[GH-ISSUE #2053] [enhancement] Ability to specify xpra display #1387

Open
opened 2026-05-05 08:01:45 -06:00 by gitea-mirror · 1 comment

Originally created by @chiraag-nataraj on GitHub (Jul 22, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2053

So currently, we can use `--x11 xpra` to dynamically start (and attach to) a new xpra display. But for some programs (e.g. terminal emulators), it might make sense to start up an xpra display beforehand and merely connect to it each time. Of course, this can be accomplished through environment variables (using `env DISPLAY=:blah`). But one thing I noticed is that when I use e.g. `x11 xpra`, it cleans out other existing X11 sockets, which means I can whitelist the `/tmp/.X11-unix` directory without having to specify the specific X11 display I will want to connect to. If I go the environment variable route, I will have to specify the particular X11 display I will want to connect to, which makes the profile a little less flexible.

Would it be possible to bring in one new predicate and one new variable? The predicate `xpra-display` would let you specify the specific xpra display you want to connect to and would spawn it if it's not already started. The variable `${DISPLAY}` would let you select the X11 display the program will be running under. That way, I could do something like `whitelist /tmp/.X11-unix/${DISPLAY}` which would keep the profile generic (if I wanted to turn off X11 sandboxing, the profile would keep working with no hiccoughs).

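The "start xpra beforehand, connect to it each time" workflow from the issue, done with options firejail already has, as an added example (not code from the firejail project or from the issue author): a POSIX sh wrapper that starts the xpra server for a chosen display only if its socket is absent, then launches the program under firejail with `--env=DISPLAY=...` and a whitelist of that one socket. The socket directory `/tmp/.X11-unix`, the display `:100` and the program name are assumptions; the proposed `xpra-display` predicate and `${DISPLAY}` variable are not used because the issue does not show them implemented.

```shell
#!/bin/sh
# Added example, not code from the firejail project or the issue author.
# Implements the "env DISPLAY" route from the issue with existing firejail
# options (--env, --whitelist) instead of the proposed xpra-display predicate.
# Assumed: xpra and firejail are on PATH, X11 sockets live in /tmp/.X11-unix.

X11_SOCKET_DIR="${X11_SOCKET_DIR:-/tmp/.X11-unix}"

# Map a display string (":100" or ":100.0") to its Unix socket, e.g.
# /tmp/.X11-unix/X100. Anything that is not a display number is rejected,
# so a malformed DISPLAY cannot turn into an unexpected whitelist path.
display_socket() {
    num="${1#:}"          # strip the leading colon
    num="${num%%.*}"      # drop a ".screen" suffix
    case "$num" in
        ''|*[!0-9]*) printf 'bad display: %s\n' "$1" >&2; return 1 ;;
    esac
    printf '%s/X%s\n' "$X11_SOCKET_DIR" "$num"
}

# Start the xpra server for the display only if its socket is not there yet,
# then wait up to 10 s for the socket to appear before the sandbox uses it.
ensure_xpra_display() {
    sock=$(display_socket "$1") || return 1
    if [ ! -S "$sock" ]; then
        xpra start "$1" || return 1
    fi
    i=0
    while [ ! -S "$sock" ]; do
        i=$((i + 1))
        if [ "$i" -ge 10 ]; then
            printf 'timeout waiting for %s\n' "$sock" >&2
            return 1
        fi
        sleep 1
    done
}

# Build the firejail command line that pins the sandbox to one display.
# Only that socket is whitelisted: whitelisting all of /tmp/.X11-unix would
# also expose the host X server socket (typically X0) to the sandboxed
# program, which is what the issue says `--x11 xpra` avoids by clearing
# the other sockets.
firejail_cmdline() {
    disp="$1"; shift
    sock=$(display_socket "$disp") || return 1
    printf 'firejail --env=DISPLAY=%s --whitelist=%s -- %s\n' "$disp" "$sock" "$*"
}

run_in_display() {
    disp="$1"; shift
    ensure_xpra_display "$disp" || return 1
    sock=$(display_socket "$disp") || return 1
    exec firejail --env="DISPLAY=$disp" --whitelist="$sock" -- "$@"
}

# Usage: ./xpra-jail.sh :100 xterm
if [ "$#" -ge 2 ]; then
    run_in_display "$@"
fi
```

The whitelist names the socket file, not the directory, because with the environment-variable route nothing clears the host's own X socket; this assumes the program's firejail profile does not itself `whitelist /tmp/.X11-unix` as a whole, which would put the directory back. The xpra client side (`xpra attach :100`) runs on the host outside the sandbox and is not started by the wrapper.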
gitea-mirror added the enhancement label 2026-05-05 08:01:45 -06:00

@netblue30 commented on GitHub (Jul 24, 2018):

Sure, let's go for it.

Reference: github-starred/firejail#1387