神刀安全网

Firejail now supports X11 sandboxing

Note: X11 support will be available in the upcoming Firejail 0.9.40 release. The first release candidate is available in our download section or on GitHub. The feature is still under testing and will probably be released in the next few weeks.


Firejail X11 sandboxing support is built around an external X11 server software package. Both Xpra and Xephyr are supported ( apt-get install xpra xserver-xephyr on Debian). To allow people to use the sandbox on headless systems, compiling and installing Firejail does not depend on the Xpra or Xephyr packages.

The sandbox replaces the regular X11 server with an Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities running inside the sandbox from accessing the main X11 server.

Mozilla Firefox running in an X11 sandbox. The regular X11 server (X0 Unix socket) is not visible; it has been replaced by another X11 server (X723 Unix socket).

The commands are as follows:

$ firejail --x11=xpra --net=eth0 program-and-arguments
$ firejail --x11=xephyr --net=eth0 program-and-arguments

A shorter form is also available:

$ firejail --x11 --net=eth0 program-and-arguments

In this case, Firejail will try Xpra first and, if Xpra is not installed on the system, fall back to Xephyr. For various reasons, X11 sandboxing features are not supported if the sandbox is started as the root user.

The main X11 server running on a Linux computer has two sockets active: a regular Unix domain socket, /tmp/.X11-unix/X0, and an abstract Unix socket, @/tmp/.X11-unix/X0.

Regular X11 server sockets

/tmp/.X11-unix/X0 is hidden by mounting a temporary filesystem over the /tmp/.X11-unix directory. The only way to disable the abstract socket @/tmp/.X11-unix/X0 is to use a network namespace (the --net option). If for any reason you cannot use a network namespace, the abstract socket will still be visible inside the sandbox, and an attacker can attach keylogger and screenshot programs to it.

Configuring Xpra

Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. The default configuration of the package works fine in most cases; its text configuration files are located in the /etc/xpra directory.

A running Xpra session adds a small icon to the system tray. It can be used to enable or disable the clipboard and a number of other parameters at run time, and it shows statistics for the current session. Each active sandbox can be configured independently in its own such window.

Configuring Xephyr

Xephyr runs in its own window just like any other X application, but it is an X server itself. Firejail sandboxed applications are started in this window. The default Xephyr window size is 800×600. This can be modified in the /etc/firejail/firejail.config file; see man 5 firejail-config for more details.

The recommended way to use this feature is to run a window manager inside the sandbox. This is the only way to resize or minimize the windows running on the Xephyr server. Many lightweight window managers are available for Linux; Firejail provides a security profile for Openbox ( apt-get install openbox ) as a reference in /etc/firejail/openbox.profile .

$ firejail --x11=xephyr --net=eth0 openbox

Openbox running in a Firejail sandbox – right-click to access the application menu.

Applications can be started from the window manager: right-click on an empty area of the window to open the application menu in Openbox. All apps started this way share the same sandbox as the window manager.

How to test

Start a sandboxed terminal ( firejail --x11 --net=eth0 xterm ) and run the netstat command. The /tmp/.X11-unix/X0 sockets should not be visible:

X11 server sockets visible in a Firejail sandbox.
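To make the socket checks concrete (the tmpfs that hides /tmp/.X11-unix/X0, the abstract socket that only a network namespace removes, and the netstat test in this section), here is an added shell example written for this page; it is not code from the Firejail project or the original article. It parses /proc/net/unix, the table netstat reads, and reports which X11 server sockets are reachable. The function names and the two sample tables are constructed for the example; the live check at the end is meant to be run from inside a sandboxed xterm.

```shell
#!/bin/sh
# Added example, not code from the Firejail project or this article: list the
# X11 server sockets visible from where the script runs by parsing
# /proc/net/unix, the same table netstat shows.  A filesystem socket such as
# /tmp/.X11-unix/X0 disappears when Firejail mounts a tmpfs over
# /tmp/.X11-unix; the abstract socket @/tmp/.X11-unix/X0 belongs to the
# network namespace and only disappears when the sandbox gets its own (--net).
# Function names and the sample tables below are this example's own.

# Print "<kind> <path>" for every X11 server socket in a /proc/net/unix-style
# file (columns: Num RefCount Protocol Flags Type St Inode Path).
# Default input is the live /proc/net/unix.
x11_sockets() {
    awk 'NR > 1 && $NF ~ /\/tmp\/\.X11-unix\/X[0-9]+$/ {
        kind = ($NF ~ /^@/) ? "abstract" : "filesystem"
        print kind, $NF
    }' "${1:-/proc/net/unix}" | sort -u
}

# Succeed only if no socket of the main display :0 is reachable, i.e.
# neither /tmp/.X11-unix/X0 nor @/tmp/.X11-unix/X0 is listed.
main_display_hidden() {
    ! x11_sockets "${1:-/proc/net/unix}" | grep -q '/tmp/\.X11-unix/X0$'
}

# Write a constructed table to a temporary file and print its path.
sample_file() {
    f=$(mktemp) && printf '%s\n' "$1" > "$f" && echo "$f"
}

# Constructed sample: sandbox started with --x11 but WITHOUT --net.  The tmpfs
# hid /tmp/.X11-unix/X0, yet the abstract @X0 of the main server is still
# there next to the sandbox's own display :723.
SAMPLE_NO_NETNS='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12346 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 22222 /tmp/.X11-unix/X723
0000000000000000: 00000002 00000000 00010000 0001 01 22223 @/tmp/.X11-unix/X723
0000000000000000: 00000003 00000000 00000000 0001 03 12347'

# Constructed sample: same sandbox started with --x11 --net=eth0.  Only the
# Xpra/Xephyr display :723 remains.
SAMPLE_NETNS='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 22222 /tmp/.X11-unix/X723
0000000000000000: 00000002 00000000 00010000 0001 01 22223 @/tmp/.X11-unix/X723
0000000000000000: 00000003 00000000 00000000 0001 03 12347'

for s in "$SAMPLE_NO_NETNS" "$SAMPLE_NETNS"; do
    f=$(sample_file "$s")
    x11_sockets "$f"
    if main_display_hidden "$f"; then
        echo "OK: main display :0 is not reachable"
    else
        echo "WARNING: main display :0 is still reachable (use --net)"
    fi
    rm -f "$f"
done

# Live check: run this from inside a sandboxed xterm.
if [ -r /proc/net/unix ]; then
    echo "--- this namespace ---"
    x11_sockets
fi
```

The first sample is the case the text warns about: the filesystem socket is gone, but the abstract socket of the main server is still listed, so a keylogger inside the sandbox could still connect. Only the second sample, with a private network namespace, passes the check.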

To test the keyboard, I start an xterm sandbox ( firejail --x11 --net=eth0 --noprofile xterm ) and use xinput ( sudo apt-get install xinput ).

Testing keyboard events in a Firejail sandbox

Testing screenshots is even easier: firejail --x11 --net=none gimp .

Attaching new sandboxes to an existing X11 server

Drag and drop between windows running on different X11 servers is not possible. The way to get around this limitation is to run multiple sandboxed applications on the same server.

The firemon command was enhanced to print X11 display information:

$ firemon --x11
2142:netblue:firejail --x11 --net=eth0 firefox
   DISPLAY :470

We have Firefox already running in a sandbox, on X11 display server :470. We start a new sandbox and place it on the same server:

$ DISPLAY=:470 firejail --net=eth0 transmission-gtk

Please note that the --x11 option is not necessary when the second sandbox is started; the DISPLAY environment variable does all the magic.

The --net command line option is still required for both sandboxes in order to disable access to the main X11 server. Each sandbox has a different IP address and a different container filesystem, but they share the X11 socket in the /tmp/.X11-unix directory. The user's Downloads directory is also shared between the sandboxes. Drag and drop between the two sandboxes is possible. Keep in mind that applications sharing one X11 server are not isolated from each other at the X11 level: the sandboxing described above keeps them away from the main server, not from each other's windows and keyboard events on the shared one, so only attach applications that you trust with each other.
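The procedure above (read the display of a running sandbox from firemon --x11, export DISPLAY, start the second sandbox with --net) as an added shell example; it is not code from the Firejail project or the original article. It assumes the firemon --x11 output layout shown above and defaults to eth0 like the article's commands; the function names display_for and attach_sandbox and the sample firemon output are the example's own.

```shell
#!/bin/sh
# Added example, not code from the Firejail project or this article: find the
# display of an already running X11 sandbox in `firemon --x11` output and
# start a second sandbox on that same server, automating the DISPLAY=:N
# step described above.  The output layout assumed is the one shown in the
# article:
#   <pid>:<user>:<command line>
#      DISPLAY :<n>
# display_for, attach_sandbox, the eth0 default and the sample below are this
# example's own.

# Print the DISPLAY value (for example ":470") of the first sandbox whose
# command line contains $1.  Reads firemon --x11 output from file $2 when
# given, otherwise runs firemon --x11.  Prints nothing when there is no match
# or the matching sandbox has no X11 display line.
display_for() {
    { if [ -n "${2:-}" ]; then cat "$2"; else firemon --x11; fi; } |
    awk -v prog="$1" '
        /^[0-9]+:/ { hit = (index($0, prog) > 0); next }        # sandbox line
        hit && $1 == "DISPLAY" && $2 ~ /^:[0-9]+$/ { print $2; exit }
    '
}

# Start "$2 ..." in a new sandbox on the display of the running sandbox whose
# command line contains $1.  --net is always passed: without its own network
# namespace the new sandbox could still reach the abstract socket of the
# main X11 server.  The interface name is an assumption; override with IFACE.
attach_sandbox() {
    prog=$1
    shift
    disp=$(display_for "$prog") || return 1
    if [ -z "$disp" ]; then
        echo "no running X11 sandbox matches '$prog'" >&2
        return 1
    fi
    echo "attaching to display $disp" >&2
    DISPLAY=$disp firejail --net="${IFACE:-eth0}" "$@"
}

# Constructed firemon --x11 output: two X11 sandboxes and one sandbox (wget)
# that has no display of its own.
SAMPLE_FIREMON='2142:netblue:firejail --x11 --net=eth0 firefox
   DISPLAY :470
2287:netblue:firejail --x11=xephyr --net=eth0 openbox
   DISPLAY :471
2301:netblue:firejail --net=none wget'

f=$(mktemp) && printf '%s\n' "$SAMPLE_FIREMON" > "$f"
for p in firefox openbox wget; do
    echo "$p -> '$(display_for "$p" "$f")'"
done
rm -f "$f"

# Real use, with Firefox already running in an X11 sandbox:
#   attach_sandbox firefox transmission-gtk
```

attach_sandbox refuses to start anything when no matching sandbox with a display is found, rather than silently falling back to the user's real DISPLAY, which would put the new program on the main X11 server.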
