netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

X11 security #3627

Open alxchk opened 3 years ago

alxchk commented 3 years ago

Firejail (latest master) with the --x11=xorg option failed to start.

> firejail --version
firejail version 0.9.63

Compile time support:
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - firetunnel support is disabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled
> /usr/bin/firejail --x11=xorg /bin/bash
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 568591, child pid 568592
Generating a new .Xauthority file
No protocol specified
/run/firejail/mnt/xauth: (argv):1:  unable to open display ":0".
Error: failed to run /run/firejail/mnt/xauth
Error: proc 568591 cannot sync with peer: unexpected EOF
Peer 568592 unexpectedly exited with status 1

rusty-snake commented 3 years ago

Distro?

Looks like #1741. Can you confirm?

EDIT: see also #1065.

alxchk commented 3 years ago

> Distro?

Gentoo

> Looks like #1741. Can you confirm?

Looks similar. Disabling X authorization using xhost "fixes" this.

rusty-snake commented 3 years ago

> Distro?
>
> Gentoo

There is also #1197.

alxchk commented 3 years ago

I do have the security extension enabled. This is likely more about the strange Xauthority passing to the jail.
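The failure in the report happens at the moment the sandbox's freshly generated .Xauthority is used to reach the display: if that file carries no entry matching the display, the client presents no credentials and the server answers "No protocol specified" (the xhost workaround removes the server-side check rather than fixing the cookie). To see what such a file actually contains, here is an added example that is not firejail's code: it parses the .Xauthority binary format and reports which entries a client would present for a local display; the sample file, the host name "box" and the cookie bytes are constructed, and the matching rule is a simplified version of libXau's.

```python
"""Parse an .Xauthority file and list the entries usable for a given display.
Added example, not firejail's own code; the sample file below is constructed."""
import struct

# Address families as used in .Xauthority entries.
FAMILY_INTERNET, FAMILY_LOCAL, FAMILY_WILD = 0, 256, 65535


def _field(buf, pos):
    """Read one big-endian u16 length-prefixed field starting at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_xauthority(blob):
    """Return entries as (family, address, display_number, auth_name, auth_data)."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        address, pos = _field(blob, pos)
        number, pos = _field(blob, pos)
        name, pos = _field(blob, pos)
        data, pos = _field(blob, pos)
        entries.append((family, address, number.decode(), name.decode(), data))
    return entries


def build_entry(family, address, number, name, data):
    """Serialise one entry in the same layout (used here to construct the sample)."""
    out = struct.pack(">H", family)
    for f in (address, number.encode(), name.encode(), data):
        out += struct.pack(">H", len(f)) + f
    return out


def cookies_for_display(entries, display_number, hostname):
    """Simplified libXau rule: for local display :N a client presents a FamilyLocal
    entry whose address is this host's name, or a FamilyWild entry, for number N."""
    return [e for e in entries
            if e[2] == str(display_number)
            and (e[0] == FAMILY_WILD
                 or (e[0] == FAMILY_LOCAL and e[1] == hostname.encode()))]


# Constructed sample: a cookie for :0 on host "box" plus an unrelated one for :1.
SAMPLE = (build_entry(FAMILY_LOCAL, b"box", "0", "MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + build_entry(FAMILY_LOCAL, b"other", "1", "MIT-MAGIC-COOKIE-1", b"\xaa" * 16))

if __name__ == "__main__":
    ents = parse_xauthority(SAMPLE)
    # An empty list for the sandbox's display is what precedes "No protocol specified".
    print(len(ents), "entries; usable for :0 on box:", cookies_for_display(ents, 0, "box"))
```

Run it against a real file with `parse_xauthority(open(path, "rb").read())` and the host name from `socket.gethostname()`; an empty result for the sandbox's display means the cookie, not the display, is what is missing.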

rusty-snake commented 3 years ago

Any progress here?

alxchk commented 3 years ago

I didn't do any further research on the matter after that. Same behavior with current master, and I don't see an easy way to troubleshoot this.