author | netblue30 <netblue30@yahoo.com> | 2016-03-30 09:55:51 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-30 09:55:51 -0400 |
commit | 300402947156774d31c43ae2b734184315d33122 (patch) | |
tree | ced6b430d0ad2e460dbaaf5ada53438595ea12d6 | |
parent | todo (diff) | |
download | firejail-300402947156774d31c43ae2b734184315d33122.tar.gz firejail-300402947156774d31c43ae2b734184315d33122.tar.zst firejail-300402947156774d31c43ae2b734184315d33122.zip |
x11 work
-rw-r--r-- | README.md | 48 | ||||
-rw-r--r-- | RELNOTES | 10 | ||||
-rw-r--r-- | etc/firejail.config | 16 | ||||
-rw-r--r-- | src/man/firejail-config.txt | 27 | ||||
-rw-r--r-- | src/man/firejail.txt | 43 |
5 files changed, 119 insertions, 25 deletions
@@ -41,13 +41,51 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
41 | 41 | ||
42 | ## X11 sandboxing support | 42 | ## X11 sandboxing support |
43 | 43 | ||
44 | X11 support is built around Xpra (http://xpra.org/). | 44 | X11 support is built around Xpra (http://xpra.org/) of Xephyr. |
45 | So far I've seen it working on Debian 7 and 8, and Ubuntu 14.04. If you manage to run it on another | ||
46 | distribution, please let me know. Example: | ||
47 | ````` | 45 | ````` |
48 | $ firejail --x11 --net=eth0 firefox | 46 | --x11 Start a new X11 server using Xpra or Xephyr and attach the sand‐ |
47 | box to this server. The regular X11 server (display 0) is not | ||
48 | visible in the sandbox. This prevents screenshot and keylogger | ||
49 | applications started in the sandbox from accessing other X11 | ||
50 | displays. A network namespace needs to be instantiated in order | ||
51 | to deny access to X11 abstract Unix domain socket. | ||
52 | |||
53 | Firejail will try first Xpra, and if Xpra is not installed on | ||
54 | the system, it will try to find Xephyr. This feature is not | ||
55 | available when running as root. | ||
56 | |||
57 | Example: | ||
58 | $ firejail --x11 --net=eth0 firefox | ||
59 | |||
60 | --x11=xpra | ||
61 | Start a new X11 server using Xpra (http://xpra.org) and attach | ||
62 | the sandbox to this server. Xpra is a persistent remote display | ||
63 | server and client for forwarding X11 applications and desktop | ||
64 | screens. On Debian platforms Xpra is installed with the command | ||
65 | sudo apt-get install xpra. This feature is not available when | ||
66 | running as root. | ||
67 | |||
68 | Example: | ||
69 | $ firejail --x11 --net=eth0 firefox | ||
70 | |||
71 | --x11=xephyr | ||
72 | Start a new X11 server using Xephyr and attach the sandbox to | ||
73 | this server. Xephyr is a display server implementing the X11 | ||
74 | display server protocol. It runs in a window just like other X | ||
75 | applications, but it is an X server itself in which you can run | ||
76 | other software. The default Xephyr window size is 800x600. This | ||
77 | can be modified in /etc/firejail/firejail.config file, see man 5 | ||
78 | firejail-config for more details. | ||
79 | |||
80 | The recommended way to use this feature is to run a window man‐ | ||
81 | ager inside the sandbox. A security profile for OpenBox is pro‐ | ||
82 | vided. On Debian platforms Xephyr is installed with the command | ||
83 | sudo apt-get install xserver-xephyr. This feature is not avail‐ | ||
84 | able when running as root. | ||
85 | |||
86 | Example: | ||
87 | $ firejail --x11 --net=eth0 openbox | ||
49 | ````` | 88 | ````` |
50 | --x11 starts the server, --net is required in order to remove the main X11 server socket from the sandbox. | ||
51 | More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ | 89 | More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ |
52 | 90 | ||
53 | ## File transfers | 91 | ## File transfers |
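Review bot: On new line 44 of README.md, "Xpra (http://xpra.org/) of Xephyr" should read "or Xephyr". The block pasted under it is rendered man output, so it carries hard hyphenation ("sand‐" / "box", "man‐" / "ager", "pro‐" / "vided") that will appear as broken words inside the fenced block; rejoin those words or paste from the unwrapped source. The examples under --x11=xpra and --x11=xephyr (new lines 69 and 87) both use bare --x11, so neither demonstrates the option it sits under.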
@@ -1,8 +1,8 @@ | |||
1 | firejail (0.9.39) baseline; urgency=low | 1 | firejail (0.9.39) baseline; urgency=low |
2 | * default seccomp filter update | ||
3 | * disable STUN/WebRTC in default netfilter configuration | ||
4 | * added --nice option | 2 | * added --nice option |
5 | * added --x11 option | 3 | * added --x11 option |
4 | * added --x11=xpra option | ||
5 | * added --x11=xephyr option | ||
6 | * added filetransfer options --ls and --get | 6 | * added filetransfer options --ls and --get |
7 | * added mkdir, ipc-namespace and nosound profile commands | 7 | * added mkdir, ipc-namespace and nosound profile commands |
8 | * --version also prints compile options | 8 | * --version also prints compile options |
@@ -10,10 +10,12 @@ firejail (0.9.39) baseline; urgency=low | |||
10 | * added compile-time option to restrict --net= to root only | 10 | * added compile-time option to restrict --net= to root only |
11 | * run time config support, man firejail-config | 11 | * run time config support, man firejail-config |
12 | * added firecfg utility | 12 | * added firecfg utility |
13 | * build rpm packages using "make rpms" | 13 | * default seccomp filter update |
14 | * disable STUN/WebRTC in default netfilter configuration | ||
14 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril | 15 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril |
15 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars | 16 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars |
16 | * new profiles: qTox | 17 | * new profiles: qTox, OpenSSH client, OpenBox |
18 | * build rpm packages using "make rpms" | ||
17 | * bugfixes | 19 | * bugfixes |
18 | -- netblue30 <netblue30@yahoo.com> Wed, 16 Mar 2016 08:00:00 -0500 | 20 | -- netblue30 <netblue30@yahoo.com> Wed, 16 Mar 2016 08:00:00 -0500 |
19 | 21 | ||
diff --git a/etc/firejail.config b/etc/firejail.config index 8333c26ba..41cd08e68 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -3,14 +3,14 @@ | |||
3 | # Most features are enabled by default. Use 'yes' or 'no' as configuration | 3 | # Most features are enabled by default. Use 'yes' or 'no' as configuration |
4 | # values. | 4 | # values. |
5 | 5 | ||
6 | # Enable or disable seccomp support, default enabled. | 6 | # Enable or disable bind support, default enabled. |
7 | # seccomp yes | 7 | # bind yes |
8 | 8 | ||
9 | # Enable or disable chroot support, default enabled. | 9 | # Enable or disable chroot support, default enabled. |
10 | # chroot yes | 10 | # chroot yes |
11 | 11 | ||
12 | # Enable or disable bind support, default enabled. | 12 | # Enable or disable file transfer support, default enabled. |
13 | # bind yes | 13 | # file-transfer yes |
14 | 14 | ||
15 | # Enable or disable networking features, default enabled. | 15 | # Enable or disable networking features, default enabled. |
16 | # network yes | 16 | # network yes |
@@ -21,17 +21,17 @@ | |||
21 | # only to root user. Regular users are only allowed --net=none. | 21 | # only to root user. Regular users are only allowed --net=none. |
22 | # restricted-network no | 22 | # restricted-network no |
23 | 23 | ||
24 | # Enable or disable seccomp support, default enabled. | ||
25 | # seccomp yes | ||
26 | |||
24 | # Enable or disable user namespace support, default enabled. | 27 | # Enable or disable user namespace support, default enabled. |
25 | # userns yes | 28 | # userns yes |
26 | 29 | ||
27 | # Enable or disable X11 sandboxing support, default enabled. | 30 | # Enable or disable X11 sandboxing support, default enabled. |
28 | # x11 yes | 31 | # x11 yes |
29 | 32 | ||
30 | # Enable or disable file transfer support, default enabled. | ||
31 | # file-transfer yes | ||
32 | |||
33 | # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for | 33 | # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for |
34 | # a full list of resolutions available on your specifc setup. | 34 | # a full list of resolutions available on your specific setup. |
35 | # xephyr-screen 640x480 | 35 | # xephyr-screen 640x480 |
36 | # xephyr-screen 800x600 | 36 | # xephyr-screen 800x600 |
37 | # xephyr-screen 1024x768 | 37 | # xephyr-screen 1024x768 |
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 687aedf59..fcf4109ee 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt | |||
@@ -14,16 +14,16 @@ time. Most features are enabled by default both at compile time and | |||
14 | at run time. | 14 | at run time. |
15 | 15 | ||
16 | .TP | 16 | .TP |
17 | \fBsecomp | 17 | \fBbind |
18 | Enable or disable seccomp support, default enabled. | 18 | Enable or disable bind support, default enabled. |
19 | 19 | ||
20 | .TP | 20 | .TP |
21 | \fBchroot | 21 | \fBchroot |
22 | Enable or disable chroot support, default enabled. | 22 | Enable or disable chroot support, default enabled. |
23 | 23 | ||
24 | .TP | 24 | .TP |
25 | \fBbind | 25 | \fBfile-transfer |
26 | Enable or disable bind support, default enabled. | 26 | Enable or disable file transfer support, default enabled. |
27 | 27 | ||
28 | .TP | 28 | .TP |
29 | \fBnetwork | 29 | \fBnetwork |
@@ -37,6 +37,10 @@ Restricted networking grants access to --interface and --net=ethXXX | |||
37 | only to root user. Regular users are only allowed --net=none. | 37 | only to root user. Regular users are only allowed --net=none. |
38 | 38 | ||
39 | .TP | 39 | .TP |
40 | \fBsecomp | ||
41 | Enable or disable seccomp support, default enabled. | ||
42 | |||
43 | .TP | ||
40 | \fBuserns | 44 | \fBuserns |
41 | Enable or disable user namespace support, default enabled. | 45 | Enable or disable user namespace support, default enabled. |
42 | 46 | ||
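Review bot: The re-added entry at new line 40 is still spelled "\fBsecomp", while etc/firejail.config in this same commit uses "seccomp yes", so a reader copying the key from the man page gets a name that does not match the config file. Since the entry is being moved anyway, correct it to "\fBseccomp" here.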
@@ -45,8 +49,19 @@ Enable or disable user namespace support, default enabled. | |||
45 | Enable or disable X11 sandboxing support, default enabled. | 49 | Enable or disable X11 sandboxing support, default enabled. |
46 | 50 | ||
47 | .TP | 51 | .TP |
48 | \fBfile-transfer | 52 | \fBxephyr-screen |
49 | Enable or disable file transfer support, default enabled. | 53 | Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for |
54 | a full list of resolutions available on your specific setup. Examples: | ||
55 | .br | ||
56 | |||
57 | .br | ||
58 | xephyr-screen 640x480 | ||
59 | .br | ||
60 | xephyr-screen 800x600 | ||
61 | .br | ||
62 | xephyr-screen 1024x768 | ||
63 | .br | ||
64 | xephyr-screen 1280x1024 | ||
50 | 65 | ||
51 | .SH FILES | 66 | .SH FILES |
52 | /etc/firejail/firejail.config | 67 | /etc/firejail/firejail.config |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6eb7c3ff7..a3c39a82b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1513,10 +1513,28 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | |||
1513 | 1513 | ||
1514 | .TP | 1514 | .TP |
1515 | \fB\-\-x11 | 1515 | \fB\-\-x11 |
1516 | Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. | ||
1517 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger | ||
1518 | applications started in the sandbox from accessing other X11 displays. | ||
1519 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
1520 | .br | ||
1521 | |||
1522 | .br | ||
1523 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | ||
1524 | This feature is not available when running as root. | ||
1525 | .br | ||
1526 | |||
1527 | .br | ||
1528 | Example: | ||
1529 | .br | ||
1530 | $ firejail \-\-x11 --net=eth0 firefox | ||
1531 | |||
1532 | .TP | ||
1533 | \fB\-\-x11=xpra | ||
1516 | Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. | 1534 | Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. |
1517 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | 1535 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. |
1518 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger | 1536 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. |
1519 | applications started in the sandbox from accessing display 0. This feature is not available when running as root. | 1537 | This feature is not available when running as root. |
1520 | .br | 1538 | .br |
1521 | 1539 | ||
1522 | .br | 1540 | .br |
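Review bot: After this change the --x11=xpra entry (new lines 1534-1537) no longer says that display 0 is hidden from the sandbox, and it never mentions that a network namespace is needed to deny access to the X11 abstract Unix domain socket; both statements now live only under the generic --x11 entry. Someone reading only the --x11=xpra entry loses the security rationale and the --net requirement, so either repeat those two sentences or add a pointer to --x11. Minor: the new example at line 1530 escapes \-\-x11 but leaves --net=eth0 unescaped.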
@@ -1525,6 +1543,27 @@ Example: | |||
1525 | $ firejail \-\-x11 --net=eth0 firefox | 1543 | $ firejail \-\-x11 --net=eth0 firefox |
1526 | 1544 | ||
1527 | .TP | 1545 | .TP |
1546 | \fB\-\-x11=xephyr | ||
1547 | Start a new X11 server using Xephyr and attach the sandbox to this server. | ||
1548 | Xephyr is a display server implementing the X11 display server protocol. | ||
1549 | It runs in a window just like other X applications, but it is an X server itself in which you can run other software. | ||
1550 | The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, | ||
1551 | see \fBman 5 firejail-config\fR for more details. | ||
1552 | .br | ||
1553 | |||
1554 | .br | ||
1555 | The recommended way to use this feature is to run a window manager inside the sandbox. | ||
1556 | A security profile for OpenBox is provided. | ||
1557 | On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | ||
1558 | This feature is not available when running as root. | ||
1559 | .br | ||
1560 | |||
1561 | .br | ||
1562 | Example: | ||
1563 | .br | ||
1564 | $ firejail \-\-x11 --net=eth0 openbox | ||
1565 | |||
1566 | .TP | ||
1528 | \fB\-\-zsh | 1567 | \fB\-\-zsh |
1529 | Use /usr/bin/zsh as default user shell. | 1568 | Use /usr/bin/zsh as default user shell. |
1530 | .br | 1569 | .br |
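Review bot: The example at new line 1564 under --x11=xephyr runs "firejail \-\-x11 --net=eth0 openbox", and the --x11 entry states that Firejail tries Xpra first, so on a host with Xpra installed this example does not start Xephyr. Use \-\-x11=xephyr here, and likewise \-\-x11=xpra in the context example at line 1543, so each example exercises the option it documents.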