netblue30 · FelixPehla · Aug 18, 2024 · kmk3 · Aug 27, 2024
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -424,6 +424,12 @@ static const char *const compiletime_support =
 		"enabled"
 #else
 		"disabled"
+#endif
+	"\n\t- wayland security context support is "
+#ifdef HAVE_WAYLAND_SECURITY_CONTEXT
+		"enabled"
+#else
+		"disabled"
 #endif
 	"\n";
 

diff --git a/src/firejail/env.c b/src/firejail/env.c
@@ -261,7 +261,8 @@ static const char * const env_whitelist[] = {
 	"LANGUAGE",
 	"LC_MESSAGES",
 	// "PATH",
-	"DISPLAY"	// required by X11
+	"DISPLAY",	// required by X11
+	"WAYLAND_DISPLAY"	// required by wayland
 };
 
 static const char * const env_whitelist_sbox[] = {

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -376,6 +376,7 @@ extern int arg_deterministic_shutdown;	// shut down the sandbox if first child d
 extern int arg_keep_fd_all;	// inherit all file descriptors to sandbox
 extern int arg_netlock;	// netlocker
 extern int arg_restrict_namespaces;
+extern int arg_wayland;	// filter wayland socket
 
 typedef enum {
 	DBUS_POLICY_ALLOW,	// Allow unrestricted access to the bus

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -171,6 +171,7 @@ int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
 int arg_restrict_namespaces = 0;
+int arg_wayland = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1646,6 +1647,11 @@ int main(int argc, char **argv, char **envp) {
 				cfg.nice = 0;
 			arg_nice = 1;
 		}
+#ifdef HAVE_WAYLAND_SECURITY_CONTEXT
+		else if (strcmp(argv[1], "--wayland") == 0) {
+			arg_wayland = 1;
+		}
+#endif
 
 		//*************************************
 		// filesystem

diff --git a/src/firejail/wayland.c b/src/firejail/wayland.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2014-2024 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+ #include "firejail.h"
+
+