From 4515f44e59001c13122f9e9976f420c230806737 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sat, 6 May 2017 13:03:15 -0400
Subject: merge #1100 from zackw:  added support for sandboxing Xpra, Xvfb and
 Xephyr in  independent sandboxes when started with firejail --x11

---
 etc/Xephyr.profile | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 etc/Xephyr.profile

(limited to 'etc/Xephyr.profile')

diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
new file mode 100644
index 000000000..362318bb1
--- /dev/null
+++ b/etc/Xephyr.profile
@@ -0,0 +1,40 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Xephyr.local
+
+#
+# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+#
+#    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+
+caps.drop all
+# Xephyr needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xephyr,sh,xkbcomp
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+
+blacklist /media
+whitelist /var/lib/xkb
-- 
cgit v1.2.3-54-g00ecf