Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 70 |
1 files changed, 66 insertions, 4 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f978661dc..2b6069a7a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1772,17 +1772,17 @@ $ sudo firejail --writable-var-log | |||
1772 | 1772 | ||
1773 | .TP | 1773 | .TP |
1774 | \fB\-\-x11 | 1774 | \fB\-\-x11 |
1775 | Sandbox the application using Xpra, Xephyr or Xorg security extension. | 1775 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. |
1776 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing | 1776 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing |
1777 | clients running outside the sandbox. | 1777 | clients running outside the sandbox. |
1778 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | 1778 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. |
1779 | If all fails, Firejail will not attempt to use X11 security extension. | 1779 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. |
1780 | .br | 1780 | .br |
1781 | 1781 | ||
1782 | .br | 1782 | .br |
1783 | Xpra and Xephyr modes require a network namespace to be instantiated in order to disable | 1783 | Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable |
1784 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket | 1784 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket |
1785 | by adding "-nolisten local" on Xorg command line. | 1785 | by adding "-nolisten local" on Xorg command line at system level. |
1786 | .br | 1786 | .br |
1787 | 1787 | ||
1788 | .br | 1788 | .br |
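Review bot: the updated fallback sentence at line 1779 ("If all fails, Firejail will not attempt to use Xvfb or X11 security extension") now names Xvfb, but the probing order described one line earlier still only covers Xpra and Xephyr, so a reader cannot tell whether Xvfb is tried automatically or only when requested explicitly with --x11=xvfb. Suggest stating the full order in one place, e.g. "Firejail will try Xpra first, then Xephyr; Xvfb and the X11 security extension are used only when selected explicitly." While this paragraph is being edited, the pre-existing "The sandbox will prevents" at line 1776 should become "The sandbox prevents".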
@@ -1859,6 +1859,68 @@ Example: | |||
1859 | .br | 1859 | .br |
1860 | $ firejail \-\-x11=xpra --net=eth0 firefox | 1860 | $ firejail \-\-x11=xpra --net=eth0 firefox |
1861 | 1861 | ||
1862 | |||
1863 | .TP | ||
1864 | \fB\-\-x11=xvfb | ||
1865 | Start Xvfb X11 server and attach the sandbox to this server. | ||
1866 | Xvfb, short for X virtual framebuffer, performs all graphical operations in memory | ||
1867 | without showing any screen output. Xvfb is mainly used for remote access and software | ||
1868 | testing on headless servers. | ||
1869 | .br | ||
1870 | |||
1871 | .br | ||
1872 | On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR. | ||
1873 | This feature is not available when running as root. | ||
1874 | .br | ||
1875 | |||
1876 | .br | ||
1877 | Example: remote VNC access | ||
1878 | .br | ||
1879 | |||
1880 | .br | ||
1881 | On the server we start a sandbox using Xvfb and openbox | ||
1882 | window manager. The default size of Xvfb screen is 800x600 - it can be changed | ||
1883 | in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required | ||
1884 | in order to isolate the abstract sockets used by other X servers. | ||
1885 | .br | ||
1886 | |||
1887 | .br | ||
1888 | $ firejail --net=none --x11=xvfb openbox | ||
1889 | .br | ||
1890 | |||
1891 | .br | ||
1892 | *** Attaching to Xvfb display 792 *** | ||
1893 | .br | ||
1894 | |||
1895 | .br | ||
1896 | Reading profile /etc/firejail/openbox.profile | ||
1897 | .br | ||
1898 | Reading profile /etc/firejail/disable-common.inc | ||
1899 | .br | ||
1900 | Reading profile /etc/firejail/disable-common.local | ||
1901 | .br | ||
1902 | Parent pid 5400, child pid 5401 | ||
1903 | .br | ||
1904 | |||
1905 | .br | ||
1906 | On the server we also start a VNC server and attach it to the display handled by our | ||
1907 | Xvfb server (792). | ||
1908 | .br | ||
1909 | |||
1910 | .br | ||
1911 | $ x11vnc -display :792 | ||
1912 | .br | ||
1913 | |||
1914 | .br | ||
1915 | On the client machine we start a VNC viewer and use it to connect to our server: | ||
1916 | .br | ||
1917 | |||
1918 | .br | ||
1919 | $ vncviewer | ||
1920 | .br | ||
1921 | |||
1922 | |||
1923 | |||
1862 | .TP | 1924 | .TP |
1863 | \fB\-\-zsh | 1925 | \fB\-\-zsh |
1864 | Use /usr/bin/zsh as default user shell. | 1926 | Use /usr/bin/zsh as default user shell. |
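Review bot: the prose at lines 1883-1884 says "Some sort of networking (--net) is required in order to isolate the abstract sockets", but the example at line 1888 uses --net=none, which a reader may take as "no networking". Suggest wording it as "a network namespace (any --net option, including --net=none) is required", since the point is the namespace rather than connectivity. Separately, the VNC example at line 1911 starts x11vnc with only -display and the vncviewer line at 1919 gives no host, so the example shows the display being exported with no access control; a short note that the VNC server should be restricted (for instance bound to localhost and password-protected, or tunnelled) would keep the documentation from suggesting an unprotected setup. Minor style point: the three empty lines at 1921-1923 before the next .TP are inconsistent with the ".br / blank / .br" spacing used elsewhere in the page.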