[PR #1100] [CLOSED] Rewrite X11 handling and add --x11=xvfb mode. #3846

Closed
opened 2026-05-05 10:08:58 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/1100
Author: @zackw
Created: 2/12/2017
Status: Closed

Base: master
Head: x11-xvfb


📝 Commits (2)

  • 49936f4 Rewrite X11 handling and add --x11=xvfb mode.
  • ac919de Remove C99isms.

📊 Changes

23 files changed (+2271 additions, -1909 deletions)


📝 .gitignore (+1 -0)
📝 Makefile.in (+2 -4)
📝 configure (+14 -3)
📝 configure.ac (+1 -1)
etc/Xephyr.profile (+23 -0)
etc/Xvfb.profile (+22 -0)
📝 etc/firejail.config (+21 -1)
📝 etc/xpra.profile (+13 -14)
📝 platform/rpm/old-mkrpm.sh (+0 -2)
📝 src/fcopy/main.c (+272 -267)
📝 src/firejail/checkcfg.c (+50 -4)
📝 src/firejail/firejail.h (+13 -1)
📝 src/firejail/fs.c (+862 -853)
📝 src/firejail/fs_bin.c (+1 -1)
📝 src/firejail/fs_trace.c (+0 -3)
📝 src/firejail/main.c (+16 -5)
📝 src/firejail/paths.c (+121 -70)
📝 src/firejail/profile.c (+29 -12)
📝 src/firejail/sandbox.c (+10 -10)
📝 src/firejail/util.c (+211 -1)

...and 3 more files

📄 Description

This has a surprisingly large number of tentacles, partially because I
wanted the server and window manager run by --x11=<server> to be
sandboxed themselves, and partially because I turned up an awful lot
of bugs in the process.

--x11=xvfb works for how I want to use it, and --x11=xephyr should
also work fine, but I may have broken --x11=xpra. I have no need for
that mode myself, don't know what constitutes "working" for it, and
have run out of time to debug not-really-related-to-my-actual-job
issues.

Highlights of the changes are:

  • New X11 mode --x11=xvfb, which runs the program in a headless X
    session.

  • All of the X11 server modes (except --x11=xorg) now run the server in
    its own, separate sandbox.

  • --x11=xvfb and --x11=xephyr can now optionally run a window
    manager (in yet a third sandbox).

  • Sandbox profiles for Xephyr and Xvfb are added. The profile for
    xpra is modified to match them.

  • Profile option 'mask-x11 no' / command line option '--mask-x11=no'
    is added to make it possible to not mask out access to the real
    /tmp/.X11-unix. This is needed for sandboxing of programs like
    Xephyr, which are their own X server but also need to talk to a
    "parent" X server.

  • New firejail.config options xpra-extra-params, xvfb-screen,
    xvfb-extra-params, and x11-window-manager.

  • x11.c has been extensively refactored and is now mumblety-percent
    less repetitive.

  • x11.c no longer insists on the programs it's trying to run being in
    /usr/bin; it is enough if they are in $PATH somewhere.

  • The logic for acquiring an unused display number has been made more
    robust.

  • A serious bug in the handling of "noblacklist", which could cause
    memory corruption in the privileged parent process, has been
    corrected.

  • libconnect is removed; we do not attempt to selectively mask the
    abstract socket namespace anymore. This never worked 100% and
    interferes with debugging.

  • fcopy now has a --follow-link option, in which it copies the
    destination of the symlink rather than the link itself. This mode
    is used when constructing private /bin directories. This is
    necessary to make 'private-bin sh' work on Debian, where /bin/sh is
    a symlink.

  • The logic for splitting xephyr-extra-params and the like into argument
    vectors is now an accurate match to the behavior of Bourne shell.

  • In many places where an error message failed to print a relevant
    file name and/or strerror(errno), or was being sent to stdout
    instead of stderr, this has been corrected. I probably didn't get
    all of them.

Note: In several places, there are bulk changes to whitespace. This
is because my editor is set to not use tabs and to delete trailing
whitespace on save. I apologize for the confusion, and I recommend you
pull down the changes to your local machine and then use
'git log -p -w' to see the meaningful changes.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
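
The Bourne-shell splitting rule mentioned in the description, as an added example (not code from this pull request or from firejail): a C routine that turns one value such as xephyr-extra-params into an argument vector without ever invoking a shell. The names split_params and free_argv are hypothetical; only quoting is implemented, so variable expansion, globbing and line continuation are assumed not to apply to a single-line config value.

```c
#include <stdlib.h>
#include <string.h>

void free_argv(char **argv)
{
    for (char **p = argv; p && *p; p++) free(*p);
    free(argv);
}

/* Split s into words with Bourne-shell quoting rules. Returns a
 * NULL-terminated vector (release with free_argv), or NULL on an
 * unterminated quote, a trailing backslash or allocation failure. */
char **split_params(const char *s)
{
    size_t len = strlen(s), n = 0;
    char **argv = calloc(len / 2 + 2, sizeof *argv);  /* word bound + NULL */
    char *buf = malloc(len + 1);                      /* a word never exceeds s */
    if (!argv || !buf) goto fail;
    for (;;) {
        while (*s && strchr(" \t\n", *s)) s++;        /* skip separators */
        if (!*s) break;
        size_t w = 0;
        char q = 0;                                   /* open quote: 0, ' or " */
        for (; *s && (q || !strchr(" \t\n", *s)); s++) {
            if (q == '\'') {                          /* everything is literal */
                if (*s == '\'') q = 0; else buf[w++] = *s;
            } else if (q == '"') {                    /* \ escapes only " \ $ ` */
                if (*s == '"') q = 0;
                else if (*s == '\\' && s[1] && strchr("\"\\$`", s[1])) buf[w++] = *++s;
                else buf[w++] = *s;
            } else if (*s == '\'' || *s == '"') {
                q = *s;                               /* quote opens, even mid-word */
            } else if (*s == '\\') {                  /* escapes any next char */
                if (!s[1]) goto fail;
                buf[w++] = *++s;
            } else buf[w++] = *s;
        }
        if (q) goto fail;                             /* unterminated quote */
        if (!(argv[n] = malloc(w + 1))) goto fail;
        memcpy(argv[n], buf, w);
        argv[n++][w] = '\0';
    }
    free(buf);
    return argv;
fail:
    free(buf);
    free_argv(argv);
    return NULL;
}
```

Rejecting malformed values instead of guessing at them keeps the privileged parent from passing a surprising argument vector to the X server it launches.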
