Firejail X11 sandboxing support is built around an external X11 server software package. Both Xpra and Xephyr are supported (apt-get install xpra xserver-xephyr on Debian/Ubuntu). To allow people to use the sandbox on headless systems, Firejail compile and install is not be dependent on Xpra or Xephyr packages.
The sandbox replaces the regular X11 server with Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities from accessing the main X11 server.
The commands are as follows:
$ firejail --x11=xpra --net=eth0 program-and-arguments $ firejail --x11=xephyr --net=eth0 program-and-arguments
A shorter form is also available:
$ firejail --x11 --net=eth0 program-and-arguments
In this case, Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. For various reasons, X11 sandboxing features are not supported if the sandbox is started as root user.
The main X11 server running on a Linux computer has two sockets active:
/tmp/.X11-unix/X0 is disabled using a temporary filesystem mounted on /tmp/.X11-unix directory. The only way to disable the abstract socket @/tmp/.X11-unix/X0 is by using a network namespace. If for any reasons you cannot use a network namespace, the abstract socket will still be visible inside the sandbox. Hackers can attach keylogger and screenshot programs to this socket.
Installing Xpra on Arch Linux
Install xpra-winswitch package from AUR, and in /etc/X11/Xwrapper.config modify “allowed_users=anybody”.
Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. The default configuration of the software package works fine in most cases, text configuration files are located in /etc/xpra directory.
The current running session adds a small icon in the system tray. This can be used to enable or disable at run time the clipboard and a number of other parameters. It also provides statistics for the current session. Each active sandbox can be configured independently in such a window.
Xephyr runs in its own window just like any other X application, but it is an X server itself. Firejail sandboxed applications are started in this window. The default Xephyr window size is 800×600. This can be modified in /etc/firejail/firejail.config file, see man 5 firejail-config for more details. Or you can use xrandr, see below.
The recommended way to use this feature is to run a window manager inside the sandbox. This is the only way to resize or minimize the windows running on Xephyr server. Lots of light window managers are available on Linux platform, Firejail software provides a security profile for Openbox (apt-get install openbox) as a reference in /etc/firejail/openbox.profile.
$ firejail --x11=xephyr --net=eth0 openbox
Applications can be started using the window manager – right-click on an empty area of the window to open the application menu in Openbox. All apps started this way share the same sandbox with the window manager.
How to test
Start a sandboxed terminal (firejail –x11 –net=eth0 xterm) and run netstat command. /tmp/.X11-unix/X0 sockets should not be visible:
To test the keyboard, I start an xterm sandbox (firejail –x11 –net=eth0 –noprofile xterm) and use xinput (sudo apt-get install xinput).
Testing screenshots is even easier: firejail –x11 –net=none gimp.
Attaching new sandboxes to an existing X11 server
Drag and drop between windows running on different X11 servers is not possible. The way to get around this limitation is to run multiple sandboxed applications on the same server.
firemon command was enhanced to print X11 display information:
$ firemon --x11 2142:netblue:firejail --x11 --net=eth0 firefox DISPLAY :470
We have Firefox already running in a sandbox, on X11 display server :470. We start a new sandbox and place it on the same server:
$ DISPLAY=:470 firejail --net=eth0 transmission-gtk
Please note, a –x11 option is not necessary when the second sandbox is started, DISPLAY environment variable does all the magic.
–net command line option is still required for both sandboxes in order to disable access to the main X11 server. Each sandbox has a different IP addresses and different container filesystems, but they share the X11 socket in /tmp/.X11-unix directory. User Downloads directory is also shared between the sandboxes. Drag and drop between the two sandboxes is possible.
Resizing Xephyr window
You can use xrandr utility to resize a Xephyr window. I sandbox an xterm, find out the display number used by the sandbox, and resize the window:
$ firejail --x11=xephyr xterm & $ firemon --x11 16148:netblue:firejail xterm DISPLAY :139 $ xrandr --display :139 default connected 640x400+0+0 (normal left inverted right x axis y axis) 0mm x 0mm 1600x1200 0.00 1400x1050 0.00 1280x960 0.00 1280x1024 0.00 1152x864 0.00 1024x768 0.00 832x624 0.00 800x600 0.00 720x400 0.00 480x640 0.00 640x480 0.00 640x400 0.00* 320x240 0.00 240x320 0.00 160x160 0.00 $ xrandr --display :139 --output default --mode 1280x1024