diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
| commit | 0579100e2df9b9af899a7143ff1dd2511ca226c1 (patch) | |
| tree | 850382d42d3aa0afa71b00d5fdd1703b0c5f5658 /src/man | |
| parent | renamed --x11=block to --x11=none, brought back the requirement for network n... (diff) | |
| download | firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.gz firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.tar.zst firejail-0579100e2df9b9af899a7143ff1dd2511ca226c1.zip | |
--x11=xorg
Diffstat (limited to 'src/man')
| -rw-r--r-- | src/man/firejail-profile.txt | 15 | ||||
| -rw-r--r-- | src/man/firejail.txt | 84 |
2 files changed, 66 insertions, 33 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index f4b2c22fa..d420fab7a 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -279,16 +279,19 @@ There is no root account (uid 0) defined in the namespace. | |||
| 279 | \fBx11 | 279 | \fBx11 |
| 280 | Enable X11 sandboxing. | 280 | Enable X11 sandboxing. |
| 281 | .TP | 281 | .TP |
| 282 | \fBx11 xpra | ||
| 283 | Enable X11 sandboxing with xpra. | ||
| 284 | .TP | ||
| 285 | \fBx11 xephyr | ||
| 286 | Enable X11 sandboxing with xephyr. | ||
| 287 | .TP | ||
| 288 | \fBx11 none | 282 | \fBx11 none |
| 289 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 283 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. |
| 290 | Remove DISPLAY and XAUTHORITY environment variables. | 284 | Remove DISPLAY and XAUTHORITY environment variables. |
| 291 | Stop with error message if X11 abstract socket will be accessible in jail. | 285 | Stop with error message if X11 abstract socket will be accessible in jail. |
| 286 | .TP | ||
| 287 | \fBx11 xephyr | ||
| 288 | Enable X11 sandboxing with xephyr. | ||
| 289 | .TP | ||
| 290 | \fBx11 xorg | ||
| 291 | Enable X11 sandboxing with X11 security extension. | ||
| 292 | .TP | ||
| 293 | \fBx11 xpra | ||
| 294 | Enable X11 sandboxing with xpra. | ||
| 292 | 295 | ||
| 293 | .SH Resource limits, CPU affinity, Control Groups | 296 | .SH Resource limits, CPU affinity, Control Groups |
| 294 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 297 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index aadc54677..4aebb71e8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1662,15 +1662,17 @@ $ sudo firejail --writable-var | |||
| 1662 | 1662 | ||
| 1663 | .TP | 1663 | .TP |
| 1664 | \fB\-\-x11 | 1664 | \fB\-\-x11 |
| 1665 | Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. | 1665 | Sandbox the application using Xpra, Xephyr or Xorg security extension. |
| 1666 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger | 1666 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing |
| 1667 | applications started in the sandbox from accessing other X11 displays. | 1667 | clients running outside the sandbox. |
| 1668 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | 1668 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. |
| 1669 | If all fails, Firejail will not attempt to use X11 security extension. | ||
| 1669 | .br | 1670 | .br |
| 1670 | 1671 | ||
| 1671 | br | 1672 | .br |
| 1672 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | 1673 | Xpra and Xephyr modes require a network namespace to be instantiated in order to disable |
| 1673 | This feature is not available when running as root. | 1674 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket |
| 1675 | by adding "-nolisten local" on Xorg command line. | ||
| 1674 | .br | 1676 | .br |
| 1675 | 1677 | ||
| 1676 | .br | 1678 | .br |
| @@ -1679,31 +1681,30 @@ Example: | |||
| 1679 | $ firejail \-\-x11 --net=eth0 firefox | 1681 | $ firejail \-\-x11 --net=eth0 firefox |
| 1680 | 1682 | ||
| 1681 | .TP | 1683 | .TP |
| 1682 | \fB\-\-x11=xpra | 1684 | \fB\-\-x11=none |
| 1683 | Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. | 1685 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable. |
| 1684 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | 1686 | Remove DISPLAY and XAUTHORITY environment variables. |
| 1685 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | 1687 | Stop with error message if X11 abstract socket will be accessible in jail. |
| 1686 | This feature is not available when running as root. | ||
| 1687 | .br | ||
| 1688 | |||
| 1689 | .br | ||
| 1690 | Example: | ||
| 1691 | .br | ||
| 1692 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
| 1693 | 1688 | ||
| 1694 | .TP | 1689 | .TP |
| 1695 | \fB\-\-x11=xephyr | 1690 | \fB\-\-x11=xephyr |
| 1696 | Start a new X11 server using Xephyr and attach the sandbox to this server. | 1691 | Start Xephyr and attach the sandbox to this server. |
| 1697 | Xephyr is a display server implementing the X11 display server protocol. | 1692 | Xephyr is a display server implementing the X11 display server protocol. |
| 1698 | It runs in a window just like other X applications, but it is an X server itself in which you can run other software. | 1693 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. |
| 1699 | The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, | 1694 | .br |
| 1700 | see \fBman 5 firejail-config\fR for more details. | 1695 | |
| 1696 | .br | ||
| 1697 | Xephyr runs in a window just like any other X11 application. The default window size is 800x600. | ||
| 1698 | This can be modified in /etc/firejail/firejail.config file. | ||
| 1701 | .br | 1699 | .br |
| 1702 | 1700 | ||
| 1703 | .br | 1701 | .br |
| 1704 | The recommended way to use this feature is to run a window manager inside the sandbox. | 1702 | The recommended way to use this feature is to run a window manager inside the sandbox. |
| 1705 | A security profile for OpenBox is provided. | 1703 | A security profile for OpenBox is provided. |
| 1706 | On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | 1704 | .br |
| 1705 | |||
| 1706 | .br | ||
| 1707 | Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | ||
| 1707 | This feature is not available when running as root. | 1708 | This feature is not available when running as root. |
| 1708 | .br | 1709 | .br |
| 1709 | 1710 | ||
| @@ -1713,11 +1714,40 @@ Example: | |||
| 1713 | $ firejail \-\-x11=xephyr --net=eth0 openbox | 1714 | $ firejail \-\-x11=xephyr --net=eth0 openbox |
| 1714 | 1715 | ||
| 1715 | .TP | 1716 | .TP |
| 1716 | \fB\-\-x11=none | 1717 | \fB\-\-x11=xorg |
| 1717 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 1718 | Sandbox the application using the untrusted mode implemented by X11 security extension. |
| 1718 | Remove DISPLAY and XAUTHORITY environment variables. | 1719 | The extension is available in Xorg package |
| 1719 | Stop with error message if X11 abstract socket will be accessible in jail. | 1720 | and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted |
| 1721 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | ||
| 1722 | contents of other clients, stealing input events, etc. | ||
| 1723 | |||
| 1724 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | ||
| 1725 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | ||
| 1726 | Firefox and transmission-gtk seem to be working fine. | ||
| 1727 | A network namespace is not required for this option. | ||
| 1728 | .br | ||
| 1729 | |||
| 1730 | .br | ||
| 1731 | Example: | ||
| 1732 | .br | ||
| 1733 | $ firejail \-\-x11=xorg firefox | ||
| 1734 | |||
| 1735 | .TP | ||
| 1736 | \fB\-\-x11=xpra | ||
| 1737 | Start Xpra (http://xpra.org) and attach the sandbox to this server. | ||
| 1738 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | ||
| 1739 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
| 1740 | .br | ||
| 1741 | |||
| 1742 | .br | ||
| 1743 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | ||
| 1744 | This feature is not available when running as root. | ||
| 1745 | .br | ||
| 1746 | |||
| 1720 | .br | 1747 | .br |
| 1748 | Example: | ||
| 1749 | .br | ||
| 1750 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
| 1721 | 1751 | ||
| 1722 | .TP | 1752 | .TP |
| 1723 | \fB\-\-zsh | 1753 | \fB\-\-zsh |