From 300402947156774d31c43ae2b734184315d33122 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 30 Mar 2016 09:55:51 -0400 Subject: x11 work --- src/man/firejail.txt | 43 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) (limited to 'src/man/firejail.txt') diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6eb7c3ff7..a3c39a82b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1513,10 +1513,28 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines" .TP \fB\-\-x11 +Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. +The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger +applications started in the sandbox from accessing other X11 displays. +A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. +.br + +.br +Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. +This feature is not available when running as root. +.br + +.br +Example: +.br +$ firejail \-\-x11 --net=eth0 firefox + +.TP +\fB\-\-x11=xpra Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. -The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger -applications started in the sandbox from accessing display 0. This feature is not available when running as root. +On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. +This feature is not available when running as root. .br .br 
@@ -1524,6 +1542,27 @@ Example: .br $ firejail \-\-x11 --net=eth0 firefox +.TP +\fB\-\-x11=xephyr +Start a new X11 server using Xephyr and attach the sandbox to this server. +Xephyr is a display server implementing the X11 display server protocol. +It runs in a window just like other X applications, but it is an X server itself in which you can run other software. +The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, +see \fBman 5 firejail-config\fR for more details. +.br + +.br +The recommended way to use this feature is to run a window manager inside the sandbox. +A security profile for OpenBox is provided. +On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. +This feature is not available when running as root. +.br + +.br +Example: +.br +$ firejail \-\-x11 --net=eth0 openbox + .TP \fB\-\-zsh Use /usr/bin/zsh as default user shell. -- cgit v1.2.3-70-g09d2
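Review bot: In the first hunk (@@ -1513,10 +1513,28 @@), the new generic \-\-x11 entry says "A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket" but does not say what happens when the option is given without \-\-net. A reader can come away believing \-\-x11 alone hides display 0. Suggest stating the consequence of omitting the network namespace explicitly. The same hunk removes the display 0 isolation sentences from what is now the \-\-x11=xpra entry, so that entry should either repeat the requirement or point back to \-\-x11. Style: in the added example line, \-\-x11 is escaped but --net=eth0 is not; use \-\-net=eth0 so both options render the same way in the man page.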
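Review bot: In the second hunk (@@ -1524,6 +1542,27 @@), the example added under \-\-x11=xephyr is "$ firejail \-\-x11 --net=eth0 openbox", which does not use the option being documented. The first hunk states that plain \-\-x11 tries Xpra first, so on a system with Xpra installed this command would start Xpra rather than Xephyr. Suggest \-\-x11=xephyr in this example. The unchanged example at the top of the hunk, which now sits under \-\-x11=xpra, should use \-\-x11=xpra for the same reason. The xephyr text also says the window size "can be modified in /etc/firejail/firejail.config" without naming the setting; naming it here would save a trip to firejail-config(5). As in the first hunk, --net=eth0 is left unescaped next to \-\-x11.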