From ae7c2f508b0f27b5e7115dd3e75cec19eb40befa Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Fri, 17 Feb 2017 10:08:12 -0500
Subject: [PATCH] merge #1100 from zackw: x11=xorg testing

---
 src/firejail/x11.c                      | 10 +++++++---
 test/apps-x11-xorg/firefox.exp          |  2 +-
 test/apps-x11-xorg/icedove.exp          |  2 +-
 test/apps-x11-xorg/transmission-gtk.exp |  2 +-
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0fa789ff1..74eb00268 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -625,7 +625,6 @@ void x11_start(int argc, char **argv) {
 		exit(0);
 	}
 }
-
 #endif
 
 // Porting notes:
@@ -642,6 +641,11 @@ void x11_start(int argc, char **argv) {
 // directory, we need to make sure /usr/bin/xauth executable is the real thing, and not
 // something picked up on $PATH.
 //
+// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens
+// when using a network namespace. Somehow, xauth tries to connect to the abstract socket,
+// and it failes because of the network namespace - it should try to connect to the regular
+// Unix socket! If we ignore the fail condition, the program will be started on X server without
+// the security extension loaded.
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -690,7 +694,7 @@ void x11_xorg(void) {
 #ifdef HAVE_GCOV
 		__gcov_flush();
 #endif
-		execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
+		execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
 			"generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
 		
 		_exit(127);
@@ -719,7 +723,7 @@ void x11_xorg(void) {
 	// ensure the file has the correct permissions and move it
 	// into the correct location.
 	if (stat(tmpfname, &s) == -1) {
-		fprintf(stderr, "Error: .Xauthority file was mpt created\n");
+		fprintf(stderr, "Error: .Xauthority file was not created\n");
 		exit(1);
 	}
 	if (set_perms(tmpfname, getuid(), getgid(), 0600))
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
index f66aeddd8..4da9e5a16 100755
--- a/test/apps-x11-xorg/firefox.exp
+++ b/test/apps-x11-xorg/firefox.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange firefox -no-remote www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp
index f7a08aa8f..ce1d38222 100755
--- a/test/apps-x11-xorg/icedove.exp
+++ b/test/apps-x11-xorg/icedove.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg icedove\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange icedove\r"
 sleep 10
 
 spawn $env(SHELL)
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
index de8a7f7c6..c6d9ba13a 100755
--- a/test/apps-x11-xorg/transmission-gtk.exp
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-gtk\r"
 sleep 10
 
 spawn $env(SHELL)