author | netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
commit | 0579100e2df9b9af899a7143ff1dd2511ca226c1 (patch) | |
tree | 850382d42d3aa0afa71b00d5fdd1703b0c5f5658 /README.md | |
parent | renamed --x11=block to --x11=none, brought back the requirement for network n... (diff) | |
download | firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.gz firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.zst firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.zip |
--x11=xorg
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 36 |
1 files changed, 29 insertions, 7 deletions
@@ -45,14 +45,36 @@ If you keep your Firejail profiles in a public repository, please give us a link | |||
45 | ````` | 45 | ````` |
46 | # Current development version: 0.9.43 | 46 | # Current development version: 0.9.43 |
47 | 47 | ||
48 | ## New command line options | 48 | ## X11 development |
49 | ````` | 49 | ````` |
50 | --x11=none | 50 | --x11=none |
51 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file | 51 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the |
52 | specified in ${XAUTHORITY} environment variable. Remove DISPLAY and | 52 | file specified in ${XAUTHORITY} environment variable. Remove |
53 | XAUTHORITY environment variables. Stop with error message if X11 | 53 | DISPLAY and XAUTHORITY environment variables. Stop with error |
54 | abstract socket will be accessible in jail. | 54 | message if X11 abstract socket will be accessible in jail. |
55 | |||
56 | --x11=xorg | ||
57 | Sandbox the application using the untrusted mode implemented by | ||
58 | X11 security extension. The extension is available in Xorg | ||
59 | package and it is installed by default on most Linux distribu‐ | ||
60 | tions. It provides support for a simple trusted/untrusted con‐ | ||
61 | nection model. Untrusted clients are restricted in certain ways | ||
62 | to prevent them from reading window contents of other clients, | ||
63 | stealing input events, etc. | ||
64 | |||
65 | The untrusted mode has several limitations. A lot of regular | ||
66 | programs assume they are a trusted X11 clients and will crash | ||
67 | or lock up when run in untrusted mode. Chromium browser and | ||
68 | xterm are two examples. Firefox and transmission-gtk seem to be | ||
69 | working fine. A network namespace is not required for this | ||
70 | option. | ||
55 | 71 | ||
72 | Example: | ||
73 | $ firejail --x11=xorg firefox | ||
74 | ````` | ||
75 | |||
76 | ## Other command line options | ||
77 | ````` | ||
56 | --put=name|pid src-filename dest-filename | 78 | --put=name|pid src-filename dest-filename |
57 | Put src-filename in sandbox container. The container is specified by name or PID. | 79 | Put src-filename in sandbox container. The container is specified by name or PID. |
58 | 80 | ||
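Review bot: The new --x11=xorg text (new lines 69-70) says "A network namespace is not required for this option" but gives no reason, while the --x11=none entry directly above stops with an error if the X11 abstract socket is accessible in the jail. A reader comparing the two cannot tell whether the abstract socket stays reachable under xorg mode or what the untrusted mode is relied on to restrict in that case. Please add a sentence stating this explicitly. Minor wording on new line 66: "assume they are a trusted X11 clients" should read "assume they are trusted X11 clients".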
@@ -84,7 +106,7 @@ If you keep your Firejail profiles in a public repository, please give us a link | |||
84 | 106 | ||
85 | ## New profile commands | 107 | ## New profile commands |
86 | 108 | ||
87 | x11 xpra, x11 xephyr, x11 none, allusers, join-or-start | 109 | x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start |
88 | 110 | ||
89 | ## New profiles | 111 | ## New profiles |
90 | 112 | ||
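Review bot: On new line 109 the comma between the added "x11 xorg" and "allusers" is missing, so the list reads as a single profile command "x11 xorg allusers". It should be "x11 none, x11 xorg, allusers, join-or-start" to match the separators used for the other entries.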