--x11=xorg

author: netblue30 <netblue30@yahoo.com> 2016-10-03 10:15:14 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-10-03 10:15:14 -0400
commit: 0579100e2df9b9af899a7143ff1dd2511ca226c1 (patch)
tree: 850382d42d3aa0afa71b00d5fdd1703b0c5f5658 /README.md
parent: renamed --x11=block to --x11=none, brought back the requirement for network n... (diff)
download: firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.gz
firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.zst
firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.zip
1 files changed, 29 insertions, 7 deletions
diff --git a/README.md b/README.md
index a8075cc1e..43aa183ef 100644
--- a/README.md
+++ b/README.md
@@ -45,14 +45,36 @@ If you keep your Firejail profiles in a public repository, please give us a link
 `````
 # Current development version: 0.9.43
-## New command line options
+## X11 development
 `````
-      --x11=none
+       --x11=none
-              Blacklist  /tmp/.X11-unix  directory,  ${HOME}/.Xauthority  and  file
+              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
-              specified in ${XAUTHORITY} environment variable.  Remove  DISPLAY  and
+              file  specified  in  ${XAUTHORITY} environment variable.  Remove
-              XAUTHORITY  environment  variables.   Stop  with  error message if X11
+              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
-              abstract socket will be accessible in jail.
+              message if X11 abstract socket will be accessible in jail.
+      --x11=xorg
+              Sandbox the application using the untrusted mode implemented  by
+              X11  security  extension.   The  extension  is available in Xorg
+              package and it is installed by default on most  Linux  distribu‐
+              tions.  It  provides support for a simple trusted/untrusted con‐
+              nection model. Untrusted clients are restricted in certain  ways
+              to  prevent  them from reading window contents of other clients,
+              stealing input events, etc.
+              The untrusted mode has several limitations.  A  lot  of  regular
+              programs   assume  they are a trusted X11 clients and will crash
+              or lock up when run in  untrusted  mode.  Chromium  browser  and
+              xterm are two examples.  Firefox and transmission-gtk seem to be
+              working fine.  A network namespace  is  not  required  for  this
+              option.
+              Example:
+              $ firejail --x11=xorg firefox
+`````
+## Other command line options
+`````
      --put=name|pid src-filename dest-filename
              Put src-filename in sandbox container.  The container is specified by name or PID.
@@ -84,7 +106,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
 ## New profile commands
-x11 xpra, x11 xephyr, x11 none, allusers, join-or-start
+x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start
 ## New profiles
author	netblue30 <netblue30@yahoo.com>	2016-10-03 10:15:14 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-10-03 10:15:14 -0400
commit	0579100e2df9b9af899a7143ff1dd2511ca226c1 (patch)
tree	850382d42d3aa0afa71b00d5fdd1703b0c5f5658 /README.md
parent	renamed --x11=block to --x11=none, brought back the requirement for network n... (diff)
download	firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.gz firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.zst firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.zip

diff --git a/README.md b/README.md index a8075cc1e..43aa183ef 100644 --- a/README.md +++ b/README.md
@@ -45,14 +45,36 @@ If you keep your Firejail profiles in a public repository, please give us a link
45	`````	45	`````
46	# Current development version: 0.9.43	46	# Current development version: 0.9.43
47		47
48	## New command line options	48	## X11 development
49	`````	49	`````
50	--x11=none	50	--x11=none
51	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file	51	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
52	specified in ${XAUTHORITY} environment variable. Remove DISPLAY and	52	file specified in ${XAUTHORITY} environment variable. Remove
53	XAUTHORITY environment variables. Stop with error message if X11	53	DISPLAY and XAUTHORITY environment variables. Stop with error
54	abstract socket will be accessible in jail.	54	message if X11 abstract socket will be accessible in jail.
		55
		56	--x11=xorg
		57	Sandbox the application using the untrusted mode implemented by
		58	X11 security extension. The extension is available in Xorg
		59	package and it is installed by default on most Linux distribu‐
		60	tions. It provides support for a simple trusted/untrusted con‐
		61	nection model. Untrusted clients are restricted in certain ways
		62	to prevent them from reading window contents of other clients,
		63	stealing input events, etc.
		64
		65	The untrusted mode has several limitations. A lot of regular
		66	programs assume they are a trusted X11 clients and will crash
		67	or lock up when run in untrusted mode. Chromium browser and
		68	xterm are two examples. Firefox and transmission-gtk seem to be
		69	working fine. A network namespace is not required for this
		70	option.
55		71
		72	Example:
		73	$ firejail --x11=xorg firefox
		74	`````
		75
		76	## Other command line options
		77	`````
56	--put=name\|pid src-filename dest-filename	78	--put=name\|pid src-filename dest-filename
57	Put src-filename in sandbox container. The container is specified by name or PID.	79	Put src-filename in sandbox container. The container is specified by name or PID.
58		80
@@ -84,7 +106,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
84		106
85	## New profile commands	107	## New profile commands
86		108
87	x11 xpra, x11 xephyr, x11 none, allusers, join-or-start	109	x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start
88		110
89	## New profiles	111	## New profiles
90		112