From 4515f44e59001c13122f9e9976f420c230806737 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 6 May 2017 13:03:15 -0400
Subject: merge #1100 from zackw: added support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started with firejail --x11
---
 etc/Xephyr.profile | 40 ++++++++++++++++++++++++++++++++++++++++
 etc/Xvfb.profile | 39 +++++++++++++++++++++++++++++++++++++++
 etc/xpra.profile | 31 ++++++++++++++++++++++++-------
 3 files changed, 103 insertions(+), 7 deletions(-)
 create mode 100644 etc/Xephyr.profile
 create mode 100644 etc/Xvfb.profile
(limited to 'etc')
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
new file mode 100644
index 000000000..362318bb1
--- /dev/null
+++ b/etc/Xephyr.profile
@@ -0,0 +1,40 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Xephyr.local
+
+#
+# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+
+caps.drop all
+# Xephyr needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xephyr,sh,xkbcomp
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+
+blacklist /media
+whitelist /var/lib/xkb
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
new file mode 100644
index 000000000..9c919f432
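Review bot: Xephyr.profile pulls in none of the disable-*.inc files, so the system paths those files blacklist stay visible to the Xephyr process; `private` only empties $HOME, and the only path-level restriction in the hunk is `blacklist /media`. The xpra hunk in this same commit keeps `include /etc/firejail/disable-common.inc` (plus disable-programs, disable-devel and disable-passwdmgr) as context, so adding at least `include /etc/firejail/disable-common.inc` after the `.local` include would bring this profile in line with it; Xvfb.profile has the same gap. The header comment in all three profiles reads "By default the this functionality is disabled" — drop the stray "the". The same header says "create a firejail-Xephyr symlink" while the command that follows creates `/usr/local/bin/Xephyr`; naming the link the command actually creates (here and in the Xvfb and xpra headers) would avoid a reader looking for a `firejail-Xephyr` binary.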
--- /dev/null
+++ b/etc/Xvfb.profile
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xvfb.local
+
+#
+# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+caps.drop all
+# Xvfb needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+#private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xvfb,sh,xkbcomp
+
+blacklist /media
+whitelist /var/lib/xkb
diff --git a/etc/xpra.profile b/etc/xpra.profile
index d0fff2ebf..f4f28f9de 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
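Review bot: `include /etc/firejail/xvfb.local` on the third added line uses a lowercase name while the file itself is Xvfb.profile and the sibling Xephyr hunk includes `Xephyr.local`; a user who follows the header's advice and creates Xvfb.local will never have it picked up on a case-sensitive filesystem. Unless the lowercase name is deliberate, change it to `include /etc/firejail/Xvfb.local`. This profile also enables `private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname` where Xephyr.profile leaves the equivalent line commented out; if Xvfb has been verified to start with that restricted /etc, a one-line comment above it saying so would stop a later maintainer from "fixing" the asymmetry in either direction.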
@@ -2,26 +2,43 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/xpra.local
-# xpra profile
+
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+# private home directory doesn't work on some distros, so we go for a regular home
+#private
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+#net none
 nogroups
 nonewprivs
-noroot
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
 nosound
 shell none
 seccomp
-protocol unix,inet,inet6
+protocol unix
-# blacklist /tmp/.X11-unix
-# private-bin
 private-dev
 private-tmp
-# private-etc
+#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+
+blacklist /media
+whitelist /var/lib/xkb
--
cgit v1.2.3-54-g00ecf
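Review bot: With `netfilter` removed and `net none` left commented out, the xpra server keeps the host's network namespace, so `protocol unix` (replacing `protocol unix,inet,inet6`) is now the only directive stopping it from opening inet sockets; that dependency is worth stating on the line itself, e.g. `# net none is disabled above; protocol unix is what keeps xpra off the network`. The `#private` line explains that a private home breaks on some distros, but not the consequence: the user's real $HOME is visible to the server process and only the disable-*.inc includes kept as context limit what it can read there — a clause to that effect in the comment would keep someone from later reading `#private` as an oversight and re-enabling it, or dropping the includes as redundant. The hunk's `@@ -2,26 +2,43 @@` counts do not match the visible lines (a few blank context lines appear to have been lost in rendering), so the context shown here should be read as indicative rather than exact.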