Add option to block X11

[manevich]

Add --x11=block command line option, x11 block, x11 xephyr, x11 xpra profile options.

X11 blacklisting implemented simplest way:

• Blacklist /tmp/.X11-unix and .Xauthority
• It's up to user to decide how to deal with abstract sockets, just stop with explanatory error message if abstract socket will be accessible in jail.

[xahare]

some distros also use abstract sockets for x11. tried this on ubuntu 16.04 running unity

firejail --blacklist=/tmp/.X11-unix --blacklist=${HOME}/.Xauthority xlogo
(xlogo displays on screen)

[manevich]

@xahare

some distros also use abstract sockets for x11. tried this on ubuntu 16.04 running unity

AFAIK there no way firejail can block abstract sockets without breaking other things.
So it's up to user to decide how to do this.
My implementation stops with error message if it detects that X11 abstract sockets will be accessible in jail.

$ firejail --x11=block
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

ERROR: --x11=block specified, but abstract X11 socket still accessible.
Additional setup required. To block abstract X11 socket you need either:
 * use network namespace (--net=none, --net=...)
 * add "-nolisten local" to xserver options (eg. /etc/X11/xinit/xserverrc)

Suggestions appreciated.

[netblue30]

All merged, thanks.

[xahare]

for most linux desktops this is handled by the display manager. for example in lightdm on ubuntu its /usr/share/lightdm/lightdm.conf.d/50-xserver-command.conf

[manevich]

@xahare Thanks, will update the message to mention display managers.