1 files changed, 70 insertions, 4 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f978661dc..f603daecb 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1067,6 +1067,10 @@ Example:
 $ firejail \-\-nosound firefox
 .TP
+\fB\-\-nowhitelist=dirname_or_filename
+Disable whitelist for this directory or file.
+.TP
 \fB\-\-output=logfile
 stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log
 rotation. Five files with prefixes .1 to .5 are used in rotation.
@@ -1772,17 +1776,17 @@ $ sudo firejail --writable-var-log
 .TP
 \fB\-\-x11
-Sandbox the application using Xpra, Xephyr or Xorg security extension.
+Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
 The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
 clients running outside the sandbox.
 Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
-If all fails, Firejail will not attempt to use X11 security extension.
+If all fails, Firejail will not attempt to use Xvfb or X11 security extension. 
 .br
 .br
-Xpra and Xephyr modes require a network namespace to be instantiated in order to disable
+Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable
 X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
-by adding "-nolisten local" on Xorg command line.
+by adding "-nolisten local" on Xorg command line at system level.
 .br
 .br
@@ -1859,6 +1863,68 @@ Example:
 .br
 $ firejail \-\-x11=xpra --net=eth0 firefox
+.TP
+\fB\-\-x11=xvfb
+Start Xvfb X11 server and attach the sandbox to this server. 
+Xvfb, short for X virtual framebuffer, performs all graphical operations in memory 
+without showing any screen output. Xvfb is mainly used for remote access and software 
+testing on headless servers.
+.br
+.br
+On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR.
+This feature is not available when running as root.
+.br
+.br
+Example: remote VNC access
+.br
+.br
+On the server we start a sandbox using Xvfb and openbox
+window manager. The default size of Xvfb screen is 800x600 - it can be changed
+in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required
+in order to isolate the abstract sockets used by other X servers.
+.br
+.br
+$ firejail --net=none --x11=xvfb openbox
+.br
+.br
+*** Attaching to Xvfb display 792 ***
+.br
+.br
+Reading profile /etc/firejail/openbox.profile
+.br
+Reading profile /etc/firejail/disable-common.inc
+.br
+Reading profile /etc/firejail/disable-common.local
+.br
+Parent pid 5400, child pid 5401
+.br
+.br
+On the server we also start a VNC server and attach it to the display handled by our
+Xvfb server (792).
+.br
+.br
+$ x11vnc -display :792
+.br
+.br
+On the client machine we start a VNC viewer and use it to connect to our server:
+.br
+.br
+$ vncviewer
+.br
 .TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f978661dc..f603daecb 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1067,6 +1067,10 @@ Example:
1067	$ firejail \-\-nosound firefox	1067	$ firejail \-\-nosound firefox
1068		1068
1069	.TP	1069	.TP
		1070	\fB\-\-nowhitelist=dirname_or_filename
		1071	Disable whitelist for this directory or file.
		1072
		1073	.TP
1070	\fB\-\-output=logfile	1074	\fB\-\-output=logfile
1071	stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log	1075	stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log
1072	rotation. Five files with prefixes .1 to .5 are used in rotation.	1076	rotation. Five files with prefixes .1 to .5 are used in rotation.
@@ -1772,17 +1776,17 @@ $ sudo firejail --writable-var-log
1772		1776
1773	.TP	1777	.TP
1774	\fB\-\-x11	1778	\fB\-\-x11
1775	Sandbox the application using Xpra, Xephyr or Xorg security extension.	1779	Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
1776	The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing	1780	The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
1777	clients running outside the sandbox.	1781	clients running outside the sandbox.
1778	Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.	1782	Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
1779	If all fails, Firejail will not attempt to use X11 security extension.	1783	If all fails, Firejail will not attempt to use Xvfb or X11 security extension.
1780	.br	1784	.br
1781		1785
1782	.br	1786	.br
1783	Xpra and Xephyr modes require a network namespace to be instantiated in order to disable	1787	Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable
1784	X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket	1788	X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
1785	by adding "-nolisten local" on Xorg command line.	1789	by adding "-nolisten local" on Xorg command line at system level.
1786	.br	1790	.br
1787		1791
1788	.br	1792	.br
@@ -1859,6 +1863,68 @@ Example:
1859	.br	1863	.br
1860	$ firejail \-\-x11=xpra --net=eth0 firefox	1864	$ firejail \-\-x11=xpra --net=eth0 firefox
1861		1865
		1866
		1867	.TP
		1868	\fB\-\-x11=xvfb
		1869	Start Xvfb X11 server and attach the sandbox to this server.
		1870	Xvfb, short for X virtual framebuffer, performs all graphical operations in memory
		1871	without showing any screen output. Xvfb is mainly used for remote access and software
		1872	testing on headless servers.
		1873	.br
		1874
		1875	.br
		1876	On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR.
		1877	This feature is not available when running as root.
		1878	.br
		1879
		1880	.br
		1881	Example: remote VNC access
		1882	.br
		1883
		1884	.br
		1885	On the server we start a sandbox using Xvfb and openbox
		1886	window manager. The default size of Xvfb screen is 800x600 - it can be changed
		1887	in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required
		1888	in order to isolate the abstract sockets used by other X servers.
		1889	.br
		1890
		1891	.br
		1892	$ firejail --net=none --x11=xvfb openbox
		1893	.br
		1894
		1895	.br
		1896	* Attaching to Xvfb display 792 *
		1897	.br
		1898
		1899	.br
		1900	Reading profile /etc/firejail/openbox.profile
		1901	.br
		1902	Reading profile /etc/firejail/disable-common.inc
		1903	.br
		1904	Reading profile /etc/firejail/disable-common.local
		1905	.br
		1906	Parent pid 5400, child pid 5401
		1907	.br
		1908
		1909	.br
		1910	On the server we also start a VNC server and attach it to the display handled by our
		1911	Xvfb server (792).
		1912	.br
		1913
		1914	.br
		1915	$ x11vnc -display :792
		1916	.br
		1917
		1918	.br
		1919	On the client machine we start a VNC viewer and use it to connect to our server:
		1920	.br
		1921
		1922	.br
		1923	$ vncviewer
		1924	.br
		1925
		1926
		1927
1862	.TP	1928	.TP
1863	\fB\-\-zsh	1929	\fB\-\-zsh
1864	Use /usr/bin/zsh as default user shell.	1930	Use /usr/bin/zsh as default user shell.