[GH-ISSUE #570] X11 Sandboxing security #405

Closed
opened 2026-05-05 05:47:47 -06:00 by gitea-mirror · 8 comments

Originally created by @ghost on GitHub (Jun 13, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/570

@netblue30 commented on GitHub (Jun 14, 2016):

Run it this way:

$ firejail --net=eth0 --x11 firefox

seccomp in this case is done by default, so you don't need to put it in.

I have more information on x11 here: https://firejail.wordpress.com/documentation-2/x11-guide/

It will stop applications running in a sandbox from snooping on applications running outside the sandbox.

@netblue30 commented on GitHub (Jun 14, 2016):

> Do you recommend it for day-to-day use, instead of the generic command `firejail firefox`?

The external X servers (xpra and xephyr) I am using don't support hardware acceleration. Use them if you are in a hostile environment and you have reasons to believe you need this additional type of sandboxing. They also bring in their own bugs and problems. For regular browsing I wouldn't bother.

> Does Firejail match AppArmor application isolation, in terms of security?

SELinux and AppArmor are as good as the security profiles you use to configure them. If you don't configure them, there will be no isolation. By default SELinux comes with 0 (zero) security profiles for desktop applications. AppArmor has 3 profiles: evince, firefox and chromium. The chromium profile is broken. I don't know how good the firefox profile is.

@netblue30 commented on GitHub (Jun 15, 2016):

In your example firefox will not be able to snoop on transmission, and transmission will not be able to snoop on firefox. Each of them is isolated by a different X server.

@Sidnioulz commented on GitHub (Jun 15, 2016):

(I'm allowing myself to comment on this since I happen to have done work on that topic in another project, and I'm somewhat familiar with the issues of X11 isolation)

For some reason, I can't seem to run git firejail with X11, but you can verify the security works as intended by first reading this article on how to spy on keyboard input (http://theinvisiblethings.blogspot.co.at/2011/04/linux-security-circus-on-gui-isolation.html) and then doing this:

  • Open an Xterm instance with firejail --x11 and check if it gets the keyboard input when other windows have the focus
  • Open a sandboxed Firefox with --x11, and another sandboxed shell without --x11. In that shell, use the xinput test method and check if you get keyboard input for unsandboxed apps (normally yes), and for Firefox (according to @netblue30, no; if yes, then this means the X11 server that isolates X11-sandboxed apps is still acting as a normal X11 client towards the rest of the system, which is the bet I would go for without having tested or read the code).

@netblue30 how do you manage X11 selections? Is the clipboard API functional inside sandboxed clients? It should normally not be at all, given how the X11 API works, since enabling it means sandboxed apps can read all the clipboard content continuously without user consent.

@netblue30 commented on GitHub (Jun 17, 2016):

@Sidnioulz: You need to also configure a network namespace, you have all the details here: https://firejail.wordpress.com/documentation-2/x11-guide/

@rekixex: seccomp is enabled by default, you don't need to specify it in "firejail program_and_arguments"

@Sidnioulz commented on GitHub (Jun 17, 2016):

@netblue30 ah, makes sense! May I suggest forbidding firejail --x11 without a --net argument, since that would be an incomplete form of X11 isolation?

@netblue30 commented on GitHub (Jun 17, 2016):

I'll look into it.

@netblue30 commented on GitHub (Jun 24, 2016):

I'll print a warning, just forbidding it would be very inconvenient for some users, thanks for the suggestion.

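The two points made in this thread, the xinput keyboard-snooping test Sidnioulz describes and the rule that `--x11` is incomplete without `--net`, put together as a small POSIX shell script. This is an added example and not firejail's own code or anything posted in the thread. It assumes a firejail build with `--x11` support (xpra or xephyr installed), the `xinput` tool, and a running X session; the `xinput list` sample embedded in the script is constructed for the parser self-check, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not firejail's own code): replay the keyboard-snooping test
# from the thread against a firejail --x11 sandbox, and refuse to run the
# incomplete form (--x11 without --net). Assumes firejail with --x11 support,
# xinput and a running X session ($DISPLAY).

# Return 0 if the firejail option list is acceptable, 1 if --x11 appears
# without --net=<iface|none>. The X server's abstract Unix socket lives in
# the network namespace, so hiding /tmp/.X11-unix alone is not enough; this
# is why the thread insists on --net alongside --x11.
check_sandbox_args() {
    has_x11=0
    has_net=0
    for arg in "$@"; do
        case "$arg" in
            --x11|--x11=*) has_x11=1 ;;
            --net=*)       has_net=1 ;;
        esac
    done
    if [ "$has_x11" -eq 1 ] && [ "$has_net" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Extract the ids of real keyboards from `xinput list` output read on stdin.
# Master devices and the virtual XTEST keyboard are skipped; the remaining
# slave keyboards are what `xinput test` must be pointed at to snoop keys.
keyboard_ids() {
    grep 'slave *keyboard' | grep -v 'XTEST' \
        | sed -n 's/.*id=\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample of `xinput list` output (not captured from a real host),
# so the parser can be exercised without an X session.
SAMPLE_XINPUT_LIST='Virtual core pointer                        id=2    [master pointer  (3)]
    Virtual core XTEST pointer              id=4    [slave  pointer  (2)]
Virtual core keyboard                       id=3    [master keyboard (2)]
    Virtual core XTEST keyboard             id=5    [slave  keyboard (3)]
    AT Translated Set 2 keyboard            id=9    [slave  keyboard (3)]
    USB Keyboard                            id=11   [slave  keyboard (3)]'

# Space-separated keyboard ids parsed from the sample, for a self-check.
sample_keyboard_ids() {
    printf '%s\n' "$SAMPLE_XINPUT_LIST" | keyboard_ids | xargs
}

# Interactive test. Usage: sh x11check.sh --run --net=eth0 --x11 xterm
# Launches the program inside the sandbox, then listens on every physical
# keyboard from THIS unsandboxed shell. Type into the sandboxed window: any
# "key press"/"key release" lines printed here mean the isolation failed.
# Type into a non-sandboxed window afterwards to confirm the listener works.
snoop_test() {
    if ! check_sandbox_args "$@"; then
        echo "refusing: --x11 without --net=<iface> is incomplete X11 isolation" >&2
        return 2
    fi
    firejail "$@" &
    sandbox_pid=$!
    for id in $(xinput list | keyboard_ids); do
        echo "listening on keyboard id=$id from outside the sandbox" >&2
        xinput test "$id" &
    done
    wait "$sandbox_pid"
    # stop the listeners once the sandboxed program exits
    pkill -P $$ -x xinput 2>/dev/null
    return 0
}

case "${1-}" in
    --run) shift; snoop_test "$@" ;;
esac
```

Run it once with `--net=eth0 --x11 xterm` and once with a plain `xterm` (no firejail) for comparison: keystrokes into the unsandboxed xterm show up in the listener, keystrokes into the sandboxed one should not. Omitting `--net` makes the script exit with status 2 before anything is launched, which is the hard form of the warning netblue30 said he would add.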