AppJail with X11 App


Initiate the AppJail

We’ll use browsers from the Quarterly package repo as an example.

sudo appjail quick x11-www alias ip4_inherit start login

Create Users and Scripts

pkg inst -y firefox librewolf chromium iridium-browser ungoogled-chromium
pkg inst -y sndio alsa-utils alsa-sndio alsa-plugins pulseaudio pulseaudio-module-sndio oss
pkg inst -y gstreamer1-plugins-sndio gstreamer1-plugins-x264 gstreamer1-plugins-x265
pkg inst -y gstreamer1-plugins-v4l2 gstreamer1-plugins-vpx gstreamer1-plugins-pulse
pkg inst -y gstreamer1-plugins-jack gstreamer1-plugins

sysrc oss_enable="YES"

# we'll loop through these user additions
#  pw useradd chromium -w random -m
#  pw useradd ungoogled -w random -m
#  pw useradd librewolf -w random -m
#  pw useradd iridium -w random -m
#  pw useradd firefox -w random -m

# Socket directory that the host's X11 socket will be nullfs-mounted onto
mkdir /tmp/.X11-unix
chmod 777 /tmp/.X11-unix
# Make the binary names match the user/script names used in the loop below
ln -s /usr/local/bin/chrome /usr/local/bin/chromium
ln -s /usr/local/bin/ungoogled-chromium /usr/local/bin/ungoogled

XAPPS="chromium firefox iridium librewolf ungoogled"
for xapp in ${XAPPS}; do
  # one unprivileged user per browser, with its own home and launcher script
  pw useradd ${xapp} -w random -m
  cat << EOF > /home/${xapp}/run-${xapp}
export DISPLAY=:0.0
/usr/local/bin/${xapp} > /dev/null &
EOF
  chown ${xapp}:${xapp} /home/${xapp}/run-${xapp}
  chmod u+x /home/${xapp}/run-${xapp}
done

On the main host

xhost +
sudo mount_nullfs /tmp/.X11-unix /usr/local/appjail/jails/chromium-port/jail/tmp/.X11-unix
sudo jexec -U chromium chromium-port /home/chromium/run-chromium


zfs clone optane-aics/jails/containers/x11secure@base optane-aics/jails/containers/x11sec-chromium
service jail start x11sec-chromium
jexec -l x11sec-chromium

pkg inst -y pkg
pkg inst -y vim micro
pkg inst -y sndio alsa-utils alsa-sndio alsa-plugins pulseaudio pulseaudio-module-sndio oss
sysrc oss_enable="YES"
pkg inst -y chromium iridium-browser ungoogled-chromium

service dbus enable
service dbus start

# Quote the heredoc delimiter so the trailing backslashes in the patch are
# written literally instead of being taken as line continuations
cat << 'EOF' > /root/login.conf.diff.patch
--- /etc/login.conf.dist	2024-05-15 14:52:35.662397000 -0700
+++ /etc/login.conf	2024-05-15 14:51:45.662054000 -0700
@@ -49,6 +49,7 @@
 	:umask=022:\
 	:charset=UTF-8:\
 	:lang=C.UTF-8:
+	:setenv=DISPLAY=\c0:\
EOF

patch /etc/login.conf /root/login.conf.diff.patch
cap_mkdb /etc/login.conf

xhost +
sudo mount_nullfs /tmp/.X11-unix /srv/jails/containers/x11sec-chromium/tmp/.X11-unix
sudo jexec -U chromium chromium-port /home/chromium/run-chromium
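Tying the steps together, here is an added example (not code from the original post) that parameterizes the per-browser launcher loop and the host-side mount/jexec commands: gen_run_script writes the launcher under a jail root, and launch_cmds prints the host commands, going one step beyond the post by skipping mount_nullfs when the supplied mount table already lists the socket directory as mounted into that jail. The jail root path and the mount table string are passed in as arguments (assumed, so it runs without a real jail); xhost handling is left exactly as in the post.

```shell
#!/bin/sh
# Added example (not part of the original post): parameterized version of the
# per-browser launcher loop plus the host-side launch commands.
# Assumptions: launchers live under <jail root>/home/<app>, the host X socket
# directory is /tmp/.X11-unix and the jail user has the same name as the app.

X11_SOCKDIR=/tmp/.X11-unix

# Write <root>/home/<app>/run-<app> (the launcher the post generates per user)
# and print its path. chown only when the user actually exists on this system.
gen_run_script() {
  app=$1
  root=$2
  home="$root/home/$app"
  mkdir -p "$home"
  cat << EOF > "$home/run-$app"
#!/bin/sh
export DISPLAY=:0.0
/usr/local/bin/$app > /dev/null 2>&1 &
EOF
  chmod u+x "$home/run-$app"
  if id "$app" > /dev/null 2>&1; then
    chown "$app:$app" "$home/run-$app"
  fi
  echo "$home/run-$app"
}

# Print the host commands: mount_nullfs of the X socket dir into the jail root
# (skipped when the given mount table already lists that target, so a second
# launch does not stack another nullfs mount) and the jexec of the launcher.
# Pass "$(mount)" as the mount table on a real host.
launch_cmds() {
  jail=$1
  app=$2
  root=$3
  mtab=$4
  target="$root/tmp/.X11-unix"
  if ! printf '%s\n' "$mtab" | grep -qF -- " on $target "; then
    echo "mount_nullfs $X11_SOCKDIR $target"
  fi
  echo "jexec -U $app $jail /home/$app/run-$app"
}
```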

===============================================================================================================

The new JACK server comes with a DBUS control interface:

$ jack_control help
$ jack_control ds oss
$ jack_control dp
$ jack_control dps rate 48000
$ jack_control dps wordlength 16
$ jack_control dps capture /dev/dsp0
$ jack_control dps playback /dev/dsp0
$ jack_control eps realtime False
$ jack_control start

To use real-time priority for JACK server and clients, load the mac_priority(4) module and add the JACK user to the realtime group.

Memory locking has to be allowed in /etc/login.conf or ~/.login_conf. Set the resource limit ":memorylocked=unlimited:" and don't forget to run

cap_mkdb /etc/login.conf

It’s still possible to start JACK server as an RC service for a dedicated user. Note that only one JACK server can be run at a time. An /etc/rc.conf example:

jackd_enable="YES"
jackd_user="joe"
jackd_args="--no-realtime -doss -r48000 -p1024 -w16 \
  --capture /dev/dsp0 --playback /dev/dsp0"

Official JACK example clients and tools are available as jack-example-tools.

💗 Progressive Trance for Tuesday 💗

2 for Tuesday? Sure.

Track: Quiet Hope
Artist: Farius

Track: I Believe
Artist: ilan Bluestone + Giuseppe De Luca