mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #767] --x11=xpra still has full access to host X server #519
Originally created by @klampworks on GitHub (Sep 6, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/767
If I run the following:
And inside my sandboxed xterm do:
Then a new xterm window pops up on the host X server.
I noticed that Firejail will not allow `/usr/bin/xinput` to be executed inside the sandbox. If we rename it to xinput2 for the sake of demonstration and then do the following (your device number may vary):
Then I can capture all keystrokes from the host X server from inside the sandbox. In other words, using Firejail with Xpra is providing no GUI isolation at all.
Is this intentional? I think this should merit at least a warning message to the user that malicious X11 applications can still steal all your internet banking passwords even if you "isolate" them with Firejail.
Or have I just not set up Firejail correctly?
Thanks.
@chiraag-nataraj commented on GitHub (Sep 6, 2016):
I checked this with xephyr, and the same holds true there as well. One way, of course, is to completely prevent access to the sockets of the host X server (using `private-tmp` and `net=none`).
[EDIT]
Never mind. Using those options prevents me from connecting to the child X server as well, at least with xephyr.
@klampworks commented on GitHub (Sep 6, 2016):
Ah yes, using `--net=none` fixes the problem for me with Xpra.
Ideally I would like my Firejailed application to have regular internet access though.
@chiraag-nataraj commented on GitHub (Sep 6, 2016):
Okay. So it works with Xpra but not with Xephyr and prevents actual internet access. You could also disable the abstract socket, which would obviate the necessity of using `--net=none`. You can do so by adding the parameter `-nolisten local` in the command in `/etc/X11/xinit/xserverrc`. If you're not using `startx` as your command, you can find more details here: http://tstarling.com/blog/2016/06/x11-security-isolation/
@klampworks commented on GitHub (Sep 6, 2016):
Starting X with `-nolisten local` fixes the problem.
I'm on Gentoo so this is entirely my fault for not configuring X correctly.
If this is the default behaviour for other distros it might be worth adding a word about it to the Firejail documentation though.
Thank you very much for your help.
@chiraag-nataraj commented on GitHub (Sep 6, 2016):
The default is to enable the abstract socket in most distros (at least Debian and Ubuntu). @netblue30, you should add a note that you can disable the abstract socket using `-nolisten local` :)
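
An audit check for the fix discussed in this thread, added here as an example (it is not from the thread participants or from Firejail): it parses `/proc/net/unix` and reports which X displays still have a listening abstract socket in the current network namespace. The function name `listening_x11_abstract` and the sample table are constructed for illustration.

```python
#!/usr/bin/env python3
"""List X11 abstract sockets that are listening in this network namespace."""
import os

ACCEPTCON = 0x00010000            # __SO_ACCEPTCON: socket is in listening state
X11_PREFIX = "@/tmp/.X11-unix/X"  # /proc/net/unix marks abstract names with '@'

# Constructed sample of /proc/net/unix so the check can be exercised offline.
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20417 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20418 /tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 31002 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 18877 /run/dbus/system_bus_socket
0000000000000000: 00000003 00000000 00000000 0001 03 30110
"""

def listening_x11_abstract(proc_net_unix):
    """Return displays (e.g. [':0']) that have a listening abstract socket."""
    displays = set()
    for line in proc_net_unix.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue                                 # unnamed socket, no Path column
        flags, path = int(fields[3], 16), fields[7]
        # Filesystem sockets (no '@') are covered by private-tmp, not by this check.
        if flags & ACCEPTCON and path.startswith(X11_PREFIX):
            suffix = path[len(X11_PREFIX):]
            if suffix.isdigit():
                displays.add(":" + suffix)
    return sorted(displays, key=lambda d: int(d[1:]))

if __name__ == "__main__":
    source = "/proc/net/unix"
    if os.path.exists(source):
        with open(source) as fh:
            table = fh.read()
    else:
        source, table = "constructed sample", SAMPLE
    found = listening_x11_abstract(table)
    print(f"{source}: listening abstract X11 sockets: {found or 'none'}")
    raise SystemExit(1 if found else 0)
```

Run it on the host and again inside the sandbox: an empty result inside the sandbox means the host server's abstract socket is not reachable from that namespace, either because X was started with `-nolisten local` or because the sandbox has its own network namespace.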