From 4515f44e59001c13122f9e9976f420c230806737 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 6 May 2017 13:03:15 -0400
Subject: merge #1100 from zackw: added support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started with firejail --x11
---
 etc/xpra.profile | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)
(limited to 'etc/xpra.profile')
diff --git a/etc/xpra.profile b/etc/xpra.profile
index d0fff2ebf..f4f28f9de 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -2,26 +2,43 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/xpra.local
-# xpra profile
+
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+# private home directory doesn't work on some distros, so we go for a regular home
+#private
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+#net none
 nogroups
 nonewprivs
-noroot
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
 nosound
 shell none
 seccomp
-protocol unix,inet,inet6
+protocol unix
-# blacklist /tmp/.X11-unix
-# private-bin private-dev private-tmp
-# private-etc
+#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+
+blacklist /media
+whitelist /var/lib/xkb
-- 
cgit v1.2.3-70-g09d2
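Review bot: The `#net none` comment explains why no network namespace is created but not what now compensates for it: with `netfilter` removed and `net none` disabled the xpra server shares the host's network, and the only line still keeping it off inet/inet6 is `protocol unix` further down, which as far as I know firejail enforces through the seccomp socket() filter and so depends on `seccomp` staying in the profile. I would make that dependency explicit next to the disabled line, e.g. `# xpra needs the host's abstract Unix socket namespace, so no new net namespace; 'protocol unix' below (seccomp) still blocks inet/inet6 sockets.`, and similarly note at `#noroot` that the sandbox therefore runs without a user namespace. The setup text also contradicts itself: it says to create a "firejail-xpra symlink", while the command shown creates `/usr/local/bin/xpra` ("the this functionality" is a typo as well). Finally, `whitelist /var/lib/xkb` presumably mounts a tmpfs over /var and exposes only that path, hiding things like /var/run and /var/tmp; a one-line comment confirming xpra/Xvfb need nothing else under /var would save the next maintainer a debugging session.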