To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Cc: Jesús Daniel Colmenares Oviedo
From: Lorenzo Salvadore
Subject: git: a5bfce1d60 - main - Status/2026Q1/appjail.adoc: Add report
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-BeenThere: dev-commits-doc-all@freebsd.org
Sender: owner-dev-commits-doc-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: salvadore
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a5bfce1d601b0f0084587f32081dad7cb652cb50
Auto-Submitted: auto-generated
Date: Fri, 10 Apr 2026 11:12:12 +0000
Message-Id: <69d8db0c.2241f.3f38b534@gitrepo.freebsd.org>

The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=a5bfce1d601b0f0084587f32081dad7cb652cb50

commit a5bfce1d601b0f0084587f32081dad7cb652cb50
Author: Jesús Daniel Colmenares Oviedo
AuthorDate: 2026-04-10 11:06:58 +0000
Commit: Lorenzo Salvadore
CommitDate: 2026-04-10 11:11:51 +0000

    Status/2026Q1/appjail.adoc: Add report

--- .../en/status/report-2026-01-2026-03/appjail.adoc | 36 ++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/website/content/en/status/report-2026-01-2026-03/appjail.adoc b/website/content/en/status/report-2026-01-2026-03/appjail.adoc new file mode 100644 index 0000000000..8bab95991c --- /dev/null +++ b/website/content/en/status/report-2026-01-2026-03/appjail.adoc 
@@ -0,0 +1,36 @@ +=== AppJail, AppScripts and Sandboxed X11 Applications + +Links: + +link:https://github.com/DtxdF/AppJail[AppJail on GitHub] URL: link:https://github.com/DtxdF/AppJail[] + +link:https://github.com/DtxdF/appscript[AppScript on GitHub] URL: link:https://github.com/DtxdF/appscript[] + +link:https://github.com/DtxdF/x11appjail[x11appjail on GitHub] URL: link:https://github.com/DtxdF/x11appjail[] + + +Contact: Jesús Daniel Colmenares Oviedo + +**AppJail** is an open-source BSD-3 licensed framework entirely written in POSIX shell and C to create isolated, portable and easy to deploy environments using FreeBSD jails that behaves like an application. + +**AppScript** is a very lightweight and easy-to-use tool for creating self-extracting executables. + +OS-level virtualization is not as perfect as hardware-level virtualization: a vulnerability in a device not hidden within the jail could pose a risk to the host, but, if done correctly, it is much better than running an application directly from the host. + +Jails are the implementation of OS-level virtualization for FreeBSD. +With jails, many things can be easily restricted: link:https://appjail.readthedocs.io/en/latest/limits/[limiting resources], link:https://appjail.readthedocs.io/en/latest/DEVFS/[restricting access to /dev devices], limiting the filesystem, link:https://github.com/DtxdF/AppJail/wiki/filter[restricting the network], and many other aspects. +All transparently to the application running within the jail. +However, one issue, specifically with X11 applications, is the lack of isolation. +Users often misuse the `xhost +` trick to run an X11 application inside the jail and display the application on the host's X server. +This poses a security risk because, even though the X11 application runs inside the jail and even though it does so as an unprivileged process, it can obtain a great deal of information from the host. 
+Therefore, a compromised application, one with a backdoor, or simply one that collects a lot of information for «telemetry purposes» could be a nightmare with this setup and, in the worst-case scenario, compromise the host. + +A new command has recently been implemented in AppJail to solve this problem: man:appjail-x11[1]. +This command runs an application inside the jail but displays it on a new X server created by Xephyr, which is already authenticated with **MIT-MAGIC-COOKIE-1**. +This is much simpler and lightweight than setting up an SSH server inside the jail, creating a key pair for this purpose, connecting to the jail, etc. +However, this command is not limited to just that: you can resize the Xephyr window, and your DE/WM will be refreshed accordingly, as this command is capable of detecting such changes. + +However, while much has been achieved with this command, the user must install a DE/WM and the application inside the jail, and perhaps install a custom .desktop file on the host. +This can be automated using Makejails, and advanced users will be fine with that, since they love customizing everything, but for the average user (or even for me), what I wanted was to distribute applications so that users would not have to do anything more than simply run the application, and that is what x11appjail aims to solve. + +link:https://github.com/DtxdF/x11appjail[x11appjail] is a repository containing pre-made scripts for deploying certain X11 applications using appjail-x11, which automates the installation of the .desktop file, the icon, the creation of the jail via Makejails, and some reasonable default environment variables that can be easily modified at runtime. +However, the repository actually exacerbates the usability issue: now the user has to clone and pull updates, which may be enough for some users, but what I wanted was reasonably good usability of the application and the ability to easily isolate it in a jail. 
+Therefore, I wrote link:https://github.com/DtxdF/appscript[appscript], which creates SFX files in ELF format, and these are automatically created with each new release of that repository thanks to a GitHub workflow. + +Sponsor: https://www.patreon.com/appjail
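Review bot: In the paragraph introducing man:appjail-x11[1], the phrase "a new X server created by Xephyr, which is already authenticated with **MIT-MAGIC-COOKIE-1**" leaves the isolation claim underspecified. The report explains why `xhost +` is a risk, but it never says which connection the cookie protects or what the jailed application can still reach on the host's display, so a reader cannot tell how the new command closes the gap described in the preceding paragraph. One sentence stating where the cookie is used and what the nested server hides from the jailed client would fix that. Smaller points: in the AppJail description, "environments ... that behaves like an application" should read "behave"; "much simpler and lightweight" wants "more lightweight"; `.desktop` is left unformatted while `xhost +` is in backticks; and the guillemets around «telemetry purposes» and the first-person "what I wanted" stand out in a status report.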