github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

Improve formatting of headings

Kelvin M. Klann 2024-07-20 15:27:56 -03:00
parent b0e73c3ee4
commit a4b6dc3f26
6 changed files with 101 additions and 79 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Firejail-Universe.md

@ -1,6 +1,6 @@
An (incomplete) list of projects that use or complement firejail.
## Tools ##
## Tools
* fdns ([repo](https://github.com/netblue30/fdns)) — Firejail DNS-over-HTTPS Proxy Server
* firecfg.py ([repo](https://github.com/rusty-snake/firecfg.py)) — An improved firecfg written in python
@ -27,14 +27,14 @@ An (incomplete) list of projects that use or complement firejail.
* torjail ([repo](https://github.com/equk/torjail)) — download, verify & run torbrowser in a sandbox
* xdg-open.c ([gist](https://gist.github.com/rusty-snake/5104dc53ce3e52eef86cc34d359aa10e)) — A xdg-open drop-in wrapper to make xdg-open work nicely with firejail
## Configurations ##
## Configurations
* firejail-profiles ([repo](https://github.com/chiraag-nataraj/firejail-profiles)) — Tight Firejail profiles
* firejail-profiles ([repo](https://github.com/laomaiweng/firejail-profiles)) — My firejail profiles
* kyst ([repo](https://github.com/rusty-snake/kyst)) — Keep Your Sandbox Tight! Actually just a collection of my own tight sandbox configurations.
* Xe1phix-Firejail ([repo](https://gitlab.com/xe1phix/Xe1phix-Firejail)) My custom firejail configurations, profiles, menus, syntax, etc.
### Guides ###
### Guides
* firejailed-tor-browser ([repo](https://github.com/rusty-snake/firejailed-tor-browser)) — HOWTO: Firejailed Tor Browser
* zoom-firejail ([repo](https://github.com/t-wissmann/zoom-firejail)) — My zoom setup in firejail that requires no global zoom installation

78
Frequently-Asked-Questions.md

@ -1,4 +1,6 @@
## Technology
## TOC
Technology:
* [Why on earth should I use Firejail?](#why-on-earth-should-i-use-firejail)
* [How does it compare with AppArmor?](#how-does-it-compare-with-apparmor)
@ -6,7 +8,7 @@
* [What is the overhead of the sandbox?](#what-is-the-overhead-of-the-sandbox)
* [Can I sandbox a full OS?](#can-i-sandbox-a-full-os)
## Applications
Applications:
* [Firefox doesnt open in a new sandbox.](#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance)
* [How do I run two instances of Firefox?](#how-do-i-run-two-instances-of-firefox)
@ -18,12 +20,12 @@
* [How can I enable fcitx?](#how-can-i-enable-fcitx)
* [How do I sandbox applications started via systemd or D-Bus services?](#how-do-i-sandbox-applications-started-via-systemd-or-d-bus-services)
## Usage
Usage:
* [How do I undo `firecfg`?](#how-do-i-undo-firecfg)
* [How do I bypass firejail on a one-off basis?](#how-do-i-bypass-firejail-on-a-one-off-basis)
## Known Problems
Known Problems:
* [OverlayFS features disabled for Linux kernel 4.19 and newer](#overlayfs-features-disabled-for-linux-kernel-419-and-newer)
* [A program isn't firejailed](#a-program-isnt-firejailed)
@ -40,9 +42,9 @@
* [Ive noticed the title bar in Firefox shows “(as superuser)”, is this normal?](#ive-noticed-the-title-bar-in-firefox-shows-as-superuser-is-this-normal)
* [Media issues with firejail 0.9.62 under Arch](#media-issues-with-firejail-0962-under-arch)
# Technology
## Technology
## Why on earth should I use Firejail?
### Why on earth should I use Firejail?
Some existing Linux security solutions are easily defeated from internal and/or external threats. Other solutions are just too difficult to put in place. Firejails approach is radically different.
@ -50,7 +52,7 @@ For us, the user always comes first. We manage to keep the learning curve down.
We use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature, and have been extensively tested in the market place by products such as Google Chrome or Docker.
## How does it compare with AppArmor?
### How does it compare with AppArmor?
Firejail uses private mount namespaces to achieve similar access controls compared to AppArmor and capability restrictions are also similar. In addition to those, Firejail can set up system call filtering with seccomp and restrict networking. Unlike Firejail, AppArmor can restrict mapping of files to memory. AppArmor's available features can vary widely across kernel versions and distros. Firejail also is executing SUID, elevating user's privileges temporarily, e.g. for setting up mounts, which can be an attack vector.
@ -60,7 +62,7 @@ In general to use both for a particular app, you will need to modify the pre-pac
Keep in mind that AppArmor is mandatory when enabled while Firejail can be easily circumvented (intentionally or not). It should be possible to use Firejail just for seccomp and network control, those can not conflict with prepackaged AppArmor. See [#2248](https://github.com/netblue30/firejail/issues/2248) for a discussion on this.
## How does it compare with Docker, LXC, nspawn, bubblewrap?
### How does it compare with Docker, LXC, nspawn, bubblewrap?
Docker, LXC and nspawn are container managers. A container is a separate root filesystem. The software runs in this new filesystem. Firejail and bubblewrap are security sandboxes. Firejail works on your existing filesystem. It is modeled after the security sandbox distributed with Google Chrome.
@ -85,21 +87,21 @@ Comparison of Firejail features vs. bubblewrap:
* easy to use flags like `novideo`, `no3d`, `nodvd`, `notv`, `nogroups`, `noroot`, `nou2f`, `noexec` mount flag
* easier seccomp filtering (compared to loading cBPF programs) with deny-listing and allow-listing, 32-bit support, `memory-deny-write-execute`, `protocol`
## What is the overhead of the sandbox?
### What is the overhead of the sandbox?
The sandbox itself is a very small process. The setup is fast, typically several milliseconds. After the application is started, the sandbox process goes to sleep and doesnt consume any resources. All the security features are implemented inside the kernel, and run at kernel speed.
## Can I sandbox a full OS?
### Can I sandbox a full OS?
The idea so far was to target specific applications, such as Firefox and Chromium, or closed source apps like Steam and Skype. We are moving in the direction of sandboxing a full OS, but it will take some time to get there.
# Usage
## Usage
## How do I undo firecfg?
### How do I undo firecfg?
Run `sudo firecfg --clean`.
## How do I bypass firejail on a one-off basis?
### How do I bypass firejail on a one-off basis?
`firecfg` works by simply creating symlinks in '/usr/local/bin' to the `/usr/bin/firejail` binary, which will then search for the app's binary (usually in `/usr/bin`). Because `/usr/local/bin/` comes before `/usr/bin` in `$PATH`, running `<app>` (e.g. `vlc`) will run `firejail`, so the app will start jailed by default. If you want to start it without a jail, run `/usr/bin/vlc`.
@ -113,13 +115,13 @@ See also:
- https://github.com/netblue30/firejail/issues/3665#issuecomment-707689049
- https://github.com/netblue30/firejail/pull/5876
# Applications
## Applications
## Firefox doesnt open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance
### Firefox doesnt open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance
By default, Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in Firejail sandbox.
## How do I run two instances of Firefox?
### How do I run two instances of Firefox?
Open `about:profiles` and create the new profile NAME.
@ -135,11 +137,11 @@ Then, start the second sandbox:
firejail firefox -P "NAME" --no-remote
```
## How do I run tor browser?
### How do I run tor browser?
See [Tor Browser home install](https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software#tor-browser-home-install).
## How do I run VLC in a sandbox without network access?
### How do I run VLC in a sandbox without network access?
`--net=none` command line switch installs a new TCP/IP stack in your sandbox. The stack is not connected to any external interface. For the programs running inside, the sandbox looks like a computer without any Ethernet interface.
@ -156,18 +158,18 @@ net none
See also: https://github.com/netblue30/firejail/wiki/Creating-overrides
## Can you sandbox Steam games and Skype?
### Can you sandbox Steam games and Skype?
Support for Steam, Wine and Skype has been around since version 0.9.34. Quite a number of other closed-source programs are supported.
Running `ls /etc/firejail/*.profile` will list all the security profiles distributed with Firejail. Applications that do not have a profile will use the default profile (`/etc/firejail/default.profile`).
## How do I enable plasma browser integration in Firefox?
### How do I enable plasma browser integration in Firefox?
Create a new file `~/.config/firejail/firefox.local` and add `ignore nodbus`.
If you have `private-bin` enabled, you must also add `private-bin plasma-browser-integration-host`.
## How do I integrate firecfg into my package manager?
### How do I integrate firecfg into my package manager?
Arch Linux: https://wiki.archlinux.org/index.php/Firejail#Using_Firejail_by_default
@ -181,7 +183,7 @@ Fedora: Install `python3-dnf-plugin-post-transaction-actions` and create `/etc/d
/usr/share/applications/*:any:firecfg
```
## How can I enable fcitx?
### How can I enable fcitx?
Depending on the dbus-policy of the profile you need to add different command to its local.
If the dbus-policy is set to `filter`, it is enough to add `dbus-user.talk org.freedesktop.portal.Fcitx`.
@ -193,7 +195,7 @@ dbus-user.talk org.freedesktop.portal.Fcitx
ignore dbus-user none
```
## How do I sandbox applications started via systemd or D-Bus services?
### How do I sandbox applications started via systemd or D-Bus services?
By default distributions ship service files to start applications with a full path. This effectively runs those applications `non-sandboxed`. If you use Firejail it's assumed you'd prefer to run applications sandboxed. Firecfg does its best to help achieve that by creating symlinks that have path-priority, changing .desktop files to point at those, etcetera. But it doesn't support changing these service files. If you want to "fix" this, you'll need to create overrides that `force` apps to run `firejailed`. How to proceed depends on the specifics, we'll show you here. Although systemd depends on D-Bus and makes heavy usage of it, both have distinct configurations.
@ -207,23 +209,23 @@ systemd --user
Currently the firecfg command doesn't do any of this automatically. For an alternative implementation that supports these features, see [firecfg.py](https://github.com/rusty-snake/firecfg.py).
# Known Problems
## Known Problems
## OverlayFS features disabled for Linux kernel 4.19 and newer
### OverlayFS features disabled for Linux kernel 4.19 and newer
Something changed in the kernel code, and we are not able to mount / filesystem in overlay. We are working on a fix.
## A program isn't firejailed
### A program isn't firejailed
`firejail --list` does not show the running program to be inside a Firejail sandbox.
First make sure you have run `firecfg` with `sudo`. If you run this as root without sudo, it will not fix your `.desktop` files. If this did not work, create a symlink manually (`ln -s /usr/bin/firejail /usr/local/bin/PROGRAM`). Additionally, adding an alias in your shell or modifying the `Exec` line in your `.desktop` file will work, too. Only edit the `.desktop` file if you know what you are doing.
If your program is installed under `/opt` you need to use `firejail /opt/foo/bar` in the terminal/`.desktop` file for example.
## RTNETLINK error
### RTNETLINK error
`firejail --net=eth1 firefox` yields in `RTNETLINK answers: Operation not supported`. Missing modules, kernel update without reboot are cause. Look at issue [#2046](https://github.com/netblue30/firejail/issues/2046) or [#2387](https://github.com/netblue30/firejail/issues/2387).
## PulseAudio 7.0/8.0 issue
### PulseAudio 7.0/8.0 issue
The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Many Linux users are reporting sound problems when running applications in Firejail sandbox. It affects among others Ubuntu 16.04 and Mint users. This problem was fixed PulseAudio version 9.0. Run `firecfg --fix` in a terminal or apply the following configuration to mask the problem:
@ -238,27 +240,27 @@ A logout/login is required for the changes to take effect.
If you have problems with PulseAudio 9.x use the previous fix, or configure `enable-memfd = yes` in `/etc/pulse/daemon.conf`.
## Browser mailto and mail programs attachments do not work
### Browser mailto and mail programs attachments do not work
Mailto usually uses dbus and is thus disabled by default. [Create a local override](https://github.com/netblue30/firejail/wiki/Creating-overrides#ignore-a-specific-directive) and add `ignore nodbus` to the Firefox or Chromium override file as in [#2795](https://github.com/netblue30/firejail/issues/2795) and [#1718](https://github.com/netblue30/firejail/issues/1718).
Mail programs do not need to interact with the entirety of the filesystem. You may want to [allow access](https://github.com/netblue30/firejail/wiki/Creating-overrides#allow-access-to-a-file-or-directory) to a single directory for attachments and other downloads.
## Cannot open hyperlink with web browser using another application
### Cannot open hyperlink with web browser using another application
It is recommended to copy-paste links from with application with the hyperlink into an already running web browser. This will always be the safest bet, albeit not very user-friendly. See [#2228](https://github.com/netblue30/firejail/issues/2228) and [#2047](https://github.com/netblue30/firejail/issues/2047)
## Firefox 60 problems
### Firefox 60 problems
Firefox 60 doesnt work with Firejail version 0.9.52 or older. Patched security profiles for are available for Firejail versions 0.9.38.x (LST) and 0.9.52. You can find them in our [profile fixes section]. Another option is to install a [newer version of Firejail](https://github.com/netblue30/firejail#installing).
## LibreOffice on Ubuntu 18.04
### LibreOffice on Ubuntu 18.04
LibreOffice crashes when sandboxed with Firejail version 0.9.52 in Ubuntu 18.04. A patched security profile for Firejail 0.9.52 is available in our [profile fixes section]. Another option is to install a [newer version of Firejail](https://github.com/netblue30/firejail#installing).
[profile fixes section]: https://github.com/netblue30/firejail/tree/master/etc-fixes
## Cannot install new software while Firejail is running
### Cannot install new software while Firejail is running
Files blacklisted in a running jail cannot be removed from outside of jail. This causes a serious inconvenience when using Firejail with long time running processes. For example, preventing user from updating system normally, as files like `/bin/su`, `/bin/mount`, `/usr/bin/sudo` are blacklisted by default. Also, admin commands for adding users and groups will fail.
@ -266,15 +268,15 @@ Firejail implements blacklisting by mounting an empty, read-only file or directo
The problem is fixed in Linux kernels 3.18 or newer.
## Cannot connect to ibus-daemon in a new network namespace
### Cannot connect to ibus-daemon in a new network namespace
`ibus-daemon` is used to change the system language, for example to switch between English (US) input and Japanese inputs. In a sandbox using a new network namespace ibus-daemon socket is disabled and keyboard switching capability is lost.
## Cannot kill firejailed program
### Cannot kill firejailed program
Check namespace support like for killall (command option `--ns`) and adapt the command for `firejail --tree` output.
## Firefox crashing on Netflix, AMDGPU PRO, Nvidia closed source drivers
### Firefox crashing on Netflix, AMDGPU PRO, Nvidia closed source drivers
You should first set `browser-allow-drm` to `yes` in `/etc/firejail/firejail.config` or add `ignore noexec ${HOME}` to your `firefox.local`.
If you are using a firejail version older than 0.9.68 and NVIDIA proprietary drivers, you must also set `ignore noroot` in your `firefox.local`.
@ -294,13 +296,13 @@ firejail --allow-debuggers --ignore=seccomp --ignore=protocol --ignore=noroot \
</details>
## Ive noticed the title bar in Firefox shows “(as superuser)”, is this normal?
### Ive noticed the title bar in Firefox shows “(as superuser)”, is this normal?
The sandbox process itself runs as root. The application inside the sandbox runs as a regular user. `ps aux | grep firefox` reports Firefox process running as a regular user.
The same problem was seen on other programs as well (VLC, Audacious, Transmission), and it is believed to be a bug in the window manager. You can find a very long discussion on the development site: https://github.com/netblue30/firejail/issues/258
## Media issues with firejail 0.9.62 under Arch
### Media issues with firejail 0.9.62 under Arch
Fix: Add `ld.so.conf,ld.so.conf.d,ld.so.preload` to the `private-etc` line of the profile,
you can do this by creating a `.local` file in `~/.config/firejail/PROFILE_NAME.local` with the following content:

10
Home.md

@ -1,8 +1,8 @@
# Welcome to the firejail wiki!
## Welcome to the firejail wiki!
This is a space to document frequently asked questions, tips and tricks, and anything else people think is worth documenting! If you have suggestions, please don't hesitate to reach out by creating an Issue or Pull Request.
# Table of Contents
## Table of Contents
- [Home](./Home) &mdash; [discussion](https://github.com/netblue30/firejail/discussions/4441)
- [Comparison of firejail and systemd's hardening options](./Comparison-of-firejail-and-systemd's-hardening-options) &mdash; [discussion](https://github.com/netblue30/firejail/discussions/4466)
@ -17,15 +17,15 @@ This is a space to document frequently asked questions, tips and tricks, and any
- [Using firejail from git](./Using-firejail-from-git) &mdash; [discussion](https://github.com/netblue30/firejail/discussions/4450)
- [X11 Guide](./X11-Guide) &mdash; [discussion](https://github.com/netblue30/firejail/discussions/4451)
# Editing this wiki
## Editing this wiki
You are highly encouraged to add your own tips and tricks!
## Adding a new page
### Adding a new page
When you add a new page to the wiki, please link to it from this page under the Table of Contents. **Additionally**, please create an discussion for the page and link to it from here as well. Thanks!
## Editing an existing page
### Editing an existing page
If you intend to edit an existing page, please discuss the proposed
changes on the linked issue. Minor edits such as typos can, of course, be corrected directly.

10
Sandboxing-Binary-Software.md

@ -28,7 +28,7 @@ We also have an AppImage example in Kdenlive. For a command-line application che
If you install software by yourself and not with a package-manager, _you_ need to update the software.
To have the actual security-patches installed is even more important for a secure system than sandboxing and hardening.
# Applications
## Applications
1. [Mozilla Firefox](https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software#mozilla-firefox-opt-install)
2. [Tor Browser](https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software#tor-browser-home-install)
@ -37,7 +37,7 @@ To have the actual security-patches installed is even more important for a secur
Hint: See [Wiki: Profiles](https://github.com/netblue30/firejail/wiki/Creating-Profiles#general) for Firejail's paths.
## Mozilla Firefox (/opt install)
### Mozilla Firefox (/opt install)
1. Download the latest version of Firefox from https://www.mozilla.org/en-US/firefox/new/
@ -62,7 +62,7 @@ Type=Application
To start the browser click on the new desktop icon.
## Tor Browser (/home install)
### Tor Browser (/home install)
The archive distributed by Tor project is structured as a self-contained system,
similar to portable-apps on Windows. Unpack the archive in your home directory.
@ -95,7 +95,7 @@ Replace username with your current user name on Icon line above.
`~/tor-browser_en-US` directory acts as your new home directory inside the sandbox.
To start the browser click on the new desktop icon.
## Kdenlive (appimage)
### Kdenlive (appimage)
The Kdenlive video editor is distributed by the developers in the AppImage format. Download the archive, move it to `/opt` and build a desktop file.
@ -121,7 +121,7 @@ Icon=/opt/kdenlive-icon.png
Drop an icon for the program in `/opt` or any other directory. The official Kdenlive icon is here: https://github.com/KDE/kdenlive/blob/master/data/icons/128-apps-kdenlive.png
## youtube-dl (command-line program)
### youtube-dl (command-line program)
[youtube-dl](https://github.com/ytdl-org/youtube-dl/) is a command-line program to download videos from YouTube.com and few other sites. Google changes YouTube quite often, breaking youtube-dl application. A few days later, the youtube-dl developers release a new version. You are interested in downloading "youtube-dl" file from the [release](https://github.com/ytdl-org/youtube-dl/releases) page:

12
Using-firejail-from-git.md

@ -6,7 +6,7 @@ You want to have the latest profiles and features, and/or you want to contribute
+ [Debian/Ubuntu](#debianubuntu)
+ [Fedora](#Fedora)
# Makefile
## Makefile
The easiest way to install firejail from git is to clone the repo and use the 'traditional' configure+make steps to build and install it:
@ -52,12 +52,12 @@ sudo rm /usr/local/bin/VirtualBox
If you ever want to uninstall firejail, run `sudo make uninstall` in your local copy of the repository.
## Pros
### Pros
- Simple
- Works on any distro
## Cons
### Cons
- It is generally disadvised to bypass your package manager when installing software
- WARNING: make install `overwrites firejail.config`
@ -65,11 +65,11 @@ If you ever want to uninstall firejail, run `sudo make uninstall` in your local
- Occasionally things might break
- Uninstalling can be complicated if you delete the repo or run `./configure` with other flags
# Arch Linux
## Arch Linux
The [AUR firejail-git](https://aur.archlinux.org/packages/firejail-git/) package enables [AppArmor](https://wiki.archlinux.org/index.php/AppArmor) by default.
# Debian/Ubuntu
## Debian/Ubuntu
- Prepare your build environment
@ -109,7 +109,7 @@ cd firejail
Copy [update_deb.sh](https://github.com/netblue30/firejail/blob/master/contrib/update_deb.sh) script from contrib to a local directory and make it executable. The script enables AppArmor support by default and installs the firejail deb file via dpkg. If you need/want other configuration options, edit the script accordingly. You can use this script for updating your firejail from git installation.
# Fedora
## Fedora
maintained by **@rusty-snake**

64
X11-Guide.md

@ -1,38 +1,57 @@
This is a basic version that needs some polishing and fixing of the clipboard/resize issue.
**Why should I use this?**
## Why should I use this?
X11 was not [designed with security in mind](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)#Differences_between_Wayland_and_X), has a [huge code base](https://wayland.freedesktop.org/faq.html#heading_toc_j_6) and thus should be considered as to be avoided for security.
X11 was not [designed with security in mind](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)#Differences_between_Wayland_and_X), has a [huge code base](https://wayland.freedesktop.org/faq.html#heading_toc_j_6) and thus should be considered as to be avoided for security.
**Abstract unix sockets**
## Abstract unix sockets
```console
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
```
This is a very commonly seen warning.
Abstract unix sockets (see `man unix`) have a path name starting with the NUL character, effectively zeroing their path length. As such they are not represented in the file system. Note that these are not the regular unix sockets found in /tmp/.X11-unix/*.
Abstract unix sockets (see `man unix`) have a path name starting with the NUL character, effectively zeroing their path length. As such they are not represented in the file system. Note that these are not the regular unix sockets found in /tmp/.X11-unix/*.
On normal usage of `firejail` `netstat a | grep X11` shows abstract sockets `@/tmp/.X11-unix/X0` that hackers can use to attach
keylogger and screenshot programs to.
Mitigations
- pass `-nolisten local` to Xorg
keylogger and screenshot programs to.
Mitigations:
- Pass `-nolisten local` to Xorg
Trivial to add to ~/.xserverrc, cfr. https://wiki.archlinux.org/title/Xinit#xserverrc. The problem is usually with login managers (GDM) not supporting this option directly and also making it hard to pass additional arguments to the X server. Lightdm can be easily configured to disable both TCP connections + abstract X11 socket via its xserver-command configuration option.
- using a *firejailed x11 server* or *Wayland*
**Limitations**
*general*
Exchanging clipboard content with X server is cumbersome and may give false sense of security.
*xephyr*
There are no known performance issues apart from the issue that mouse cursor occasionally stutters. Use ctrl+shift to move mouse outside of sandbox. Applications need `openbox` with configuration and scripting for proper alignment and resizing.
*xpra*
Many dependencies, 2 python environments running and on idle 3-4% CPU usage.
*xvfb*
TODO testing
- Use a *firejailed x11 server* or *Wayland*
**Usage**
`firejail --x11=[xpra|xephyr|xvfb] --net=NETWORKADAPTER PROGRAM`
## Sanboxing servers
Supported ways to firejail X11 servers and their limitations.
### General
Exchanging clipboard content with X server is cumbersome and may give false sense of security.
### xephyr
There are no known performance issues apart from the issue that mouse cursor occasionally stutters. Use ctrl+shift to move mouse outside of sandbox. Applications need `openbox` with configuration and scripting for proper alignment and resizing.
### xpra
Many dependencies, 2 python environments running and on idle 3-4% CPU usage.
### xvfb
TODO testing
## Usage
```sh
firejail --x11=[xpra|xephyr|xvfb] --net=NETWORKADAPTER PROGRAM
```
## Installation
**Installation**
`$PREFIX` is typically `/` or `/usr/local/`.
1. Install xephyr,openbox, (optionally tcl,tk,xclip) **XOR** xpra. When you installed xpra you only need to set the network adapter as explained in step 4.
@ -100,9 +119,10 @@ done
Read the man pages for further configuration.
**Advanced configuration**
## Advanced configuration
1. Attaching to existing x11 server
1. Attaching to existing x11 server
Attach any additional program by the display number given in `firemon --x11` ie
```sh