--x11=xorg

README.md

@@ -45,14 +45,36 @@ If you keep your Firejail profiles in a public repository, please give us a link
 `````
 # Current development version: 0.9.43
 
-## New command line options
+## X11 development
 `````
-      --x11=none
-              Blacklist  /tmp/.X11-unix  directory,  ${HOME}/.Xauthority  and  file
-              specified in ${XAUTHORITY} environment variable.  Remove  DISPLAY  and
-              XAUTHORITY  environment  variables.   Stop  with  error message if X11
-              abstract socket will be accessible in jail.
+       --x11=none
+              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
+              file  specified  in  ${XAUTHORITY} environment variable.  Remove
+              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
+              message if X11 abstract socket will be accessible in jail.
 
+      --x11=xorg
+              Sandbox the application using the untrusted mode implemented  by
+              X11  security  extension.   The  extension  is available in Xorg
+              package and it is installed by default on most  Linux  distribu‐
+              tions.  It  provides support for a simple trusted/untrusted con‐
+              nection model. Untrusted clients are restricted in certain  ways
+              to  prevent  them from reading window contents of other clients,
+              stealing input events, etc.
+
+              The untrusted mode has several limitations.  A  lot  of  regular
+              programs   assume  they are a trusted X11 clients and will crash
+              or lock up when run in  untrusted  mode.  Chromium  browser  and
+              xterm are two examples.  Firefox and transmission-gtk seem to be
+              working fine.  A network namespace  is  not  required  for  this
+              option.
+
+              Example:
+              $ firejail --x11=xorg firefox
+`````
+
+## Other command line options
+`````
       --put=name|pid src-filename dest-filename
               Put src-filename in sandbox container.  The container is specified by name or PID.
 
@@ -84,7 +106,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
 
 ## New profile commands
 
-x11 xpra, x11 xephyr, x11 none, allusers, join-or-start
+x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start
 
 ## New profiles
 

RELNOTES

@@ -12,6 +12,7 @@ firejail (0.9.43) baseline; urgency=low
   * feature: all user home directories are visible (--allusers)
   * feature: add files to sandbox container (--put)
   * feature: blocking x11 (--x11=block)
+  * feature: X11 security extension (--x11=xorg)
   * feature: disable 3D hardware acceleration (--no3d)
   * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
   * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape

src/firejail/firejail.h

@@ -61,6 +61,7 @@
 #define RUN_WHITELIST_OPT_DIR	"/run/firejail/mnt/orig-opt"
 
 #define RUN_XAUTHORITY_FILE	"/run/firejail/mnt/.Xauthority"
+#define RUN_XAUTHORITY_SEC_FILE	"/run/firejail/mnt/sec.Xauthority"
 #define RUN_ASOUNDRC_FILE	"/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE	"/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE	"/run/firejail/mnt/hosts"
@@ -321,6 +322,7 @@ extern char *arg_audit_prog;	// audit
 extern int arg_apparmor;	// apparmor
 extern int arg_allow_debuggers;	// allow debuggers
 extern int arg_x11_block;	// block X11
+extern int arg_x11_xorg;	// use X11 security extention
 extern int arg_allusers;	// all user home directories visible
 
 extern int login_shell;

src/firejail/main.c

@@ -107,6 +107,7 @@ char *arg_audit_prog = NULL;			// audit
 int arg_apparmor = 0;				// apparmor
 int arg_allow_debuggers = 0;			// allow debuggers
 int arg_x11_block = 0;				// block X11
+int arg_x11_xorg = 0;				// use X11 security extention
 int arg_allusers = 0;				// all user home directories visible
 
 int login_shell = 0;
@@ -2208,9 +2209,21 @@ int main(int argc, char **argv) {
 				return 1;
 			}
 		}
+		
+		// unlike all other x11 features, this is available always
 		else if (strcmp(argv[i], "--x11=none") == 0) {
 			arg_x11_block = 1;
 		}
+#ifdef HAVE_X11
+		else if (strcmp(argv[i], "--x11=xorg") == 0) {
+			if (checkcfg(CFG_X11))
+				arg_x11_xorg = 1;
+			else {
+				fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+				exit(1);
+			}
+		}
+#endif
 		else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
 			// NOTE: this is second part of option handler,
 			//		 atempt to find and join sandbox is done in other one

src/firejail/profile.c

@@ -657,9 +657,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	}
 
 	if (strcmp(ptr, "x11 none") == 0) {
-#ifdef HAVE_X11
 		arg_x11_block = 1;
-#endif
 		return 0;
 	}
 
@@ -681,6 +679,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+	if (strcmp(ptr, "x11 xorg") == 0) {
+#ifdef HAVE_X11
+		if (checkcfg(CFG_X11))
+			arg_x11_xorg = 1;
+		else {
+			fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+			return 0;
+		}
+#endif
+		return 0;
+	}
 	if (strcmp(ptr, "x11 xpra") == 0) {
 #ifdef HAVE_X11
 		if (checkcfg(CFG_X11)) {
@@ -717,19 +726,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	
-#if 0
-   if (strncmp(ptr, "private-template ", 17) == 0) {
-      if (arg_private) {
-         fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
-         exit(1);
-      }
-      cfg.private_template = ptr + 17;
-      fs_check_private_template();
-      arg_private_template = 1;
-
-      return 0;
-   }
-#endif   
 	// private /etc list of files and directories
 	if (strncmp(ptr, "private-etc ", 12) == 0) {
 		if (arg_writable_etc) {

src/firejail/sandbox.c

@@ -585,8 +585,19 @@ int sandbox(void* sandbox_arg) {
 			fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
 		else if (arg_overlay)
 			fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
-		else
+		else {
+			// for --x11=xorg we need to add xauth command
+			if (arg_x11_xorg) {
+				EUID_USER();
+				char *tmp;
+				if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
+					errExit("asprintf");
+				cfg.bin_private_keep = tmp;
+				fs_check_bin_list();
+				EUID_ROOT();
+			}
 			fs_private_bin_list();
+		}
 	}
 	
 	if (arg_private_tmp) {
@@ -784,6 +795,8 @@ int sandbox(void* sandbox_arg) {
 	
 	// clean /tmp/.X11-unix sockets
 	fs_x11();
+	if (arg_x11_xorg)
+		x11_xorg();
 	
 	//****************************
 	// set security filters

src/firejail/usage.c

@@ -282,10 +282,13 @@ void usage(void) {
 	printf("    --writable-etc - /etc directory is mounted read-write.\n\n");
 	printf("    --writable-var - /var directory is mounted read-write.\n\n");
 	
-	printf("    --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
-	printf("\tthen it checks if Xephyr is installed.\n\n");
-	printf("    --x11=xpra - enable Xpra X11 server.\n\n");
+	printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
+	printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
+	printf("\tattempt to use X11 security extension.\n\n");
+	printf("    --x11=none - disable access to X11 sockets.\n\n");
 	printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n");
+	printf("    --x11=xorg - enable X11 security extension.\n\n");
+	printf("    --x11=xpra - enable Xpra X11 server.\n\n");
 	printf("    --zsh - use /usr/bin/zsh as default shell.\n\n");
 	printf("\n");
 	printf("\n");

src/firejail/x11.c

@@ -629,3 +629,73 @@ void x11_block(void) {
 	env_store("XAUTHORITY", RMENV);
 #endif
 }
+
+void x11_xorg(void) {
+#ifdef HAVE_X11
+	// destination
+	char *dest;
+	if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+		errExit("asprintf");
+	struct stat s;
+	if (stat(dest, &s) == -1) {
+		// create an .Xauthority file
+		FILE *fp = fopen(dest, "w");
+		if (!fp)
+			errExit("fopen");
+		SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+		fclose(fp);
+	}
+
+	if (stat("/usr/bin/xauth", &s) == -1) {
+		fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n");
+		exit(1);
+	}
+
+	pid_t child = fork();
+	if (child < 0)
+		errExit("fork");
+	if (child == 0) {
+		// generate a new .Xauthority file
+		if (arg_debug)
+			printf("Generating a new .Xauthority file\n");
+
+		// elevate privileges - files in /run/firejail/mnt directory belong to root
+		if (setreuid(0, 0) < 0)
+			errExit("setreuid");
+		if (setregid(0, 0) < 0)
+			errExit("setregid");
+		
+		char *display = getenv("DISPLAY");
+		if (!display)
+			display = ":0.0";
+			
+		execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE,
+			"generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
+		
+		exit(0);
+	}
+	// wait for the child to finish
+	waitpid(child, NULL, 0);
+
+	// check the file was created and set mode and ownership
+	if (stat(RUN_XAUTHORITY_SEC_FILE, &s) == -1) {
+		fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+		exit(1);
+	}
+	if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1)
+		errExit("chown");
+	if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1)
+		errExit("chmod");
+	
+	// mount
+	if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) {
+		fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
+		exit(1);
+	}
+	if (chown(dest, getuid(), getgid()) == -1)
+		errExit("chown");
+	if (chmod(dest, 0600) == -1)
+		errExit("chmod");
+	free(dest);
+#endif	
+}

src/man/firejail-profile.txt

@@ -279,16 +279,19 @@ There is no root account (uid 0) defined in the namespace.
 \fBx11
 Enable X11 sandboxing.
 .TP
-\fBx11 xpra
-Enable X11 sandboxing with xpra.
-.TP
-\fBx11 xephyr
-Enable X11 sandboxing with xephyr.
-.TP
 \fBx11 none
 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 xorg
+Enable X11 sandboxing with X11 security extension.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
 
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.

src/man/firejail.txt

@@ -1662,15 +1662,17 @@ $ sudo firejail --writable-var
 
 .TP
 \fB\-\-x11
-Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
-The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
-applications started in the sandbox from accessing other X11 displays.
-A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+Sandbox the application using Xpra, Xephyr or Xorg security extension.
+The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
+clients running outside the sandbox.
+Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+If all fails, Firejail will not attempt to use X11 security extension.
 .br
 
-br
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
-This feature is not available when running as root. 
+.br
+Xpra and Xephyr modes require a network namespace to be instantiated in order to disable
+X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
+by adding "-nolisten local" on Xorg command line.
 .br
 
 .br
@@ -1679,31 +1681,30 @@ Example:
 $ firejail \-\-x11 --net=eth0 firefox
 
 .TP
-\fB\-\-x11=xpra
-Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
-Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
-On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
-This feature is not available when running as root.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-x11=xpra --net=eth0 firefox
+\fB\-\-x11=none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
 
 .TP
 \fB\-\-x11=xephyr
-Start a new X11 server using Xephyr and attach the sandbox to this server.
+Start Xephyr and attach the sandbox to this server.
 Xephyr is a display server implementing the X11 display server protocol.
-It runs in a window just like other X applications, but it is an X server itself in which you can run other software.
-The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file,
-see \fBman 5 firejail-config\fR for more details.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+
+.br
+Xephyr runs in a window just like any other X11 application. The default window size is 800x600.
+This can be modified in /etc/firejail/firejail.config file.
 .br
 
 .br
 The recommended way to use this feature is to run a window manager inside the sandbox.
 A security profile for OpenBox is provided.
-On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
+.br
+
+.br
+Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
 This feature is not available when running as root. 
 .br
 
@@ -1713,12 +1714,41 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 
 .TP
-\fB\-\-x11=none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
-Remove DISPLAY and XAUTHORITY environment variables.
-Stop with error message if X11 abstract socket will be accessible in jail.
+\fB\-\-x11=xorg
+Sandbox the application using the untrusted mode implemented by X11 security extension. 
+The extension is available in Xorg package
+and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted 
+connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
+contents of other clients, stealing input events, etc.
+
+The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
+Firefox and transmission-gtk seem to be working fine.
+A network namespace is not required for this option.
 .br
 
+.br
+Example:
+.br
+$ firejail \-\-x11=xorg firefox
+
+.TP
+\fB\-\-x11=xpra
+Start Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+
+.br
+On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+This feature is not available when running as root.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-x11=xpra --net=eth0 firefox
+
 .TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.