $(OBJS)
+ $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+
+
+clean:; rm -f $(OBJS) libx11.so
+
+distclean: clean
+ rm -fr Makefile

src/libx11/libx11.c

@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <errno.h>
+
+//#define DEBUG
+
+//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
+static int check_sockaddr(const struct sockaddr *addr) {
+ if (addr->sa_family == AF_UNIX) {
+ struct sockaddr_un *a = (struct sockaddr_un *) addr;
+ if (a->sun_path[0] == '\0') {
+// printf("@%s\n", a->sun_path + 1);
+ errno = ENOENT;
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+//
+// syscalls
+//
+
+// connect
+typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+static orig_connect_t orig_connect = NULL;
+int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+ if (!orig_connect)
+ orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
+
+ if (check_sockaddr(addr) == -1)
+ return -1;
+
+ return orig_connect(sockfd, addr, addrlen);
+}