netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

--X11=xephyr broken on Mint 21.1 or other Ubuntu 22.04 based OS #5560

Open bluesky-ca opened 1 year ago

bluesky-ca commented 1 year ago

Description

Running `firejail --x11=xephyr xeyes` does not work on Mint 21.1 - the issue is with Xephyr and how it reads the mouse and kbd.

Steps to Reproduce

Using --x11=xephyr will generate input errors for /dev/input/...

See the discussion in link - not sure if the startup of Xephyr can be changed by firejail as to use a different input method - looking at the Xephyr man page the only option that I can see is -no-host-grab - not sure if that would work or if it offers a secure solution.

Is there another way to have good X11 app isolation?

Expected behavior

Kbd and mouse input working correctly.

Actual behavior

The mouse and kbd do not work.

Behavior without a profile

--noprofile does not change the issue.

Environment

Checklist

Log

Output of `LC_ALL=C firejail /path/to/program`

```
unrecognised device identifier: /dev/input/event1
unrecognised device identifier: /dev/input/event2
unrecognised device identifier: /dev/input/event0
unrecognised device identifier: /dev/input/event8
unrecognised device identifier: /dev/input/event9
unrecognised device identifier: /dev/input/event6
unrecognised device identifier: /dev/input/event7
Kbd option key (_source) of value (server/udev) not assigned!
Kbd option key (major) of value (13) not assigned!
Kbd option key (minor) of value (67) not assigned!
Kbd option key (config_info) of value (udev:/sys/devices/pci0000:00/0000:00:08.1/0000:04:00.4/usb3/3-4/3-4:1.0/0003:099A:7202.0001/input/input4/event3) not assigned!
couldn't find driver for keyboard device "Wireless Keyboard/Mouse" (/dev/input/event3)
Pointer option key (_source) of value (server/udev) not assigned!
Pointer option key (major) of value (13) not assigned!
Pointer option key (minor) of value (68) not assigned!
Pointer option key (config_info) of value (udev:/sys/devices/pci0000:00/0000:00:08.1/0000:04:00.4/usb3/3-4/3-4:1.1/0003:099A:7202.0002/input/input5/event4) not assigned!
couldn't find driver for pointer device "Wireless Keyboard/Mouse" (/dev/input/event4)
Pointer option key (_source) of value (server/udev) not assigned!
Pointer option key (major) of value (13) not assigned!
Pointer option key (minor) of value (32) not assigned!
Pointer option key (config_info) of value (udev:/sys/devices/pci0000:00/0000:00:08.1/0000:04:00.4/usb3/3-4/3-4:1.1/0003:099A:7202.0002/input/input5/mouse0) not assigned!
couldn't find driver for pointer device "Wireless Keyboard/Mouse" (/dev/input/mouse0)
unrecognised device identifier: /dev/input/event5
unrecognised device identifier: /dev/input/event10
unrecognised device identifier: /dev/input/event11
Parent pid 63088, child pid 63089
Child process initialized in 7.84 ms
Parent received signal 2, shutting down the child process...
Child received signal 2, shutting down the sandbox...
Parent is shutting down, bye...
```

rusty-snake commented 1 year ago

> -no-host-grab

You can try to add `xephyr-extra-params -no-host-grab` in `/etc/firejail/firejail.config`.

> Is there another way to have good X11 app isolation?

Wayland 🙊