author | netblue30 <netblue30@yahoo.com> | 2016-03-30 09:55:51 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-30 09:55:51 -0400 |
commit | 300402947156774d31c43ae2b734184315d33122 (patch) | |
tree | ced6b430d0ad2e460dbaaf5ada53438595ea12d6 /README.md | |
parent | todo (diff) | |
download | firejail-300402947156774d31c43ae2b734184315d33122.tar.gz firejail-300402947156774d31c43ae2b734184315d33122.tar.zst firejail-300402947156774d31c43ae2b734184315d33122.zip |
x11 work
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 48 |
1 files changed, 43 insertions, 5 deletions
@@ -41,13 +41,51 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
41 | 41 | ||
42 | ## X11 sandboxing support | 42 | ## X11 sandboxing support |
43 | 43 | ||
44 | X11 support is built around Xpra (http://xpra.org/). | 44 | X11 support is built around Xpra (http://xpra.org/) of Xephyr. |
45 | So far I've seen it working on Debian 7 and 8, and Ubuntu 14.04. If you manage to run it on another | ||
46 | distribution, please let me know. Example: | ||
47 | ````` | 45 | ````` |
48 | $ firejail --x11 --net=eth0 firefox | 46 | --x11 Start a new X11 server using Xpra or Xephyr and attach the sand‐ |
47 | box to this server. The regular X11 server (display 0) is not | ||
48 | visible in the sandbox. This prevents screenshot and keylogger | ||
49 | applications started in the sandbox from accessing other X11 | ||
50 | displays. A network namespace needs to be instantiated in order | ||
51 | to deny access to X11 abstract Unix domain socket. | ||
52 | |||
53 | Firejail will try first Xpra, and if Xpra is not installed on | ||
54 | the system, it will try to find Xephyr. This feature is not | ||
55 | available when running as root. | ||
56 | |||
57 | Example: | ||
58 | $ firejail --x11 --net=eth0 firefox | ||
59 | |||
60 | --x11=xpra | ||
61 | Start a new X11 server using Xpra (http://xpra.org) and attach | ||
62 | the sandbox to this server. Xpra is a persistent remote display | ||
63 | server and client for forwarding X11 applications and desktop | ||
64 | screens. On Debian platforms Xpra is installed with the command | ||
65 | sudo apt-get install xpra. This feature is not available when | ||
66 | running as root. | ||
67 | |||
68 | Example: | ||
69 | $ firejail --x11 --net=eth0 firefox | ||
70 | |||
71 | --x11=xephyr | ||
72 | Start a new X11 server using Xephyr and attach the sandbox to | ||
73 | this server. Xephyr is a display server implementing the X11 | ||
74 | display server protocol. It runs in a window just like other X | ||
75 | applications, but it is an X server itself in which you can run | ||
76 | other software. The default Xephyr window size is 800x600. This | ||
77 | can be modified in /etc/firejail/firejail.config file, see man 5 | ||
78 | firejail-config for more details. | ||
79 | |||
80 | The recommended way to use this feature is to run a window man‐ | ||
81 | ager inside the sandbox. A security profile for OpenBox is pro‐ | ||
82 | vided. On Debian platforms Xephyr is installed with the command | ||
83 | sudo apt-get install xserver-xephyr. This feature is not avail‐ | ||
84 | able when running as root. | ||
85 | |||
86 | Example: | ||
87 | $ firejail --x11 --net=eth0 openbox | ||
49 | ````` | 88 | ````` |
50 | --x11 starts the server, --net is required in order to remove the main X11 server socket from the sandbox. | ||
51 | More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ | 89 | More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ |
52 | 90 | ||
53 | ## File transfers | 91 | ## File transfers |
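Review bot: The Example blocks under --x11=xpra and --x11=xephyr (new lines 68-69 and 86-87) both invoke plain --x11 ("$ firejail --x11 --net=eth0 firefox" and "$ firejail --x11 --net=eth0 openbox"), so neither demonstrates the option it documents. Because the --x11 text states that Firejail tries Xpra first, the Xephyr example as written would start Xpra on a system that has both installed; use --x11=xpra and --x11=xephyr in those two examples. On new line 44, "Xpra (http://xpra.org/) of Xephyr" should read "or Xephyr". The text pasted from the man page also keeps its line-wrap hyphenation ("sand‐" / "box", "man‐" / "ager", "pro‐" / "vided", "avail‐" / "able"); rejoin those words for the README. Finally, the removed line 50 stated in one sentence that --net is required to remove the main X11 server socket from the sandbox; the replacement only says this under plain --x11, so consider repeating the network namespace requirement under --x11=xpra and --x11=xephyr, where the examples pass --net=eth0 without explanation.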