X11 Guide
This is a basic version that needs some polishing and fixing of the clipboard/resize issue.
Why should I use this?
X11 was not designed with security in mind and has a huge code base; for security-sensitive use it should be avoided, or at least isolated as described below.
Abstract unix sockets
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
This is a very commonly seen warning.
Abstract unix sockets (see `man unix`) have a path name starting with the NUL character, effectively zeroing their path length. As such they are not represented in the file system. Note that these are not the regular unix sockets found in /tmp/.X11-unix/*.
On normal usage of firejail, `netstat -a | grep X11` shows abstract sockets such as `@/tmp/.X11-unix/X0`, which attackers can use to attach keylogger and screenshot programs to.
Mitigations
- pass `-nolisten local` to Xorg. Trivial to add to ~/.xserverrc, cf. https://wiki.archlinux.org/title/Xinit#xserverrc. The problem is usually with login managers (GDM) not supporting this option directly and also making it hard to pass additional arguments to the X server. Lightdm can be easily configured to disable both TCP connections and the abstract X11 socket via its xserver-command configuration option.
- use a firejailed X11 server or Wayland
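The two checks a defender wants after reading the section above: does the running system still expose an abstract X11 socket, and does the X server command line carry `-nolisten local`? The following POSIX sh snippet is an added example, not part of this wiki or of the firejail project. It parses the `/proc/net/unix` format (abstract sockets appear there with a leading `@`) and inspects a command line string; the `/proc/net/unix` lines embedded in it are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the firejail project): find abstract X11 sockets
# and check whether an X server command line carries "-nolisten local".

# Print the abstract (leading "@") X11 socket names found in input that has
# the /proc/net/unix format. Reads the file(s) given as arguments, or stdin.
# The first line of /proc/net/unix is a header and is skipped.
list_abstract_x11() {
    awk 'NR > 1 && $NF ~ /^@\/tmp\/\.X11-unix\// { print $NF }' "$@"
}

# Return 0 when the given X server command line contains "-nolisten local",
# 1 otherwise. Pass the content of /proc/<pid>/cmdline with NULs replaced by
# spaces, or the "args" column of ps for the X server process.
xserver_has_nolisten_local() {
    case " $1 " in
        *" -nolisten local "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of /proc/net/unix: one abstract X11 socket, one
# filesystem X11 socket and one abstract D-Bus socket. Only the first
# should be reported by list_abstract_x11.
SAMPLE_UNIX='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 12347 @/tmp/dbus-abc123'

# Run the parser over the constructed sample; returns the abstract X11 names.
check_sample() {
    printf '%s\n' "$SAMPLE_UNIX" | list_abstract_x11
}

# On a live system:
#   list_abstract_x11 /proc/net/unix
#   xserver_has_nolisten_local "$(tr '\0' ' ' < /proc/"$(pgrep -x Xorg | head -n 1)"/cmdline)"
# An empty list from the first call and a zero exit from the second mean the
# mitigation from this section is in effect.
```

The parser keys on the path column only, so a D-Bus abstract socket (the other common source of firejail's warning) is deliberately not reported here; widen the regex to `^@` if you want every abstract socket listed.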
Limitations
general
Exchanging clipboard content with the X server is cumbersome and may give a false sense of security.
xephyr
There are no known performance issues apart from the mouse cursor occasionally stuttering. Use ctrl+shift to move the mouse outside of the sandbox. Applications need openbox with configuration and scripting for proper alignment and resizing.
xpra
Many dependencies, 2 python environments running and on idle 3-4% CPU usage.
xvfb
TODO testing
Usage
firejail --x11=[xpra|xephyr|xvfb] --net=NETWORKADAPTER PROGRAM
Installation
`$PREFIX` is typically / or /usr/local/.
- Install either xephyr and openbox (optionally tcl, tk, xclip) or xpra. If you installed xpra you only need to set the network adapter as explained in step 4.
- Create an openbox configuration file, i.e. in `$HOME/.config/openbox/rc.xml`, with this content (the `<application>` rule has to sit inside the `<applications>` section of a complete rc.xml):
```xml
<openbox_config xmlns="http://openbox.org/3.4/rc">
  <applications>
    <application class="*">
      <decor>no</decor>
      <maximized>yes</maximized>
    </application>
  </applications>
</openbox_config>
```
- Adjust `$PREFIX/etc/firejail/firejail.config` (the firejail configuration) according to the output of `setxkbmap -query` in your main session, i.e.
```
xephyr-screen 950x1024
xephyr-extra-params -resizeable -keybd ephyr,xkbmodel=evdev,xkblayout=de
```
- Create aliases for shell portability (functions are not portable). Create `.config/shells/aliases` with the following entries, NET being one of your network adapters (output of `ip addr show` or `ls /sys/class/net`); falkla means falkon and lan:
```sh
alias falkla='mkdir -p $HOME/tmpFalk ; firejail --x11=xephyr --net=NET --whitelist=$HOME/tmpFalk --whitelist=$HOME/.config/openbox/rc.xml --profile=$PREFIX/etc/firejail/falkon.profile openbox --config-profile=$HOME/.config/openbox/rc.xml --startup "falkon" ; rm -fr $HOME/tmpFalk'
alias firela='mkdir -p $HOME/tmpsecFire ; firejail --x11=xephyr --net=NET --private=$HOME/tmpsecFire --whitelist=$HOME/.config/openbox/rc.xml --profile=$PREFIX/etc/firejail/firefox.profile openbox --config-profile=$HOME/.config/openbox/rc.xml --startup "firefox --no-remote"; rm -fr $HOME/tmpsecFire'
```
- Source your aliases, i.e. in `.bashrc`:
```sh
. $HOME/.config/shells/aliases
```
- Insert this resizing script into your autostart folder (usually called something like `$HOME/.config/autostart`) or use a complete copy-paste approach:
```bash
#!/bin/bash
# credits sakaki, GPLv3
# Once per second, find the Xephyr instances owned by this user and ask
# xrandr to re-read each display's geometry, so the sandboxed window
# follows a resize of the Xephyr window.
declare -a XEPHYRS
rescale_displays() {
    local display
    # Collect the display numbers (the trailing digits of each Xephyr
    # command line, e.g. ":150") of our own Xephyr processes.
    XEPHYRS=($(pgrep -u "$(id -u)" -a Xephyr | grep -Eo "[[:digit:]]+$"))
    for display in "${XEPHYRS[@]}"; do
        xrandr --display ":$display" &> /dev/null
    done
}
# The loop never ends, so run it at the lowest priority.
renice -n 19 $$ &> /dev/null
while true; do
    rescale_displays
    sleep 1
done
```
Read the man pages for further configuration.
Advanced configuration
- Attaching to an existing X11 server: attach any additional program by the display number given in `firemon --x11`, i.e. `DISPLAY=:150 PROGRAM`
- TODO: xclipsync appears not to work, or write a CLI for clipboard handling?
- TODO: Better handling of resizing