--X11=xephyr broken on Mint 21.1 or other Ubuntu 22.04 based OS #5560

Open
bluesky-ca opened this issue Dec 31, 2022 · 1 comment


bluesky-ca commented Dec 31, 2022

Description

Running
firejail --x11=xephyr xeyes

does not work on Mint 21.1 - the issue is with Xephyr and how it reads the mouse and kbd

Steps to Reproduce

Using --x11=xephyr will generate input errors for /dev/input/...

See the discussion in link - not sure if the startup of Xephyr can be changed by firejail so as to use a different input method - looking at the Xephyr man page, the only option that I can see is -no-host-grab - not sure if that would work or if it offers a secure solution.

Is there another way to have good X11 app isolation?

Expected behavior

Kbd and mouse input working correctly.

Actual behavior

The mouse and kbd do not work.

Behavior without a profile

--noprofile does not change the issue.

Environment

  • Linux distribution and version: Mint 21.1 Cinnamon
  • Firejail version: tried 0.9.66 (default with the OS) and 0.9.70 from ppa:deki/firejail

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

unrecognised device identifier: /dev/input/event1
unrecognised device identifier: /dev/input/event2
unrecognised device identifier: /dev/input/event0
unrecognised device identifier: /dev/input/event8
unrecognised device identifier: /dev/input/event9
unrecognised device identifier: /dev/input/event6
unrecognised device identifier: /dev/input/event7
Kbd option key (_source) of value (server/udev) not assigned!
Kbd option key (major) of value (13) not assigned!
Kbd option key (minor) of value (67) not assigned!
Kbd option key (config_info) of value (udev:/sys/devices/pci0000:00/0000:00:08.1/0000:04:00.4/usb3/3-4/3-4:1.0/0003:099A:7202.0001/input/input4/event3) not assigned!
couldn't find driver for keyboard device "Wireless Keyboard/Mouse" (/dev/input/event3)
Pointer option key (_source) of value (server/udev) not assigned!
Pointer option key (major) of value (13) not assigned!
Pointer option key (minor) of value (68) not assigned!
Pointer option key (config_info) of value (udev:/sys/devices/pci0000:00/0000:00:08.1/0000:04:00.4/usb3/3-4/3-4:1.1/0003:099A:7202.0002/input/input5/event4) not assigned!
couldn't find driver for pointer device "Wireless Keyboard/Mouse" (/dev/input/event4)
Pointer option key (_source) of value (server/udev) not assigned!
Pointer option key (major) of value (13) not assigned!
Pointer option key (minor) of value (32) not assigned!
Pointer option key (config_info) of value (udev:/sys/devices/pci0000:00/0000:00:08.1/0000:04:00.4/usb3/3-4/3-4:1.1/0003:099A:7202.0002/input/input5/mouse0) not assigned!
couldn't find driver for pointer device "Wireless Keyboard/Mouse" (/dev/input/mouse0)
unrecognised device identifier: /dev/input/event5
unrecognised device identifier: /dev/input/event10
unrecognised device identifier: /dev/input/event11
Parent pid 63088, child pid 63089
Child process initialized in 7.84 ms

Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

@rusty-snake
Collaborator

> -no-host-grab

You can try to add xephyr-extra-params -no-host-grab in /etc/firejail/firejail.config.

> Is there another way to have good X11 app isolation?

Wayland 🙊
