author | netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-10-03 10:15:14 -0400 |
commit | 0579100e2df9b9af899a7143ff1dd2511ca226c1 (patch) | |
tree | 850382d42d3aa0afa71b00d5fdd1703b0c5f5658 /src | |
parent | renamed --x11=block to --x11=none, brought back the requirement for network n... (diff) | |
--x11=xorg
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/firejail/profile.c | 26 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 15 | ||||
-rw-r--r-- | src/firejail/usage.c | 9 | ||||
-rw-r--r-- | src/firejail/x11.c | 70 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 15 | ||||
-rw-r--r-- | src/man/firejail.txt | 84 |
8 files changed, 182 insertions, 52 deletions
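--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -61,6 +61,7 @@
 #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
 
 #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
+#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
 #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
@@ -321,6 +322,7 @@ extern char *arg_audit_prog; // audit
 extern int arg_apparmor; // apparmor
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
+extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
 
 extern int login_shell;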
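--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -107,6 +107,7 @@ char *arg_audit_prog = NULL; // audit
 int arg_apparmor = 0; // apparmor
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
+int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 
 int login_shell = 0;
@@ -2208,9 +2209,21 @@ int main(int argc, char **argv) {
 return 1;
 }
 }
+
+// unlike all other x11 features, this is available always
 else if (strcmp(argv[i], "--x11=none") == 0) {
 arg_x11_block = 1;
 }
+#ifdef HAVE_X11
+else if (strcmp(argv[i], "--x11=xorg") == 0) {
+if (checkcfg(CFG_X11))
+arg_x11_xorg = 1;
+else {
+fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+exit(1);
+}
+}
+#endif
 else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
 // NOTE: this is second part of option handler,
 // atempt to find and join sandbox is done in other one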
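Review bot: Nothing in the second hunk stops `--x11=none` and `--x11=xorg` from being given together: the two `else if` branches set `arg_x11_block` and `arg_x11_xorg` independently, so a single invocation can ask both to block X11 and to generate an untrusted cookie for it. Unless a later check outside this hunk already rejects the pair, add one after option parsing, e.g. `if (arg_x11_block && arg_x11_xorg) { fprintf(stderr, "Error: --x11=none and --x11=xorg are mutually exclusive\n"); exit(1); }`. The option loop in main() starts and ends outside the hunk, so its final shape is not visible here.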
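--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -657,9 +657,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 
 if (strcmp(ptr, "x11 none") == 0) {
-#ifdef HAVE_X11
 arg_x11_block = 1;
-#endif
 return 0;
 }
 
@@ -681,6 +679,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strcmp(ptr, "x11 xorg") == 0) {
+#ifdef HAVE_X11
+if (checkcfg(CFG_X11))
+arg_x11_xorg = 1;
+else {
+fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+return 0;
+}
+#endif
+return 0;
+}
 if (strcmp(ptr, "x11 xpra") == 0) {
 #ifdef HAVE_X11
 if (checkcfg(CFG_X11)) {
@@ -717,19 +726,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
-#if 0
-if (strncmp(ptr, "private-template ", 17) == 0) {
-if (arg_private) {
-fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
-exit(1);
-}
-cfg.private_template = ptr + 17;
-fs_check_private_template();
-arg_private_template = 1;
-
-return 0;
-}
-#endif
 // private /etc list of files and directories
 if (strncmp(ptr, "private-etc ", 12) == 0) {
 if (arg_writable_etc) {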
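Review bot: The new `x11 xorg` branch in the second hunk fails open: when `checkcfg(CFG_X11)` is false it prints an "Error:" message and then executes `return 0;`, so profile parsing carries on and the sandbox presumably starts without the X11 restriction the profile asked for, whereas the command-line handler in main.c calls `exit(1)` for the same condition. Replacing that inner `return 0;` with `exit(1);` makes both paths refuse to run. When HAVE_X11 is undefined the line is accepted and silently ignored, so a message there would tell the user that no X11 isolation is in effect. profile_check_line() continues outside the hunks, and how the neighbouring `x11 xpra` branch treats a disabled configuration is not visible here.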
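--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -585,8 +585,19 @@ int sandbox(void* sandbox_arg) {
 fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
 else if (arg_overlay)
 fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
-else
+else {
+// for --x11=xorg we need to add xauth command
+if (arg_x11_xorg) {
+EUID_USER();
+char *tmp;
+if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
+errExit("asprintf");
+cfg.bin_private_keep = tmp;
+fs_check_bin_list();
+EUID_ROOT();
+}
 fs_private_bin_list();
+}
 }
 
 if (arg_private_tmp) {
@@ -784,6 +795,8 @@ int sandbox(void* sandbox_arg) {
 
 // clean /tmp/.X11-unix sockets
 fs_x11();
+if (arg_x11_xorg)
+x11_xorg();
 
 //****************************
 // set security filters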
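Review bot: The `x11_xorg()` call in the second hunk runs after the sandbox filesystem has been assembled, and the x11.c part of this commit shows it switching to uid 0 before executing `/usr/bin/xauth`, so the binary that runs as root is whichever one the sandbox's view of /usr/bin provides. The first hunk adds `xauth` to the private-bin list for that reason, but the chroot and overlay branches just above skip private-bin, and there the file may come from a tree the user can write to. That is worth confirming; if it holds, generate the cookie before the filesystem is switched, or run xauth with the user's ids and let the privileged parent copy the result. The one-line comment would also be clearer as `// x11_xorg() executes /usr/bin/xauth inside the sandbox, so keep it in private-bin`. sandbox() starts and ends outside both hunks.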
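--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -282,10 +282,13 @@ void usage(void) {
 printf(" --writable-etc - /etc directory is mounted read-write.\n\n");
 printf(" --writable-var - /var directory is mounted read-write.\n\n");
 
-printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
-printf("\tthen it checks if Xephyr is installed.\n\n");
-printf(" --x11=xpra - enable Xpra X11 server.\n\n");
+printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
+printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
+printf("\tattempt to use X11 security extension.\n\n");
+printf(" --x11=none - disable access to X11 sockets.\n\n");
 printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n");
+printf(" --x11=xorg - enable X11 security extension.\n\n");
+printf(" --x11=xpra - enable Xpra X11 server.\n\n");
 printf(" --zsh - use /usr/bin/zsh as default shell.\n\n");
 printf("\n");
 printf("\n");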
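Review bot: The new `--x11` help text contradicts the man page changed in the same commit: here it says that when Xpra and Xephyr are both missing "it will attempt to use X11 security extension", while src/man/firejail.txt says "Firejail will not attempt to use X11 security extension". The auto-detection code is not part of this diff, so which statement is true cannot be told from here. Check the fallback and align the two strings, because a user relying on plain `--x11` needs to know whether any isolation is applied when neither server is installed.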
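--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -629,3 +629,73 @@ void x11_block(void) {
 env_store("XAUTHORITY", RMENV);
 #endif
 }
+
+void x11_xorg(void) {
+#ifdef HAVE_X11
+// destination
+char *dest;
+if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+errExit("asprintf");
+struct stat s;
+if (stat(dest, &s) == -1) {
+// create an .Xauthority file
+FILE *fp = fopen(dest, "w");
+if (!fp)
+errExit("fopen");
+SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+fclose(fp);
+}
+
+if (stat("/usr/bin/xauth", &s) == -1) {
+fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n");
+exit(1);
+}
+
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// generate a new .Xauthority file
+if (arg_debug)
+printf("Generating a new .Xauthority file\n");
+
+// elevate privileges - files in /run/firejail/mnt directory belong to root
+if (setreuid(0, 0) < 0)
+errExit("setreuid");
+if (setregid(0, 0) < 0)
+errExit("setregid");
+
+char *display = getenv("DISPLAY");
+if (!display)
+display = ":0.0";
+
+execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE,
+"generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
+
+exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+
+// check the file was created and set mode and ownership
+if (stat(RUN_XAUTHORITY_SEC_FILE, &s) == -1) {
+fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+exit(1);
+}
+if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1)
+errExit("chown");
+if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1)
+errExit("chmod");
+
+// mount
+if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) {
+fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
+exit(1);
+}
+if (chown(dest, getuid(), getgid()) == -1)
+errExit("chown");
+if (chmod(dest, 0600) == -1)
+errExit("chmod");
+free(dest);
+#endif
+}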
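Review bot: The file operations on `dest` in x11_xorg() follow symbolic links while the process is privileged: `dest` is `$HOME/.Xauthority`, a path the sandboxed user controls, and `stat()`, `fopen(dest, "w")`, the bind mount and the closing `chown()`/`chmod()` all resolve a link placed there (the chown and mount calls imply root privileges at this point, though the effective uid on entry is not visible in the hunk). Inspect the target with `lstat()`, accept only a regular file, and create a missing one with `O_CREAT | O_EXCL | O_NOFOLLOW`, as sketched below. The child also runs xauth as root with the caller's environment, falls through to `exit(0)` when `execlp()` fails, and the parent passes `NULL` to `waitpid()`, so a failed `generate` is noticed only if the later `stat()` happens to fail. Check the exit status and leave the child with `_exit(1)` after a failed exec.

```c
struct stat s;
if (lstat(dest, &s) == 0) {
	// the mount target must be a plain file, never a link or directory
	if (!S_ISREG(s.st_mode)) {
		fprintf(stderr, "Error: %s is not a regular file\n", dest);
		exit(1);
	}
}
else {
	// O_EXCL | O_NOFOLLOW: never create through a link in the home directory
	int fd = open(dest, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
	if (fd == -1)
		errExit("open");
	if (fchown(fd, getuid(), getgid()) == -1)
		errExit("fchown");
	close(fd);
}
// … unchanged: /usr/bin/xauth lookup, fork, privilege switch and execlp in the child …
	_exit(1);	// reached only when execlp() failed
}
// wait for the child and require a clean exit
int status;
if (waitpid(child, &status, 0) == -1)
	errExit("waitpid");
if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
	fprintf(stderr, "Error: xauth failed to generate the untrusted cookie\n");
	exit(1);
}
// … unchanged: ownership and mode of RUN_XAUTHORITY_SEC_FILE, bind mount;
//   a check-then-use gap on dest remains until the mount is in place …
```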
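--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -279,16 +279,19 @@ There is no root account (uid 0) defined in the namespace.
 \fBx11
 Enable X11 sandboxing.
 .TP
-\fBx11 xpra
-Enable X11 sandboxing with xpra.
-.TP
-\fBx11 xephyr
-Enable X11 sandboxing with xephyr.
-.TP
 \fBx11 none
 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 xorg
+Enable X11 sandboxing with X11 security extension.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
 
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.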
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index aadc54677..4aebb71e8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1662,15 +1662,17 @@ $ sudo firejail --writable-var | |||
1662 | 1662 | ||
1663 | .TP | 1663 | .TP |
1664 | \fB\-\-x11 | 1664 | \fB\-\-x11 |
1665 | Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. | 1665 | Sandbox the application using Xpra, Xephyr or Xorg security extension. |
1666 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger | 1666 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing |
1667 | applications started in the sandbox from accessing other X11 displays. | 1667 | clients running outside the sandbox. |
1668 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | 1668 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. |
1669 | If all fails, Firejail will not attempt to use X11 security extension. | ||
1669 | .br | 1670 | .br |
1670 | 1671 | ||
1671 | br | 1672 | .br |
1672 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | 1673 | Xpra and Xephyr modes require a network namespace to be instantiated in order to disable |
1673 | This feature is not available when running as root. | 1674 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket |
1675 | by adding "-nolisten local" on Xorg command line. | ||
1674 | .br | 1676 | .br |
1675 | 1677 | ||
1676 | .br | 1678 | .br |
@@ -1679,31 +1681,30 @@ Example: | |||
1679 | $ firejail \-\-x11 --net=eth0 firefox | 1681 | $ firejail \-\-x11 --net=eth0 firefox |
1680 | 1682 | ||
1681 | .TP | 1683 | .TP |
1682 | \fB\-\-x11=xpra | 1684 | \fB\-\-x11=none |
1683 | Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. | 1685 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable. |
1684 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | 1686 | Remove DISPLAY and XAUTHORITY environment variables. |
1685 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | 1687 | Stop with error message if X11 abstract socket will be accessible in jail. |
1686 | This feature is not available when running as root. | ||
1687 | .br | ||
1688 | |||
1689 | .br | ||
1690 | Example: | ||
1691 | .br | ||
1692 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
1693 | 1688 | ||
1694 | .TP | 1689 | .TP |
1695 | \fB\-\-x11=xephyr | 1690 | \fB\-\-x11=xephyr |
1696 | Start a new X11 server using Xephyr and attach the sandbox to this server. | 1691 | Start Xephyr and attach the sandbox to this server. |
1697 | Xephyr is a display server implementing the X11 display server protocol. | 1692 | Xephyr is a display server implementing the X11 display server protocol. |
1698 | It runs in a window just like other X applications, but it is an X server itself in which you can run other software. | 1693 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. |
1699 | The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, | 1694 | .br |
1700 | see \fBman 5 firejail-config\fR for more details. | 1695 | |
1696 | .br | ||
1697 | Xephyr runs in a window just like any other X11 application. The default window size is 800x600. | ||
1698 | This can be modified in /etc/firejail/firejail.config file. | ||
1701 | .br | 1699 | .br |
1702 | 1700 | ||
1703 | .br | 1701 | .br |
1704 | The recommended way to use this feature is to run a window manager inside the sandbox. | 1702 | The recommended way to use this feature is to run a window manager inside the sandbox. |
1705 | A security profile for OpenBox is provided. | 1703 | A security profile for OpenBox is provided. |
1706 | On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | 1704 | .br |
1705 | |||
1706 | .br | ||
1707 | Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | ||
1707 | This feature is not available when running as root. | 1708 | This feature is not available when running as root. |
1708 | .br | 1709 | .br |
1709 | 1710 | ||
@@ -1713,11 +1714,40 @@ Example: | |||
1713 | $ firejail \-\-x11=xephyr --net=eth0 openbox | 1714 | $ firejail \-\-x11=xephyr --net=eth0 openbox |
1714 | 1715 | ||
1715 | .TP | 1716 | .TP |
1716 | \fB\-\-x11=none | 1717 | \fB\-\-x11=xorg |
1717 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 1718 | Sandbox the application using the untrusted mode implemented by X11 security extension. |
1718 | Remove DISPLAY and XAUTHORITY environment variables. | 1719 | The extension is available in Xorg package |
1719 | Stop with error message if X11 abstract socket will be accessible in jail. | 1720 | and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted |
1721 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | ||
1722 | contents of other clients, stealing input events, etc. | ||
1723 | |||
1724 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | ||
1725 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | ||
1726 | Firefox and transmission-gtk seem to be working fine. | ||
1727 | A network namespace is not required for this option. | ||
1728 | .br | ||
1729 | |||
1730 | .br | ||
1731 | Example: | ||
1732 | .br | ||
1733 | $ firejail \-\-x11=xorg firefox | ||
1734 | |||
1735 | .TP | ||
1736 | \fB\-\-x11=xpra | ||
1737 | Start Xpra (http://xpra.org) and attach the sandbox to this server. | ||
1738 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | ||
1739 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
1740 | .br | ||
1741 | |||
1742 | .br | ||
1743 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | ||
1744 | This feature is not available when running as root. | ||
1745 | .br | ||
1746 | |||
1720 | .br | 1747 | .br |
1748 | Example: | ||
1749 | .br | ||
1750 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
1721 | 1751 | ||
1722 | .TP | 1752 | .TP |
1723 | \fB\-\-zsh | 1753 | \fB\-\-zsh |