6 files changed, 12 insertions, 11 deletions

diff --git a/README b/README
index 915001ec2..e45c6d412 100644
--- a/README
+++ b/README
@@ -468,5 +468,6 @@ Zack Weinberg (https://github.com/zackw)
         - Xvfb and Xephyr profiles, modified Xpra profile
         - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started
           with firejail --x11
-
+        - support for xpra-extra-params in firejail.config
+        
 Copyright (C) 2014-2017 Firejail Authors
diff --git a/RELNOTES b/RELNOTES
index be9e35af7..119bead76 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -34,6 +34,8 @@ firejail (0.9.46-rc1) baseline; urgency=low
   * feature: --fix-sound support in firecfg
   * feature: added support for sandboxing Xpra, Xvfb and Xephyr in 
     independent sandboxes when started with firejail --x11
+  * feature: enable automatic X server sandboxing for --x11=xpra
+    and --x11=xephyr
   * feature: support for Xpra extra params in firejail config file
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 362318bb1..d3349f7f7 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -4,13 +4,11 @@ include /etc/firejail/Xephyr.local
 
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
-# The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+# To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
 #
-# We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
+# or run "sudo firecfg"
 #
 
 
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 9c919f432..0cf9b7e1c 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -10,7 +10,7 @@ include /etc/firejail/xvfb.local
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
 #
 # We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
+# some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
 
 
diff --git a/etc/xpra.profile b/etc/xpra.profile
index f4f28f9de..11bfec7eb 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -5,14 +5,11 @@ include /etc/firejail/xpra.local
 
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
-# The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-xpra  symlink in /usr/local/bin:
+# To enable it, create a firejail-xpra  symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
 #
-# We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
-#
+# or run "sudo firecfg"
 
 # private home directory doesn't work on some distros, so we go for a regular home
 #private
@@ -36,6 +33,7 @@ protocol unix
 
 private-dev
 private-tmp
+# older Xpra versions also use Xvfb
 #private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
 #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 60e414755..f46fdea35 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -230,6 +230,7 @@ wire
 wireshark
 xchat
 xed
+Xephyr
 xfburn
 xfce4-dict
 xfce4-notes
@@ -239,6 +240,7 @@ xonotic-glx
 xonotic-sdl
 xpdf
 xplayer
+xpra
 xreader
 xviewer
 youtube-dl