support for Xephyr screen size

6 files changed, 78 insertions, 0 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7f3f0f248..c055a1537 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1061,6 +1061,19 @@ int main(int argc, char **argv) {
                         // already handled
                 }
 
+
+                //*************************************
+                // x11
+                //*************************************
+
+#ifdef HAVE_X11
+                else if (strncmp(argv[i], "--xephyr-screen=", 14) == 0) {
+                        if (checkcfg(CFG_X11))
+                                ; // the processing is done directly in x11.c
+                        else
+                                exit_err_feature("x11");
+                }
+#endif
                 //*************************************
                 // filtering
                 //*************************************
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 88f04f47f..18891ac58 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <dirent.h>
 #include <sys/stat.h>
+extern char *xephyr_screen;
 
 #define MAX_READ 8192                             // line buffer for profile files
 
@@ -112,6 +113,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        xephyr_screen = ptr + 14;
+                }
+                else
+                        warning_feature_disabled("x11");
+#endif
+                return 0;
+        }
         // mkdir
         if (strncmp(ptr, "mkdir ", 6) == 0) {
                 fs_mkdir(ptr + 6);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6f8298589..71bb6f24e 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -205,6 +205,7 @@ void usage(void) {
         printf("    --writable-etc - /etc directory is mounted read-write.\n");
         printf("    --writable-var - /var directory is mounted read-write.\n");
         printf("    --writable-var-log - use the real /var/log directory, not a clone.\n");
+#ifdef HAVE_X11
         printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
         printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
         printf("\tattempt to use X11 security extension.\n");
@@ -213,6 +214,8 @@ void usage(void) {
         printf("    --x11=xorg - enable X11 security extension.\n");
         printf("    --x11=xpra - enable Xpra X11 server.\n");
         printf("    --x11=xvfb - enable Xvfb X11 server.\n");
+        printf("    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n");
+#endif
         printf("    --zsh - use /usr/bin/zsh as default shell.\n");
         printf("\n");
         printf("Examples:\n");
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2e2e3dff2..c6bb7e1e3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -398,6 +398,27 @@ void x11_start_xvfb(int argc, char **argv) {
 }
 
 
+
+static char *extract_setting(int argc, char **argv, const char *argument) {
+        int i;
+        int len = strlen(argument);
+
+        for (i = 1; i < argc; i++) {
+                if (strncmp(argv[i], argument, len) == 0) {
+                        return argv[i] + len;
+                }
+
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+
+        return NULL;
+}
+
+
 //$ Xephyr -ac -br -noreset -screen 800x600 :22 &
 //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox
 void x11_start_xephyr(int argc, char **argv) {
@@ -407,6 +428,11 @@ void x11_start_xephyr(int argc, char **argv) {
         pid_t jail = 0;
         pid_t server = 0;
 
+        // default xephyr screen can be overwriten by a --xephyr-screen= command line option
+        char *newscreen = extract_setting(argc, argv, "--xephyr-screen=");
+        if (newscreen)
+                xephyr_screen = newscreen;
+
         setenv("FIREJAIL_X11", "yes", 1);
 
         // unfortunately, xephyr does a number of weird things when started by root user!!!
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9f4f4a927..f446f37b8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -341,6 +341,21 @@ Enable X11 sandboxing with Xpra server.
 .TP
 \fBx11 xvfb
 Enable X11 sandboxing with Xvfb server.
+.TP
+\fBxephyr-screen WIDTHxHEIGHT
+Set screen size for x11 xephyr. This command should be included in the profile file before x11 xephyr command.
+.br
+
+.br
+Example:
+.br
+
+.br
+xephyr-screen 640x480
+.br
+x11 xephyr
+
+
 
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6e49fc25f..3253ae8bb 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1980,7 +1980,17 @@ On the client machine we start a VNC viewer and use it to connect to our server:
 $ vncviewer
 .br
 
+.TP
+\fB\-\-xephyr-screen=WIDTHxHEIGHT
+Set screen size for --x11=xephyr. The setting will overwrite the default set in /etc/firejail/firejail.config
+for the current sandbox. Run xrandr to get a list of supported resolutions on your computer.
+.br
 
+.br
+Example:
+.br
+$ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
+.br
 
 .TP
 \fB\-\-zsh