Yes. It’s going to be a looong time before the wayland problems are ironed out and the protocol gains the needed extension and then have the necessary libs baked in to XFCE:
When Wayland comes along I don’t believe GUI isolation needs to be explicitly handled by firejail since it is all done properly by the compositor?
2 Likes
Why use --seccomp
? Why not use the default firejail profile?
The default firejail profile would be used in combination with the --seccomp
flag. But the default profile already uses seccomp so that flag would be redundant.
1 Like
Anyone managed to make firejail gui isolation work?
firejail --x11
1 Like
I have. It’s pretty simple but it might be a bit annoying to use as the external X server has to be set at a specific resolution which may be better or worse depending on the users monitor.
2 Likes
Which helper package (required as far as I understand) would be better/recommended/easier/safer/whatnot?
Which did you use?
1 Like
I prefer to use Xephyr. Xpra seems a bit more complicated.
1 Like
What about…?
--x11=xorg
Seems to have zero usability impact?
1 Like
--x11=xephyr --xephyr-screen=1366x768
is also interesting since then we could get a better web fingerprint by using the most popular screen resolution on desktop computers? But xephyr looks weird in Qubes. All window contents on the left and then a lot black area on the right side. Looks incompatible. And xephyr breaks copy/paste of text from and to the browser window?
--x11=xpra
crashed for me in a Qubes VM.
So for Qubes --x11=xorg
seems like the way to go for now.
2 Likes
--x11=xorg
uses the X security extension which is poorly documented.
https://www.x.org/wiki/Development/Documentation/Security/
It will also allow applications which both use the security extension to interact with eachother as if there was no sandbox at all.
I found some discussion here What is up with the X11 SECURITY extension? : linux
1 Like
That’s to be expected since X handles the clipboard.
1 Like
I’ve been messing around with xpra and bubblewrap and xpra seems to be a better choice than xephyr. It allows for near seamless X11 sandboxing.
Although xpra has really large attack surface. It has webcam forwarding, mic forwarding, mDNS, its own web server, printing support, it can be accessed over SSH, TCP, UDP and a whole bunch of other things.
Luckily, many of these things can be disabled through flags. e.g. the --mdns=no
flag can be used to disable mDNS. There doesn’t seem to be a flag to explicitly disallow any connections over the network so I used an AppArmor profile to explicitly deny network access.
Dunno how firejail deals with these.
2 Likes
It doesn’t look like firejail disables any of these which is a bit worrying firejail/src/firejail/x11.c at master · netblue30/firejail · GitHub
2 Likes