author | netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
commit | 0579100e2df9b9af899a7143ff1dd2511ca226c1 (patch) | |
tree | 850382d42d3aa0afa71b00d5fdd1703b0c5f5658 /src/man | |
parent | renamed --x11=block to --x11=none, brought back the requirement for network n... (diff) | |
--x11=xorg
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 15 | ||||
-rw-r--r-- | src/man/firejail.txt | 84 |
2 files changed, 66 insertions, 33 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index f4b2c22fa..d420fab7a 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -279,16 +279,19 @@ There is no root account (uid 0) defined in the namespace. | |||
279 | \fBx11 | 279 | \fBx11 |
280 | Enable X11 sandboxing. | 280 | Enable X11 sandboxing. |
281 | .TP | 281 | .TP |
282 | \fBx11 xpra | ||
283 | Enable X11 sandboxing with xpra. | ||
284 | .TP | ||
285 | \fBx11 xephyr | ||
286 | Enable X11 sandboxing with xephyr. | ||
287 | .TP | ||
288 | \fBx11 none | 282 | \fBx11 none |
289 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 283 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. |
290 | Remove DISPLAY and XAUTHORITY environment variables. | 284 | Remove DISPLAY and XAUTHORITY environment variables. |
291 | Stop with error message if X11 abstract socket will be accessible in jail. | 285 | Stop with error message if X11 abstract socket will be accessible in jail. |
286 | .TP | ||
287 | \fBx11 xephyr | ||
288 | Enable X11 sandboxing with xephyr. | ||
289 | .TP | ||
290 | \fBx11 xorg | ||
291 | Enable X11 sandboxing with X11 security extension. | ||
292 | .TP | ||
293 | \fBx11 xpra | ||
294 | Enable X11 sandboxing with xpra. | ||
292 | 295 | ||
293 | .SH Resource limits, CPU affinity, Control Groups | 296 | .SH Resource limits, CPU affinity, Control Groups |
294 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 297 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
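Review bot: The "x11 xephyr" and "x11 xpra" profile entries (new lines 287-288 and 293-294) give no hint that a network namespace is needed, while the firejail.txt part of this same commit says both modes require one "in order to deny access to X11 abstract Unix domain socket". A profile author reading only this page can enable either mode and leave the abstract socket reachable. Suggest adding that sentence to both entries, and noting under "x11 xorg" that the untrusted mode has limitations, with a pointer to the \-\-x11=xorg text in firejail(1). The plain "x11" entry would also benefit from stating the Xpra-then-Xephyr selection order described in firejail.txt.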
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index aadc54677..4aebb71e8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1662,15 +1662,17 @@ $ sudo firejail --writable-var | |||
1662 | 1662 | ||
1663 | .TP | 1663 | .TP |
1664 | \fB\-\-x11 | 1664 | \fB\-\-x11 |
1665 | Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. | 1665 | Sandbox the application using Xpra, Xephyr or Xorg security extension. |
1666 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger | 1666 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing |
1667 | applications started in the sandbox from accessing other X11 displays. | 1667 | clients running outside the sandbox. |
1668 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | 1668 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. |
1669 | If all fails, Firejail will not attempt to use X11 security extension. | ||
1669 | .br | 1670 | .br |
1670 | 1671 | ||
1671 | br | 1672 | .br |
1672 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | 1673 | Xpra and Xephyr modes require a network namespace to be instantiated in order to disable |
1673 | This feature is not available when running as root. | 1674 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket |
1675 | by adding "-nolisten local" on Xorg command line. | ||
1674 | .br | 1676 | .br |
1675 | 1677 | ||
1676 | .br | 1678 | .br |
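Review bot: New line 1665 lists "Xorg security extension" as one of the mechanisms behind plain \-\-x11, but new line 1669 then says "If all fails, Firejail will not attempt to use X11 security extension", so the summary promises a fallback that the option never takes. Suggest dropping Xorg from the first sentence, or rewording 1669 to say that the security extension is used only with \-\-x11=xorg and stating what Firejail does when neither Xpra nor Xephyr is found. On 1666, "will prevents" should be "prevents". This hunk also removes "This feature is not available when running as root." from the generic entry while the xephyr and xpra entries keep it; if the restriction still applies to plain \-\-x11, the sentence should stay here too.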
@@ -1679,31 +1681,30 @@ Example: | |||
1679 | $ firejail \-\-x11 --net=eth0 firefox | 1681 | $ firejail \-\-x11 --net=eth0 firefox |
1680 | 1682 | ||
1681 | .TP | 1683 | .TP |
1682 | \fB\-\-x11=xpra | 1684 | \fB\-\-x11=none |
1683 | Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. | 1685 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable. |
1684 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | 1686 | Remove DISPLAY and XAUTHORITY environment variables. |
1685 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | 1687 | Stop with error message if X11 abstract socket will be accessible in jail. |
1686 | This feature is not available when running as root. | ||
1687 | .br | ||
1688 | |||
1689 | .br | ||
1690 | Example: | ||
1691 | .br | ||
1692 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
1693 | 1688 | ||
1694 | .TP | 1689 | .TP |
1695 | \fB\-\-x11=xephyr | 1690 | \fB\-\-x11=xephyr |
1696 | Start a new X11 server using Xephyr and attach the sandbox to this server. | 1691 | Start Xephyr and attach the sandbox to this server. |
1697 | Xephyr is a display server implementing the X11 display server protocol. | 1692 | Xephyr is a display server implementing the X11 display server protocol. |
1698 | It runs in a window just like other X applications, but it is an X server itself in which you can run other software. | 1693 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. |
1699 | The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, | 1694 | .br |
1700 | see \fBman 5 firejail-config\fR for more details. | 1695 | |
1696 | .br | ||
1697 | Xephyr runs in a window just like any other X11 application. The default window size is 800x600. | ||
1698 | This can be modified in /etc/firejail/firejail.config file. | ||
1701 | .br | 1699 | .br |
1702 | 1700 | ||
1703 | .br | 1701 | .br |
1704 | The recommended way to use this feature is to run a window manager inside the sandbox. | 1702 | The recommended way to use this feature is to run a window manager inside the sandbox. |
1705 | A security profile for OpenBox is provided. | 1703 | A security profile for OpenBox is provided. |
1706 | On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | 1704 | .br |
1705 | |||
1706 | .br | ||
1707 | Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | ||
1707 | This feature is not available when running as root. | 1708 | This feature is not available when running as root. |
1708 | .br | 1709 | .br |
1709 | 1710 | ||
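Review bot: The relocated \-\-x11=none entry (new lines 1684-1687) says Firejail will "Stop with error message if X11 abstract socket will be accessible in jail" but does not tell the user how to get past that error. The generic \-\-x11 text in this commit already names the two remedies (a network namespace, or "-nolisten local" on the Xorg command line), so a one-line pointer to them here would help; this is also the only \-\-x11 variant without an Example block. In the xephyr entry, new line 1698 drops the earlier reference to \fBman 5 firejail-config\fR for changing the window size; please keep that cross-reference.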
@@ -1713,11 +1714,40 @@ Example: | |||
1713 | $ firejail \-\-x11=xephyr --net=eth0 openbox | 1714 | $ firejail \-\-x11=xephyr --net=eth0 openbox |
1714 | 1715 | ||
1715 | .TP | 1716 | .TP |
1716 | \fB\-\-x11=none | 1717 | \fB\-\-x11=xorg |
1717 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 1718 | Sandbox the application using the untrusted mode implemented by X11 security extension. |
1718 | Remove DISPLAY and XAUTHORITY environment variables. | 1719 | The extension is available in Xorg package |
1719 | Stop with error message if X11 abstract socket will be accessible in jail. | 1720 | and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted |
1721 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | ||
1722 | contents of other clients, stealing input events, etc. | ||
1723 | |||
1724 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | ||
1725 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | ||
1726 | Firefox and transmission-gtk seem to be working fine. | ||
1727 | A network namespace is not required for this option. | ||
1728 | .br | ||
1729 | |||
1730 | .br | ||
1731 | Example: | ||
1732 | .br | ||
1733 | $ firejail \-\-x11=xorg firefox | ||
1734 | |||
1735 | .TP | ||
1736 | \fB\-\-x11=xpra | ||
1737 | Start Xpra (http://xpra.org) and attach the sandbox to this server. | ||
1738 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | ||
1739 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
1740 | .br | ||
1741 | |||
1742 | .br | ||
1743 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | ||
1744 | This feature is not available when running as root. | ||
1745 | .br | ||
1746 | |||
1720 | .br | 1747 | .br |
1748 | Example: | ||
1749 | .br | ||
1750 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
1721 | 1751 | ||
1722 | .TP | 1752 | .TP |
1723 | \fB\-\-zsh | 1753 | \fB\-\-zsh |
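Review bot: New line 1727 states "A network namespace is not required for this option" without saying why, while the xephyr and xpra entries in this same commit require one to deny access to the X11 abstract socket. Please add a sentence explaining what protects other clients in \-\-x11=xorg mode when the sandbox can still reach the regular server, so readers do not assume the same isolation as the Xpra and Xephyr modes. The entry also does not say whether the "not available when running as root" restriction applies, although the xpra entry below it does. Smaller points: "they are a trusted X11 clients" on 1724 should be "they are trusted X11 clients", "available in Xorg package" on 1719 needs an article, and the bare blank line at 1723 breaks the ".br / blank / .br" paragraph pattern used by the other entries.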