1 files changed, 66 insertions, 4 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f978661dc..2b6069a7a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1772,17 +1772,17 @@ $ sudo firejail --writable-var-log
 .TP
 \fB\-\-x11
-Sandbox the application using Xpra, Xephyr or Xorg security extension.
+Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
 The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
 clients running outside the sandbox.
 Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
-If all fails, Firejail will not attempt to use X11 security extension.
+If all fails, Firejail will not attempt to use Xvfb or X11 security extension. 
 .br
 .br
-Xpra and Xephyr modes require a network namespace to be instantiated in order to disable
+Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable
 X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
-by adding "-nolisten local" on Xorg command line.
+by adding "-nolisten local" on Xorg command line at system level.
 .br
 .br
@@ -1859,6 +1859,68 @@ Example:
 .br
 $ firejail \-\-x11=xpra --net=eth0 firefox
+.TP
+\fB\-\-x11=xvfb
+Start Xvfb X11 server and attach the sandbox to this server. 
+Xvfb, short for X virtual framebuffer, performs all graphical operations in memory 
+without showing any screen output. Xvfb is mainly used for remote access and software 
+testing on headless servers.
+.br
+.br
+On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR.
+This feature is not available when running as root.
+.br
+.br
+Example: remote VNC access
+.br
+.br
+On the server we start a sandbox using Xvfb and openbox
+window manager. The default size of Xvfb screen is 800x600 - it can be changed
+in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required
+in order to isolate the abstract sockets used by other X servers.
+.br
+.br
+$ firejail --net=none --x11=xvfb openbox
+.br
+.br
+*** Attaching to Xvfb display 792 ***
+.br
+.br
+Reading profile /etc/firejail/openbox.profile
+.br
+Reading profile /etc/firejail/disable-common.inc
+.br
+Reading profile /etc/firejail/disable-common.local
+.br
+Parent pid 5400, child pid 5401
+.br
+.br
+On the server we also start a VNC server and attach it to the display handled by our
+Xvfb server (792).
+.br
+.br
+$ x11vnc -display :792
+.br
+.br
+On the client machine we start a VNC viewer and use it to connect to our server:
+.br
+.br
+$ vncviewer
+.br
 .TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f978661dc..2b6069a7a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1772,17 +1772,17 @@ $ sudo firejail --writable-var-log
1772		1772
1773	.TP	1773	.TP
1774	\fB\-\-x11	1774	\fB\-\-x11
1775	Sandbox the application using Xpra, Xephyr or Xorg security extension.	1775	Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
1776	The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing	1776	The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
1777	clients running outside the sandbox.	1777	clients running outside the sandbox.
1778	Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.	1778	Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
1779	If all fails, Firejail will not attempt to use X11 security extension.	1779	If all fails, Firejail will not attempt to use Xvfb or X11 security extension.
1780	.br	1780	.br
1781		1781
1782	.br	1782	.br
1783	Xpra and Xephyr modes require a network namespace to be instantiated in order to disable	1783	Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable
1784	X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket	1784	X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
1785	by adding "-nolisten local" on Xorg command line.	1785	by adding "-nolisten local" on Xorg command line at system level.
1786	.br	1786	.br
1787		1787
1788	.br	1788	.br
@@ -1859,6 +1859,68 @@ Example:
1859	.br	1859	.br
1860	$ firejail \-\-x11=xpra --net=eth0 firefox	1860	$ firejail \-\-x11=xpra --net=eth0 firefox
1861		1861
		1862
		1863	.TP
		1864	\fB\-\-x11=xvfb
		1865	Start Xvfb X11 server and attach the sandbox to this server.
		1866	Xvfb, short for X virtual framebuffer, performs all graphical operations in memory
		1867	without showing any screen output. Xvfb is mainly used for remote access and software
		1868	testing on headless servers.
		1869	.br
		1870
		1871	.br
		1872	On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR.
		1873	This feature is not available when running as root.
		1874	.br
		1875
		1876	.br
		1877	Example: remote VNC access
		1878	.br
		1879
		1880	.br
		1881	On the server we start a sandbox using Xvfb and openbox
		1882	window manager. The default size of Xvfb screen is 800x600 - it can be changed
		1883	in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required
		1884	in order to isolate the abstract sockets used by other X servers.
		1885	.br
		1886
		1887	.br
		1888	$ firejail --net=none --x11=xvfb openbox
		1889	.br
		1890
		1891	.br
		1892	* Attaching to Xvfb display 792 *
		1893	.br
		1894
		1895	.br
		1896	Reading profile /etc/firejail/openbox.profile
		1897	.br
		1898	Reading profile /etc/firejail/disable-common.inc
		1899	.br
		1900	Reading profile /etc/firejail/disable-common.local
		1901	.br
		1902	Parent pid 5400, child pid 5401
		1903	.br
		1904
		1905	.br
		1906	On the server we also start a VNC server and attach it to the display handled by our
		1907	Xvfb server (792).
		1908	.br
		1909
		1910	.br
		1911	$ x11vnc -display :792
		1912	.br
		1913
		1914	.br
		1915	On the client machine we start a VNC viewer and use it to connect to our server:
		1916	.br
		1917
		1918	.br
		1919	$ vncviewer
		1920	.br
		1921
		1922
		1923
1862	.TP	1924	.TP
1863	\fB\-\-zsh	1925	\fB\-\-zsh
1864	Use /usr/bin/zsh as default user shell.	1926	Use /usr/bin/zsh as default user shell.