X11 Guide

This is a basic version that needs some polishing and fixing of the clipboard/resize issue.

Why should I use this?
X11 was not designed with security in mind, has a huge code base and thus should be considered as to be avoided for security.

On normal usage of firejail netstat a | grep X11 shows abstract sockets @/tmp/.X11-unix/X0 that hackers can use to attach keylogger and screenshot programs to. Using a firejailed x11 server or Wayland prevents this.
Limitations
general Exchanging clipboard content with X server is cumbersome and may give false sense of security.
xephyr occasionally has lags, where you cant move your mouse for a while. Use ctrl+shift to move mouse outside of sandbox. Applications need openbox with configuration and scripting for proper alignment and resizing.
xpra Many dependencies, 2 python environments running and on idle 3-4% CPU usage.
xvfb TODO testing

Usage firejail --x11=[xpra|xephyr|xvfb] --net=NETWORKADAPTER PROGRAM

Installation
$PREFIX is typically / or /usr/local/.

1. Install xephyr,openbox, (optionally tcl,tk,xclip) XOR xpra. When you installed xpra you only need to set the network adapter as explained in step 4.

2. Create an openbox configuration file, ie in $HOME/.config/openbox/rc.xml with content

<application class="*">
  <decor>no</decor>
  <maximized>yes</maximized>
</application>

3. Adjust $PREFIX/etc/firejail/firejail.config (firejail configuration) by the according output of setxkbmap -query on your main session ie

xephyr-screen 950x1024
xephyr-extra-paramts -resizeable -keybd ephyr,xkbmodel=evdev,xkblayout=de

4. Create aliases for shell portability (functions are not portable) Create .config/shells/aliases with entries NET being one of your network adapter (output of ip addr show or ls /sys/class/net, falkla means falkon and lan):

alias falkla='mkdir -p $HOME/tmpFalk ; firejail --x11=xephyr --net=NET --whitelist=$HOME/tmpFalk --whitelist=$HOME/.config/openbox/rc.xml --profile=$PREFIX/etc/firejail/falkon.profile openbox --config-profile=$HOME/.config/openbox/rc.xml --startup "falkon" ; rm -fr $HOME/tmpFalk'
alias firela='mkdir -p $HOME/tmpsecFire ; firejail --x11=xephyr --net=NET --private=$HOME/tmpsecFire --whitelist=$HOME/.config/openbox/rc.xml --profile=$PREFIX/etc/firejail/firefox.profile openbox --config-profile=$HOME/.config/openbox/rc.xml --startup "firefox --no-remote"; rm -fr $HOME/tmpsecFire'

5. Source your aliases ie in .bashrc:

. $HOME/.config/shells/aliases

6. Insert this resizing script into your autostart folder (usually called like $HOME/.config/autostart) or use a complete copy-paste approach:

#!/bin/bash
# credits sakaki, GPLv3
declare -a XEPHYRS
rescale_displays() {
  declare -a xephyrs
  local display
  xephyrs=($(pgrep -u $(id -u) -a Xephyr | egrep -o "[[:digit:]]+$"))
  for display in ${XEPHYRS[@]}; do
    xrandr --display ":$display" &> /dev/null
  done
}
renice -n 19 $$ &> /dev/null
while true; do
  rescale_displays
  sleep 1
done

Read the man pages for further configuration.

Advanced configuration

1. Attaching to existing x11 server
   Attach any additional program by the display number given in firemon --x11 ie

DISPLAY=:150 PROGRAM

TODO: 2. xclipsync appears not to work or write cli for clipboard handling? 3. Better handling of resizing