Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
APPJAIL-X11(1)		    General Commands Manual		APPJAIL-X11(1)

NAME
       appjail-x11 -- Execute x11 applications in jails

SYNOPSIS
       appjail x11 name	[options ...]

DESCRIPTION
       The  appjail  x11  utility is designed to run an	x11 application	inside
       the jail	with  MIT-MAGIC-COOKIE-1  authentication  already  configured.
       With this approach, even	if the /tmp/.X11-unix directory	is shared with
       other sockets, an x11 application inside	the jail cannot	access other X
       servers.

       This  utility  uses Xephyr(1) as	the X server, so you will have the ad-
       vantage that the	window will behave like	 any  other  application,  but
       running	inside	the  isolated environment as if	it were	running	on the
       host. This utility also "refreshes" the server when the main window  is
       resized,	 so  the  -resizeable parameter	of Xephyr(1) works quite well,
       providing an experience similar to that of xpra(1).

       The other advantage of using this utility is that it automatically  re-
       serves  a free display number, so you don't need	to keep	track of this,
       which is	 not  very  practical  from  a	human  perspective.  See  "X11
       PARAMETERS"  in	appjail.conf(5)	 for details on	configuration, but the
       default settings	work well in many cases.

       This utility is designed	not to touch the Xauthority file you  specify,
       so  you	don't  have to worry about messing up your precious authoriza-
       tions with jails	that may even be ephemeral.

       The cookie is only created if no	entry is found in the  Xauthority  you
       specify.	This cookie is ephemeral, so it	is replaced by a new one after
       the  next  execution. If	you want to use	other useful utilities such as
       xclip(1), you must create an entry in Xauthority	for the	 display  used
       inside  the  jail.  Of course, this is a	chicken-egg problem, since you
       don't know which	display	to use before it  is  assigned,	 so  run  this
       utility	at  least  once	 and  the display number will be assigned. See
       appjail-jail(1) to obtain the display number assigned to	the  jail,  or
       better yet, use the assign_only option, designed	to solve this problem.

       Optionally,  if	you  have installed x11/xdotool	and x11/xseticon, this
       utility changes Xephyr(1)'s window icon to easily  identify  which  x11
       applications are	isolated from the rest.	This does not affect other in-
       stances of Xephyr(1) not	created	by this	utility.

OPTIONS
       assign_only
	   This	 option	 is  designed to just reserve the display for the jail
	   and nothing else, and when this utility finishes running, the  dis-
	   play	is displayed via stdout.

       display="display"
	   The main server for painting	the Xephyr(1)'s	window.
       you  specify,  which  is	supposed to allow access to Xephyr(1).	By de-
	   fault, the DISPLAY environment variable is used, and	if it  is  not
	   defined, :0 is used as an alternative.

       exec_env="name=value"
	   Pass	an environment variable	to the command executed	by exec_start.
	   Can be specified multiple times.

       exec_start="command [args ...]"
	   Application	to  be	run  after starting Xephyr(1).	In most	cases,
	   this	is the window manager or desktop environment. You can  run  an
	   individual  application  that is not	a window manager, but for cer-
	   tain	applications that rely heavily on at least a  window  manager,
	   you should run your application with	the window manager.

	   The	value  of  this	 parameter may contain some keywords that have
	   special meaning:
	   -   %d <Assigned display>

	   If you want to escape a keyword, use	%%, e.g. %%d.

       exec_user="user"
	   Run the application inside the jail as the specified	user. The user
	   must	exist inside the jail and have a home directory	 for  xauth(1)
	   to work correctly.

       xauthority="file"
	   Specify an alternative Xauthority file other	than the one specified
	   by the X11_XAUTHORITY parameter in appjail.conf(5).

       xephyr_args="args ..."
	   Pass	 any  valid  parameter for Xephyr(1) and Xserver(1).  The only
	   parameters that are implicitly added	 are  -auth,  -name  (used  to
	   distinguish	 between   multiple   instances	  of  Xephyr  and  set
	   customizations such as the icon) and	the display  used  within  the
	   jail. Specifying a parameter	such as	-ac is undefined.

       xephyr_user="user"
	   Run	Xephyr(1)  as  another	user.  For this	to work, you must have
	   security/su-exec installed.

       xrandr_refresh="number"
	   Specify the number of seconds in decimal or an integer to wait  be-
	   fore	re-running xrandr(1) within the	jail. Of course, the jail must
	   have	x11/xrandr installed for this to work.

	   If  you have	x11/xev	and x11/xdotool	installed on your system, this
	   parameter will be  ignored,	since  appjail-x11  will  not  perform
	   polling  to call xrandr(1).	Instead, it will simply	call xrandr(1)
	   when	the window size	changes, which is much more  efficient.	  How-
	   ever,  this	parameter should be set	to a value other than 0	to en-
	   able	this feature.

EXIT STATUS
       The appjail x11 utility exits 0 on success, and >0 if an	error occurs.

SEE ALSO
       Xephyr(1) Xserver(1) xauth(1) Xsecurity(7)

AUTHORS
       Jess Daniel Colmenares Oviedo <DtxdF@disroot.org>

BUGS
       Please note that	if you plan to run an x11 jail,	you  should  also  use
       keepenv	in  your  doas.conf(5) or similar for sudo(8), or at least ex-
       plicitly	set options that depend	on environment variables  affected  by
       your current environment, such as xauthority, xephyr_user, etc.

FreeBSD	ports 15.quarterly	April 11, 2026			APPJAIL-X11(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=appjail-x11&sektion=1&manpath=FreeBSD+Ports+15.1.quarterly>

home | help