From 300402947156774d31c43ae2b734184315d33122 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 30 Mar 2016 09:55:51 -0400 Subject: x11 work --- README.md | 48 ++++++++++++++++++++++++++++++++++++++++----- RELNOTES | 10 ++++++---- etc/firejail.config | 16 +++++++-------- src/man/firejail-config.txt | 27 +++++++++++++++++++------ src/man/firejail.txt | 43 ++++++++++++++++++++++++++++++++++++++-- 5 files changed, 119 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 11ee02118..9b69753ed 100644 --- a/README.md +++ b/README.md 
@@ -41,13 +41,51 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ## X11 sandboxing support -X11 support is built around Xpra (http://xpra.org/). -So far I've seen it working on Debian 7 and 8, and Ubuntu 14.04. If you manage to run it on another -distribution, please let me know. Example: +X11 support is built around Xpra (http://xpra.org/) of Xephyr. ````` -$ firejail --x11 --net=eth0 firefox + --x11 Start a new X11 server using Xpra or Xephyr and attach the sand‐ + box to this server. The regular X11 server (display 0) is not + visible in the sandbox. This prevents screenshot and keylogger + applications started in the sandbox from accessing other X11 + displays. A network namespace needs to be instantiated in order + to deny access to X11 abstract Unix domain socket. + + Firejail will try first Xpra, and if Xpra is not installed on + the system, it will try to find Xephyr. This feature is not + available when running as root. + + Example: + $ firejail --x11 --net=eth0 firefox + + --x11=xpra + Start a new X11 server using Xpra (http://xpra.org) and attach + the sandbox to this server. Xpra is a persistent remote display + server and client for forwarding X11 applications and desktop + screens. On Debian platforms Xpra is installed with the command + sudo apt-get install xpra. This feature is not available when + running as root. + + Example: + $ firejail --x11 --net=eth0 firefox + + --x11=xephyr + Start a new X11 server using Xephyr and attach the sandbox to + this server. Xephyr is a display server implementing the X11 + display server protocol. It runs in a window just like other X + applications, but it is an X server itself in which you can run + other software. The default Xephyr window size is 800x600. This + can be modified in /etc/firejail/firejail.config file, see man 5 + firejail-config for more details. + + The recommended way to use this feature is to run a window man‐ + ager inside the sandbox. 
A security profile for OpenBox is pro‐ + vided. On Debian platforms Xephyr is installed with the command + sudo apt-get install xserver-xephyr. This feature is not avail‐ + able when running as root. + + Example: + $ firejail --x11 --net=eth0 openbox ````` ---x11 starts the server, --net is required in order to remove the main X11 server socket from the sandbox. More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ ## File transfers diff --git a/RELNOTES b/RELNOTES index 78ed8ac5a..0b5ea924d 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,8 +1,8 @@ firejail (0.9.39) baseline; urgency=low - * default seccomp filter update - * disable STUN/WebRTC in default netfilter configuration * added --nice option * added --x11 option + * added --x11=xpra option + * added --x11=xephyr option * added filetransfer options --ls and --get * added mkdir, ipc-namespace and nosound profile commands * --version also prints compile options @@ -10,10 +10,12 @@ firejail (0.9.39) baseline; urgency=low * added compile-time option to restrict --net= to root only * run time config support, man firejail-config * added firecfg utility - * build rpm packages using "make rpms" + * default seccomp filter update + * disable STUN/WebRTC in default netfilter configuration * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars - * new profiles: qTox + * new profiles: qTox, OpenSSH client, OpenBox + * build rpm packages using "make rpms" * bugfixes -- netblue30 Wed, 16 Mar 2016 08:00:00 -0500 diff --git a/etc/firejail.config b/etc/firejail.config index 8333c26ba..41cd08e68 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -3,14 +3,14 @@ # Most features are enabled by default. Use 'yes' or 'no' as configuration # values. -# Enable or disable seccomp support, default enabled. -# seccomp yes +# Enable or disable bind support, default enabled. +# bind yes # Enable or disable chroot support, default enabled. # chroot yes -# Enable or disable bind support, default enabled. -# bind yes +# Enable or disable file transfer support, default enabled. +# file-transfer yes # Enable or disable networking features, default enabled. # network yes @@ -21,17 +21,17 @@ # only to root user. Regular users are only allowed --net=none. # restricted-network no +# Enable or disable seccomp support, default enabled. +# seccomp yes + # Enable or disable user namespace support, default enabled. # userns yes # Enable or disable X11 sandboxing support, default enabled. # x11 yes -# Enable or disable file transfer support, default enabled. -# file-transfer yes - # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for -# a full list of resolutions available on your specifc setup. +# a full list of resolutions available on your specific setup. # xephyr-screen 640x480 # xephyr-screen 800x600 # xephyr-screen 1024x768 diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 687aedf59..fcf4109ee 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt @@ -14,16 +14,16 @@ time. Most features are enabled by default both at compile time and at run time. .TP -\fBsecomp -Enable or disable seccomp support, default enabled. +\fBbind +Enable or disable bind support, default enabled. .TP \fBchroot Enable or disable chroot support, default enabled. .TP -\fBbind -Enable or disable bind support, default enabled. +\fBfile-transfer +Enable or disable file transfer support, default enabled. .TP \fBnetwork 
@@ -36,6 +36,10 @@ networking features should also be enabled (network yes). Restricted networking grants access to --interface and --net=ethXXX only to root user. Regular users are only allowed --net=none. +.TP +\fBsecomp +Enable or disable seccomp support, default enabled. + .TP \fBuserns Enable or disable user namespace support, default enabled. @@ -45,8 +49,19 @@ Enable or disable user namespace support, default enabled. Enable or disable X11 sandboxing support, default enabled. .TP -\fBfile-transfer -Enable or disable file transfer support, default enabled. +\fBxephyr-screen +Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for +a full list of resolutions available on your specific setup. Examples: +.br + +.br +xephyr-screen 640x480 +.br +xephyr-screen 800x600 +.br +xephyr-screen 1024x768 +.br +xephyr-screen 1280x1024 .SH FILES /etc/firejail/firejail.config diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6eb7c3ff7..a3c39a82b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1513,10 +1513,28 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines" .TP \fB\-\-x11 +Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. +The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger +applications started in the sandbox from accessing other X11 displays. +A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. +.br + +.br +Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. +This feature is not available when running as root. +.br + +.br +Example: +.br +$ firejail \-\-x11 --net=eth0 firefox + +.TP +\fB\-\-x11=xpra Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. -The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger -applications started in the sandbox from accessing display 0. This feature is not available when running as root. +On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. +This feature is not available when running as root. .br .br 
@@ -1524,6 +1542,27 @@ Example: .br $ firejail \-\-x11 --net=eth0 firefox +.TP +\fB\-\-x11=xephyr +Start a new X11 server using Xephyr and attach the sandbox to this server. +Xephyr is a display server implementing the X11 display server protocol. +It runs in a window just like other X applications, but it is an X server itself in which you can run other software. +The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, +see \fBman 5 firejail-config\fR for more details. +.br + +.br +The recommended way to use this feature is to run a window manager inside the sandbox. +A security profile for OpenBox is provided. +On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. +This feature is not available when running as root. +.br + +.br +Example: +.br +$ firejail \-\-x11 --net=eth0 openbox + .TP \fB\-\-zsh Use /usr/bin/zsh as default user shell. -- cgit v1.2.3-54-g00ecf
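
Review bot: In the README.md hunk, the examples added under "--x11=xpra" and "--x11=xephyr" both invoke plain "--x11" ("$ firejail --x11 --net=eth0 firefox" and "$ firejail --x11 --net=eth0 openbox"), so neither shows the option it documents. Because the same text says Firejail tries Xpra first, the Xephyr example will start Xpra on any system that has it installed. Suggest "--x11=xpra" and "--x11=xephyr" in the respective examples. In the same hunk, "Xpra (http://xpra.org/) of Xephyr" should read "or Xephyr", and the pasted man output carries line-break hyphenation ("sand‐ box", "man‐ ager", "pro‐ vided", "avail‐ able") that should be rejoined before it goes into the README.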
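
Review bot: In the second src/man/firejail-config.txt hunk, the re-added entry is still spelled "\fBsecomp", while the key in etc/firejail.config is "seccomp". Since the entry is being moved anyway, fix the spelling here so that someone copying the name from the man page does not end up with a key that does not match the one in the config file. The new "\fBxephyr-screen" entry, like the other entries, opens bold with "\fB" and never closes it with "\fR"; the firejail.txt hunks in this patch do close it ("\fBsudo apt-get install xpra\fR"), so it would be worth being consistent.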
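
Review bot: In the first src/man/firejail.txt hunk, the sentences about display 0 not being visible in the sandbox are removed from the "--x11=xpra" entry and now appear only under "--x11", together with the new statement that a network namespace is needed to deny access to the X11 abstract Unix domain socket. A reader who jumps straight to "--x11=xpra" no longer sees either the isolation property or the "--net" requirement it depends on. Suggest a short cross-reference to "--x11" in the "--x11=xpra" entry, or repeating the network namespace sentence there. The added example line also mixes escaping: "\-\-x11" is escaped but "--net=eth0" is not.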
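
Review bot: In the second src/man/firejail.txt hunk, the example added under "--x11=xephyr" is "$ firejail \-\-x11 --net=eth0 openbox", and the unchanged example above it under "--x11=xpra" is also plain "\-\-x11". Per the new "--x11" entry Firejail tries Xpra first, so the Xephyr example only reaches Xephyr when Xpra is absent. Suggest "$ firejail \-\-x11=xephyr \-\-net=eth0 openbox" here and "\-\-x11=xpra" in the entry above. The "--x11=xephyr" entry also omits that the regular X11 server stays reachable unless a network namespace is set up; one sentence pointing back to "--x11" would cover it.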