[GH-ISSUE #322] X-server de-isolation (reverse to #57) #223

Closed
opened 2026-05-05 05:21:18 -06:00 by gitea-mirror · 6 comments

Originally created by @msva on GitHub (Feb 25, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/322

Hi!
I'm trying to achieve something that looks like the opposite of the things discussed in #57: I want to use "private-home" and "private-tmpfs" for an application (so it can't look in the real $HOME and /tmp, but has its own), but on the other hand be able to connect to my X.org server and render its interface. So, I'm thinking about some option like "userspace bind", that will bind files specified on the command line (and/or in the profile) into the created tmpfs.

And, actually, the same for the private home dir: I'd like to bind some files/dirs from it to the app's private home dir, but I don't want to give them access to the full home dir.

Isn't there something for that already (except for the bind option, which requires root access)? And can it be implemented at all?


@netblue30 commented on GitHub (Feb 26, 2016):

> I want to use "private-home" and "private-tmpfs"

Try this:

```
$ firejail --private --private-tmp program-name
```

It will connect to the X11 socket. There are two X11 sockets, one in /tmp discarded by the sandbox, and an abstract socket. If you do "netstat -a | grep X11" the abstract socket is printed as @/tmp/.X11-unix/X0. This socket is visible even if you disable the /tmp directory.

> I'd like to bind some files/dirs from it to app's private home dir, but I don't want to give them access to full home dir.

You can use --whitelist:

```
$ firejail --whitelist=~/.mozilla firefox
```

@msva commented on GitHub (Feb 26, 2016):

1) unfortunately, no :(

```
$ cat ~/.config/firejail/slack.profile
noblacklist ~/.config/Slack
noblacklist ~/Downloads
include /etc/firejail/generic.profile
protocol unix,inet,inet6,netlink
private-dev
private-tmp
private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
private ~/.jails/slack
name slack
blacklist /var
$  firejail slack
Reading profile /home/mva/.config/firejail/slack.profile
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-terminals.inc
Warning: a protocol list is present, the new list "unix,inet,inet6,netlink" will not be installed
Parent pid 307153, child pid 307154

Child process initialized
No protocol specified

parent is shutting down, bye...
```

> No protocol specified
> Talking about sockets unavailability :(

Although,

```
$  netstat -na | grep X11
unix  2      [ ACC ]     STREAM     LISTENING     11669    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     11670    /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2459535  @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17919    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     67176    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15293    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16609    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15705    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     6733626  @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16704    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17458    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17483    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15717    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     34586    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17901    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     18895    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     570645   @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17608    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     474507   @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17920    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     9819150  @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1755206  @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17460    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16454    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     18473    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15498    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     18712    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16626    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1753517  @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16651    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17504    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16561    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2379218  @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16512    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16449    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     18509    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16591    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     7765976  @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14328    @/tmp/.X11-unix/X0
```

And also, when I remove `private-tmp` the application starts fine.

By the way, after updating to the current git-HEAD version, if I include the "general" profile (inside the custom one), then the application doesn't start, saying:

```
Reading profile /home/mva/.config/firejail/slack.profile
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-terminals.inc
Warning: a protocol list is present, the new list "unix,inet,inet6,netlink" will not be installed
Parent pid 307430, child pid 307431

Child process initialized
[local-storage.js] - Creating local storage instance at path: /home/mva/.config/Slack/local-settings.json
[8:0226/231606:FATAL:udev_linux.cc(18)] Check failed: monitor_. 

parent is shutting down, bye...
```

And when I comment out the inclusion of the general profile, it starts fine.

2) I tried to use whitelist, but it seems it doesn't work together with `private`, because the folder (that I whitelisted) is still empty inside the jail (or, if it wasn't created before, there is no such folder at all) :(

3) it seems something else was broken by the update :( now I can't "join" that jail:

```
$ firejail --join=slack
Switching to pid 309004, the first child process inside the sandbox
Error: seccomp file not found
```

:'(


@netblue30 commented on GitHub (Feb 27, 2016):

What exactly are you trying to do? First, I would try "firejail --noprofile slack". If this works I would use the default profile: "firejail slack". What do you mean by "de-isolation"?


@vn971 commented on GitHub (Feb 28, 2016):

@msva I don't know whether that's generally recommended, but might this work for you?:

`firejail --whitelist=/tmp/.X11-unix --private`


@msva commented on GitHub (Feb 28, 2016):

@netblue30, I'm trying to jail the `slack` (or let it even be `skype`) program, and: hide the entire homedir from it (it contains a lot of sensitive data), but store all changes it makes in the homedir in its personal storage (to not interfere with other software); and hide other things like dev and tmp from it.

And at the same time I want to "bind" (or whatever) some files/directories from the real FS inside the jail's private ones (copying is not the case, and symlinks will not work).

@vn971 nope, anyway `No protocol specified`.


@msva commented on GitHub (Feb 29, 2016):

And, rephrasing my issues:

~~1) `private-tmp` makes the X application unable to start because of `No protocol specified`. Even with `--noprofile`. Probably there are no X sockets bound inside the private /tmp and it can't connect to the abstract ones, but it is hard to properly debug it, since firejail shuts down right after the jailed app reports failure.~~

^^ fixed by `--whitelist=/tmp/xauth-1000-_0` instead of `private-tmp`

2) `whitelist` doesn't bind the directory specified as its argument inside the jail, if that path inside the jail is "private" (whether that is the effect of `private-tmp`, `private-etc`, `private-dev` or `private`). While that is what I want to achieve.

// Although it can be fixed in the same way as 1), i.e. by not using `private-{whatever}` and using just `whitelist=bla` instead, it is not the case I want: I want to have an isolated (fake), but persistent (!) homedir, containing some specified dirs/files from the real homedir. Although it is possible to just copy them into the directory specified as the argument to `private`, I'd very much like to have them bound, to not constantly merge changes made in those dirs/files.
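The thread ends up with two separate failure modes for an X client under `private-tmp`: the filesystem socket /tmp/.X11-unix/X0 disappears while the abstract socket @/tmp/.X11-unix/X0 stays reachable (netblue30's point), and the Xauthority cookie file (here /tmp/xauth-1000-_0) gets hidden, which is what actually produces `No protocol specified` (msva's fix). The following diagnostic is an added example, not code from the thread or from firejail; the `connect` and `readable` hooks are an assumption of this example so the logic can be exercised on constructed inputs without an X server.

```python
import os
import socket


def x11_socket_paths(display):
    """Return (filesystem path, abstract name) of the X server socket for DISPLAY."""
    # DISPLAY looks like ":0", ":0.0" or "unix:0"; only the display number matters.
    number = display.split(":", 1)[1].split(".", 1)[0]
    fs_path = f"/tmp/.X11-unix/X{number}"
    # The abstract socket lives in the network namespace, not in /tmp: netstat
    # prints it with a leading '@', the socket API addresses it with a leading NUL.
    return fs_path, "\0" + fs_path


def can_connect(path):
    """True if a plain connect() to the Unix socket succeeds; no X request is sent."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(1.0)
    try:
        sock.connect(path)
        return True
    except OSError:
        return False
    finally:
        sock.close()


def xauthority_path(env, home):
    """The cookie file Xlib reads: $XAUTHORITY if set, else ~/.Xauthority."""
    return env.get("XAUTHORITY") or os.path.join(home, ".Xauthority")


# `connect` and `readable` are injectable hooks (assumption of this example).
def diagnose(display, env, home, connect=can_connect,
             readable=lambda p: os.access(p, os.R_OK)):
    """Classify why an X client inside the sandbox would fail to open DISPLAY."""
    fs_path, abstract = x11_socket_paths(display)
    report = {
        "fs_socket": connect(fs_path),          # hidden by private-tmp
        "abstract_socket": connect(abstract),   # survives private-tmp
        "xauthority": xauthority_path(env, home),
    }
    report["xauthority_readable"] = readable(report["xauthority"])
    if not (report["fs_socket"] or report["abstract_socket"]):
        report["verdict"] = "no X socket reachable"
    elif not report["xauthority_readable"]:
        # Socket is fine but the cookie file is hidden: the server rejects the
        # unauthenticated connection and Xlib prints "No protocol specified".
        report["verdict"] = "cookie file hidden: expect 'No protocol specified'"
    else:
        report["verdict"] = "ok"
    return report
```

Run it inside the sandbox as `diagnose(os.environ["DISPLAY"], os.environ, os.path.expanduser("~"))`: a verdict of "cookie file hidden" points at whitelisting the cookie file rather than at the socket.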

Reference: github-starred/firejail#223