matu3ba edited this page Sep 2, 2020 · 8 revisions

This is a basic version that needs some polishing and fixing of the clipboard/resize issue.

Why should I use this?
During normal firejail usage, netstat -a | grep X11 (or ss -xl | grep X11) run inside the sandbox still shows the X server's abstract socket @/tmp/.X11-unix/X0. X11 does not isolate clients from each other, so any sandboxed program that can reach this socket can attach a keylogger or a screenshot program to your whole desktop.
Running the program against a firejailed X server (xpra, Xephyr or Xvfb) or under Wayland prevents this. The --net option is part of the protection: abstract unix sockets belong to the network namespace, so a sandbox with its own network namespace cannot see the host's @/tmp/.X11-unix/X0.
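A quick way to verify the claim above is to look at /proc/net/unix (which is what netstat reads) from the host and from inside the sandbox. The script below is an added example, not part of this wiki or of firejail; the script name, the adapter name eth0 and the sample listing it carries for self-testing are assumptions.

```shell
#!/bin/sh
# Added example, not part of the firejail wiki: report the X11 sockets visible
# in a /proc/net/unix listing. Run it on the host and then inside a sandbox
# started with --net; the abstract socket must only show up on the host:
#   sh x11check.sh                                     # host
#   firejail --net=eth0 --x11=xephyr sh x11check.sh    # sandbox (eth0 is an assumed adapter name)

# Print every X11 socket path in a /proc/net/unix formatted file, one per line.
# Abstract sockets carry a leading '@', filesystem sockets do not.
# $1 = file to read (default: the live /proc/net/unix)
x11_sockets() {
    f="${1:-/proc/net/unix}"
    [ -r "$f" ] || return 1
    # Path is the 8th column; the header line and unnamed sockets have no path.
    awk 'NR > 1 && NF >= 8 && $8 ~ /\/tmp\/\.X11-unix\// { print $8 }' "$f" |
        LC_ALL=C sort -u
}

# Succeed (exit 0) when an abstract X11 socket is visible, i.e. when a program
# in this network namespace could attach to the host X server.
x11_abstract_visible() {
    x11_sockets "$1" | grep -q '^@/tmp/\.X11-unix/'
}

# Constructed sample of what /proc/net/unix looks like on a host running :0,
# plus a D-Bus socket and an unnamed socket; only used for self-testing.
sample_proc_net_unix() {
    cat <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 12347 /run/user/1000/bus
0000000000000000: 00000003 00000000 00000000 0001 03 12348
EOF
}

main() {
    f="${1:-/proc/net/unix}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    if x11_abstract_visible "$f"; then
        echo "abstract X11 socket visible; a sandboxed program here could reach the host X server:"
        x11_sockets "$f"
        return 1
    fi
    echo "no abstract X11 socket visible in $f"
}

main "$@"
```

If the sandboxed run still lists @/tmp/.X11-unix/X0, the sandbox shares the host network namespace (no --net option, or --net=none was not what you wanted) and the X11 isolation is not in effect.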
Limitations
general: Exchanging clipboard content with the host X server is cumbersome, and any clipboard bridge is again a channel between sandbox and host, so it may give a false sense of security.
xephyr: Occasionally lags, so that you cannot move the mouse for a while. You need to press ctrl+shift to move the mouse outside of the sandbox window. Applications need openbox with a configuration for proper alignment (see Installation).
xpra: Many dependencies, two python environments running, and 3-4% CPU usage when idle.
xvfb: Not tested yet (TODO).

Usage: firejail --x11=[xpra|xephyr|xvfb] --net=NETWORKADAPTER PROGRAM

Installation
$PREFIX is the firejail installation prefix, typically / or /usr/local.

  1. Install xephyr and openbox (optionally tcl, tk and xclip), or alternatively xpra. If you installed xpra, only the network adapter from step 4 needs to be set; steps 2 and 3 are specific to Xephyr.

  2. Create an openbox configuration file, e.g. $HOME/.config/openbox/rc.xml. The application rule has to sit inside the applications section of a complete rc.xml; every window matches the class wildcard, loses its decorations and starts maximized:

<?xml version="1.0" encoding="UTF-8"?>
<openbox_config xmlns="http://openbox.org/3.4/rc">
  <applications>
    <application class="*">
      <decor>no</decor>
      <maximized>yes</maximized>
    </application>
  </applications>
</openbox_config>

  3. Adjust $PREFIX/etc/firejail/firejail.config (the firejail configuration) by setting

xephyr-screen 950x1024
# xephyr-extra-params -resizeable   # see Advanced configuration

  4. Create aliases for shell portability (shell functions are not portable). Create $HOME/.config/shells/aliases with the entries below, where NET is one of your network adapters (output of ls /sys/class/net) and $PREFIX is set in your shell; falkla stands for "falkon, lan" and firela for "firefox, lan". Note that openbox's option for the configuration file is --config-file:

alias falkla='mkdir -p $HOME/tmpFalk ; firejail --x11=xephyr --net=NET --whitelist=$HOME/tmpFalk --whitelist=$HOME/.config/openbox/rc.xml --profile=$PREFIX/etc/firejail/falkon.profile openbox --config-file=$HOME/.config/openbox/rc.xml --startup "falkon" ; rm -fr $HOME/tmpFalk'
alias firela='mkdir -p $HOME/tmpsecFire ; firejail --x11=xephyr --net=NET --private=$HOME/tmpsecFire --whitelist=$HOME/.config/openbox/rc.xml --profile=$PREFIX/etc/firejail/firefox.profile openbox --config-file=$HOME/.config/openbox/rc.xml --startup "firefox --no-remote" ; rm -fr $HOME/tmpsecFire'

  5. Source your aliases, e.g. in .bashrc:

. $HOME/.config/shells/aliases
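The aliases above hard-code the adapter name and leave the temporary home behind if firejail is killed before the trailing rm runs. The launcher below is an added example that is not part of this wiki or of firejail; it does the same job in plain POSIX sh, picks the adapter itself, builds the throwaway home with mktemp and removes it from an exit trap, and copies rc.xml into that home instead of whitelisting it (--private mounts the directory over $HOME, so the copy is found at the usual path). The script name, the PREFIX default and the "first adapter that is not lo" rule are assumptions; adapt the rule if you have docker0 or veth devices.

```shell
#!/bin/sh
# Added example, not part of the firejail wiki: launcher replacing the
# falkla/firela aliases. Usage (script name assumed):
#   sh fjx11.sh falkon falkon
#   sh fjx11.sh firefox firefox --no-remote
#   DRY_RUN=1 sh fjx11.sh firefox firefox --no-remote   # only print the command
set -eu

PREFIX="${PREFIX:-/}"                        # firejail install prefix, / or /usr/local
OPENBOX_RC="${HOME:?}/.config/openbox/rc.xml"

# First network adapter that is not the loopback device (assumed selection rule).
# $1 = directory to scan (default /sys/class/net; a parameter so it can be tested)
pick_net_adapter() {
    dir="${1:-/sys/class/net}"
    for dev in "$dir"/*; do
        dev="${dev##*/}"
        case "$dev" in lo|'*') continue ;; esac
        echo "$dev"
        return 0
    done
    echo "no network adapter found in $dir" >&2
    return 1
}

# Build the firejail command line and run it, or print it when DRY_RUN=1.
# $1 = profile name under $PREFIX/etc/firejail, $2 = adapter, $3 = private home,
# remaining arguments = program command line that openbox starts
firejail_x11() {
    profile="$1"; net="$2"; home="$3"; shift 3
    set -- firejail --x11=xephyr --net="$net" --private="$home" \
        --profile="${PREFIX%/}/etc/firejail/$profile.profile" \
        openbox --config-file="$OPENBOX_RC" --startup "$*"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"   # for inspection only; the quoting of --startup is lost
    else
        "$@"
    fi
}

main() {
    if [ "$#" -lt 2 ]; then
        echo "usage: $0 PROFILE PROGRAM [ARGS...]" >&2
        return 2
    fi
    [ -r "$OPENBOX_RC" ] || { echo "missing $OPENBOX_RC" >&2; return 1; }
    profile="$1"; shift
    net=$(pick_net_adapter)
    home=$(mktemp -d "${TMPDIR:-/tmp}/fjhome.XXXXXX")
    # Remove the throwaway home on normal exit and when killed; the aliases'
    # trailing rm never runs if firejail is interrupted.
    trap 'rm -rf "$home"' EXIT INT TERM
    # --private mounts $home over $HOME inside the sandbox, so the copied
    # rc.xml is found at the same $HOME/.config/openbox/rc.xml path.
    mkdir -p "$home/.config/openbox"
    cp "$OPENBOX_RC" "$home/.config/openbox/rc.xml"
    firejail_x11 "$profile" "$net" "$home" "$@"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it with DRY_RUN=1 first and compare the printed command with the alias you used before; it should differ only in the adapter name, the --private path and the absence of the rc.xml whitelist.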

Read the man pages for further configuration.

Advanced configuration
TODO:

  1. Attaching to an existing X11 server
  2. Fixing the clipboard
  3. Fixing resizing of openbox efficiently, or using a minimal window manager that handles this (scripting it is bad practice)
  4. Linking the Gentoo wiki and extracting some tips?