From ddf50ee4f6364f5b465921c1eed50fc879bc2310 Mon Sep 17 00:00:00 2001
From: Aleksey Manevich
Date: Mon, 12 Sep 2016 15:03:03 +0300
Subject: [PATCH 1/2] grsecurity fix
---
 src/firejail/x11.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 29111d5ff..48af39caf 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -54,7 +54,11 @@ static int x11_check_xephyr(void) {
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
 char *path;
+
+ EUID_ROOT(); // grsecurity fix
 FILE *fp = fopen("/proc/net/unix", "r");
+ EUID_USER();
+
 if (!fp)
 errExit("fopen");

From 025aae5bd230a5a1809f52e714801ec77f370652 Mon Sep 17 00:00:00 2001
From: Aleksey Manevich
Date: Mon, 12 Sep 2016 16:00:58 +0300
Subject: [PATCH 2/2] change error message
---
 src/firejail/x11.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 48af39caf..774294ff1 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -598,9 +598,10 @@ void x11_block(void) {
 if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) && x11_abstract_sockets_present()) {
 fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
- "Additional setup required. To block abstract X11 socket you need either:\n"
- " * use network namespace (--net=none, --net=...)\n"
- " * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
+ "Additional setup required. To block abstract X11 socket you can either:\n"
+ " * use network namespace in firejail (--net=none, --net=...)\n"
+ " * add \"-nolisten local\" to xserver options\n"
+ " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
 exit(1);
 }
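Review bot: The `// grsecurity fix` comment on the added `EUID_ROOT();` line in x11_abstract_sockets_present() does not say why the effective uid is raised, which matters for a privilege switch in a setuid program. Presumably grsecurity kernels refuse unprivileged reads of /proc/net/unix, so I would write `// grsecurity may hide /proc/net/unix from non-root: open it as root, then drop back before parsing`. The raised window covers only a constant path and ends before the file is read, and that ordering is worth stating so later edits do not move the parsing inside it. The `if (!fp)` check now runs after `EUID_USER()`, so if that macro can change `errno` the message from `errExit("fopen")` may name the wrong error. The function body continues past the end of this hunk.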