x11 command in profile files

2 files changed, 20 insertions, 0 deletions

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 26f434f3b..916e39892 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -613,6 +613,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_private = 1;
                 return 0;
         }
+        
+        if (strcmp(ptr, "x11") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0)
+                                return 0;
+                        else {
+                                // start x11
+                                x11_start(cfg.original_argc, cfg.original_argv);
+                                exit(0);                
+                        }
+                }
+#endif          
+                return 0;
+        }
+        
 
    if (strncmp(ptr, "private-template ", 17) == 0) {
       if (arg_private) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 52802755f..e3217bbff 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -258,6 +258,9 @@ does not result in an increase of privilege.
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+.TP
+\fBx11
+Enable X11 sandboxing.
 
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.