github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #736] what to do if --x11 wont work, and which browser? #496

New issue
Closed
opened 2026-05-05 05:58:56 -06:00 by gitea-mirror · 5 comments
gitea-mirror commented 2026-05-05 05:58:56 -06:00
Owner
Copy link

Originally created by @xahare on GitHub (Aug 21, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/736

Is there anything you can do for gui isolation (short of virtual machines) if xpra wont work? for example with Xwayland in fedra24.

also, in this context, do firefox or chrome try to anything to mitigate or at least prevent itself from abusing x11? would -net still help given that the browser already has access to the x server?

it seems like chrome(ium) is safer, but i could be missing something.

Originally created by @xahare on GitHub (Aug 21, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/736 Is there anything you can do for gui isolation (short of virtual machines) if xpra wont work? for example with Xwayland in fedra24. also, in this context, do firefox or chrome try to anything to mitigate or at least prevent itself from abusing x11? would -net still help given that the browser already has access to the x server? it seems like chrome(ium) is safer, but i could be missing something.
gitea-mirror 2026-05-05 05:58:56 -06:00
gitea-mirror commented 2026-05-05 05:59:04 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 22, 2016):

Hopefully they will bring Xpra in Fedora. I can see a package in Copr: https://copr.fedorainfracloud.org/coprs/jgu/xpra/

You can try Xephyr, is not as nice as Xpra, but it will do the job.

also, in this context, do firefox or chrome try to anything to mitigate or at least prevent itself from abusing x11? would -net still help given that the browser already has access to the x server?

No, they just disregard any X11 problems. Chrome sandbox disables X11, but only a portion of Chrome code runs in the sandbox.

<!-- gh-comment-id:241386004 --> @netblue30 commented on GitHub (Aug 22, 2016): Hopefully they will bring Xpra in Fedora. I can see a package in Copr: https://copr.fedorainfracloud.org/coprs/jgu/xpra/ You can try Xephyr, is not as nice as Xpra, but it will do the job. > also, in this context, do firefox or chrome try to anything to mitigate or at least prevent itself from abusing x11? would -net still help given that the browser already has access to the x server? No, they just disregard any X11 problems. Chrome sandbox disables X11, but only a portion of Chrome code runs in the sandbox.
gitea-mirror commented 2026-05-05 05:59:06 -06:00
Author
Owner
Copy link

@xahare commented on GitHub (Aug 22, 2016):

i tried xpra from the main and winswitch.org repos. both crashed when using xwayland. xephyr worked as expected, but could use a -resizable flag.

<!-- gh-comment-id:241487605 --> @xahare commented on GitHub (Aug 22, 2016): i tried xpra from the main and winswitch.org repos. both crashed when using xwayland. xephyr worked as expected, but could use a -resizable flag.
gitea-mirror commented 2026-05-05 05:59:09 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 22, 2016):

I've tried --resize, it crashes.

<!-- gh-comment-id:241550400 --> @netblue30 commented on GitHub (Aug 22, 2016): I've tried --resize, it crashes.
gitea-mirror commented 2026-05-05 05:59:11 -06:00
Author
Owner
Copy link

@xahare commented on GitHub (Aug 22, 2016):

How do you know what they sandbox? did you trace them? or some other way?

<!-- gh-comment-id:241559052 --> @xahare commented on GitHub (Aug 22, 2016): How do you know what they sandbox? did you trace them? or some other way?
gitea-mirror commented 2026-05-05 05:59:15 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Aug 22, 2016):

@xahare If I'm not mistaken, the design of the Google Chrome/Chromium sandbox is given here and the Firefox one is given here. Basically, the Firefox one relies heavily on the Chromium one for Windows and on seccomp-bpf for Linux. Neither of these actually address the huge glaring security vulnerabilities in X11 that are too hard to fix given the way it's been designed, hence the need for extra filtering through something like firejail (or a redesign of the graphical subsystem such as Wayland).

<!-- gh-comment-id:241581443 --> @chiraag-nataraj commented on GitHub (Aug 22, 2016): @xahare If I'm not mistaken, the design of the Google Chrome/Chromium sandbox is given [here](https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md) and the Firefox one is given [here](https://wiki.mozilla.org/Security/Sandbox). Basically, the Firefox one relies heavily on the Chromium one for Windows and on seccomp-bpf for Linux. Neither of these actually address the huge glaring security vulnerabilities in X11 that are too hard to fix given the way it's been designed, hence the need for extra filtering through something like firejail (or a redesign of the graphical subsystem such as Wayland).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#496
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?