
Firejail now supports X11 sandboxing - rahiel
https://firejail.wordpress.com/documentation-2/x11-guide/
======
Jasper_
Reminder that this breaks basic features like copy/paste, drag-and-drop, and a
lot of applications that spawn helper applications and expect them to be on
the same display.

There is a reason that the general Linux desktop camp is _not_ adopting
solutions like this and instead preferring Wayland, and that's that these
systems can never be production ready and support the feature set that
traditional X11 can support.

Also, I tested my keylogger [0] on this setup, and it still got through. Oops.
They're proxying through XRecord and XTest it seems.

[https://github.com/magcius/keylog](https://github.com/magcius/keylog)

~~~
the8472
That's probably worth an issue?

------
cm3
This is sorely needed as part of mainstream desktops due to the extended power
of APIs available to web pages, like file access for instance.

~~~
MajesticHobo
Aren't those already sandboxed browser-local filesystems?

~~~
keeperofdakeys
The browser can still access your disk though, so any vulnerability in your
browser means arbitrary access. An example from last year
[https://blog.mozilla.org/security/2015/08/06/firefox-exploit...](https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/).
That's the reason that I decided to use firejail myself.

~~~
MajesticHobo
Okay. So it's a protection against browser exploits, not overreaching web
APIs.

~~~
koolba
Good security has layers. That way if one falls through, hopefully the next
layer will catch it.

------
edwintorok
Could similar results be achieved with (x)wayland by spawning a separate X
server for each application? IIUC xwayland spawns an X server on demand, but
just one (so X applications can spy on each other while wayland apps cannot,
and X cannot spy on wayland apps).

