automatic X server sandboxing for --x11=xpra and --x11=xephyr

2026-05-15 14:16:14 -06:00 · 2017-05-12 11:12:17 -04:00 · 2017-05-12 11:12:17 -04:00 · c62e7c7798
commit c62e7c7798
parent 59e17f93bc
6 changed files with 12 additions and 11 deletions
--- a/3
+++ b/3
@ -468,5 +468,6 @@ Zack Weinberg (https://github.com/zackw)
 	- Xvfb and Xephyr profiles, modified Xpra profile
 	- support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started
 	  with firejail --x11
-
+	- support for xpra-extra-params in firejail.config
+	
 Copyright (C) 2014-2017 Firejail Authors
--- a/2
+++ b/2
@ -34,6 +34,8 @@ firejail (0.9.46-rc1) baseline; urgency=low
  * feature: --fix-sound support in firecfg
  * feature: added support for sandboxing Xpra, Xvfb and Xephyr in 
    independent sandboxes when started with firejail --x11
+  * feature: enable automatic X server sandboxing for --x11=xpra
+    and --x11=xephyr
  * feature: support for Xpra extra params in firejail config file
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@ -4,13 +4,11 @@ include /etc/firejail/Xephyr.local

 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
-# The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+# To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
 #
-# We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
+# or run "sudo firecfg"
 #


--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@ -10,7 +10,7 @@ include /etc/firejail/xvfb.local
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
 #
 # We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
+# some Linux distributions. Also, older versions of Xpra use Xvfb.
 #


--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@ -5,14 +5,11 @@ include /etc/firejail/xpra.local

 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
-# The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-xpra  symlink in /usr/local/bin:
+# To enable it, create a firejail-xpra  symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
 #
-# We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
-#
+# or run "sudo firecfg"

 # private home directory doesn't work on some distros, so we go for a regular home
 #private
@ -36,6 +33,7 @@ protocol unix

 private-dev
 private-tmp
+# older Xpra versions also use Xvfb
 #private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
 #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11

--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@ -230,6 +230,7 @@ wire
 wireshark
 xchat
 xed
+Xephyr
 xfburn
 xfce4-dict
 xfce4-notes
@ -239,6 +240,7 @@ xonotic-glx
 xonotic-sdl
 xpdf
 xplayer
+xpra
 xreader
 xviewer
 youtube-dl