AppJail with X11 App

References

Initiate the AppJail

We’ll use browsers from the Quarterly package repo as an example.

# Create the jail, start it and log in, all in one step.  ip4_inherit gives the
# jail the host's IPv4 network stack rather than an address of its own.
jail_name=x11-www
sudo appjail quick "${jail_name}" alias ip4_inherit start login

Create Users and Scripts

# Inside the jail: browsers, the audio stack and the gstreamer plugins the
# browsers pick up at runtime.  One transaction per group, as in the original.
pkg install -y \
  firefox librewolf chromium iridium-browser ungoogled-chromium
pkg install -y \
  sndio alsa-utils alsa-sndio alsa-plugins \
  pulseaudio pulseaudio-module-sndio oss
pkg install -y \
  gstreamer1-plugins-sndio gstreamer1-plugins-x264 gstreamer1-plugins-x265
pkg install -y \
  gstreamer1-plugins-v4l2 gstreamer1-plugins-vpx gstreamer1-plugins-pulse
pkg install -y \
  gstreamer1-plugins-jack gstreamer1-plugins

# Start the OSS sound system at boot.
sysrc oss_enable="YES"

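# The per-browser users are created by the loop below; the equivalent one-off
# commands would be:
#  pw useradd chromium -w random -m
#  pw useradd ungoogled -w random -m
#  pw useradd librewolf -w random -m
#  pw useradd iridium -w random -m
#  pw useradd firefox -w random -m

# Mount point for the host's X11 socket directory (nullfs-mounted from the host
# in a later step).  Use mode 1777, as the real /tmp/.X11-unix has: still
# world-writable, but the sticky bit stops one browser user from unlinking or
# renaming another user's socket when the directory is not masked by the mount.
mkdir -p /tmp/.X11-unix
chmod 1777 /tmp/.X11-unix

# Give the installed binaries names that match the user and run-script names
# used by the loop below (chromium -> chrome, ungoogled -> ungoogled-chromium).
ln -s /usr/local/bin/chrome /usr/local/bin/chromium
ln -s /usr/local/bin/ungoogled-chromium /usr/local/bin/ungoogled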

# One unprivileged user plus a launcher script per browser.  XAPPS is a plain
# space-separated list so this stays valid under /bin/sh (word splitting is
# intended here).
XAPPS="chromium firefox iridium librewolf ungoogled"
# shellcheck disable=SC2086
for xapp in ${XAPPS}; do
  home="/home/${xapp}"
  launcher="${home}/run-${xapp}"

  # -m creates the home directory; -w random sets a random password and prints
  # it on stdout.
  pw useradd "${xapp}" -w random -m

  # Launcher: point the browser at the host display and detach it.  ${xapp} is
  # expanded by the outer shell when the file is written.
  cat > "${launcher}" <<EOF
#!/bin/sh
export DISPLAY=:0.0
/usr/local/bin/${xapp} > /dev/null &
EOF

  chown "${xapp}:${xapp}" "${launcher}"
  chmod u+x "${launcher}"
done

On the main host

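# On the host, as the user who owns the X session.  A bare "xhost +" switches
# X access control off for every client (including TCP peers if the server
# listens on one); "+local:" admits only clients arriving over the local Unix
# socket, which is how the jail connects through the nullfs mount below.
xhost +local:

# Must match the name given to "appjail quick" above.
jail_name=x11-www
sudo mount_nullfs /tmp/.X11-unix "/usr/local/appjail/jails/${jail_name}/jail/tmp/.X11-unix"
sudo jexec -U chromium "${jail_name}" /home/chromium/run-chromium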

Alternately via Regular Jail

# Clone the prepared base snapshot into a dataset for this jail, start the jail
# and enter it (-l: clean login environment).
jail_name=x11sec-chromium
zfs clone "optane-aics/jails/containers/x11secure@base" "optane-aics/jails/containers/${jail_name}"
service jail start "${jail_name}"
jexec -l "${jail_name}"

# Inside the jail: bootstrap pkg itself, editors, the audio stack, then the
# browsers.
pkg install -y pkg
pkg install -y vim micro
pkg install -y \
  sndio alsa-utils alsa-sndio alsa-plugins \
  pulseaudio pulseaudio-module-sndio oss
sysrc oss_enable="YES"
pkg install -y chromium iridium-browser ungoogled-chromium

# Enable and start D-Bus (presumably for the browsers above; not otherwise
# stated here).
for action in enable start; do
  service dbus "${action}"
done

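# Put DISPLAY into the login-class environment of the jail by patching the
# "default" class in /etc/login.conf.  Fixes relative to the original:
#  * "cat< EOF" redirects stdin from a file literally named EOF; a here-document
#    needs "<<".
#  * The delimiter is quoted ('EOF') so the shell leaves the trailing
#    backslashes of the login.conf lines alone instead of treating them as line
#    continuations.
#  * The setenv line is inserted before ":lang=...:" — that is the record's
#    last line and carries no trailing backslash, so appending after it would
#    have started a new record.  "\c" is the escaped colon, so the value is ":0".
cat << 'EOF' > /root/login.conf.diff.patch
--- /etc/login.conf.dist        2024-05-15 14:52:35.662397000 -0700
+++ /etc/login.conf     2024-05-15 14:51:45.662054000 -0700
@@ -49,3 +49,4 @@
        :umask=022:\
        :charset=UTF-8:\
+       :setenv=DISPLAY=\c0:\
        :lang=C.UTF-8:
EOF

# -l lets the space indentation above match whatever blanks (login.conf is
# normally tab-indented) the installed file uses.  cap_mkdb rebuilds the
# login.conf.db that login(1) reads.
patch -l /etc/login.conf /root/login.conf.diff.patch
cap_mkdb /etc/login.conf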

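# Back on the host.  "+local:" admits local Unix-socket clients only, instead of
# turning X access control off for every client as "xhost +" does.
xhost +local:

# Same name as the zfs clone / "service jail start" above (the original reused
# the AppJail section's jail name here).
jail_name=x11sec-chromium
sudo mount_nullfs /tmp/.X11-unix "/srv/jails/containers/${jail_name}/tmp/.X11-unix"
# NOTE(review): the "chromium" user and /home/chromium/run-chromium are created
# in the AppJail section, not in this jail's setup — create them here the same
# way before running this.
sudo jexec -U chromium "${jail_name}" /home/chromium/run-chromium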