Xephyr fails to start with private-tmp in firejail >= 0.9.60

[Roosn]

Hello. After updating the version Firejail from 0.9.58.2 to 0.9.64.4 Xephyr does not start and gives errors:

_XSERVTransSocketCreateListener: failed to bind listener
_XSERVTransSocketUNIXCreateListener: ...SocketCreateListener() failed
_XSERVTransMakeAllCOTSServerListeners: failed to create listener for unix
Error: failed to start xephyr

When I turn off (comment) #private-tmp everything works as before. Tell me, please, why on the old version it works with private-tmp, and in a new version is not work ?

If private-tmp replaced with whitelist /tmp/.X11-unix, everything works fine.

[rusty-snake]

private-tmp is just
_{(source code)}

whitelist /tmp/$XAUTHORITY
whitelist /tmp/.X11-unix
read-only /tmp/.X11-unix
whitelist /tmp/pulse-*

Does

ignore read-only /tmp/.X11-unix
private-tmp

or

private-tmp
read-write /tmp/.X11-unix

work?

[Roosn]

In profile Xephyr.profile

[Roosn]

For example, in Xephyr.profile only one srting private-tmp and nothing more. If I run firejail --noprofile --x11=xephyr mousepad Xephyr does not start. On the Firejail version 0.9.58.2 it works

[rusty-snake]

If you add a command to a profile (for further hardening) and the program fails with it, remove it.

[Roosn]

I try not to just remove, but choose a replacement (if possible). I hope in the future Xephyr with private-tmp will work again.

[rusty-snake]

You should mention it if you added a option that causes breakage.

[rusty-snake]

private-tmp mounts /tmp/.X11-unix read-only since feae44c.
private-tmp is disable for Xephyr since a280180.

According to the tests above, there is no way to make /tmp/.X11-unix rw with private-tmp. However, as you already discovered you can use whitelist /tmp/.X11-unix to make Xephyr work with a private /tmp. As long as you don't have any xauth or pulse issues there is no further action needed.