git: a5bfce1d60 - main - Status/2026Q1/appjail.adoc: Add report

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Lorenzo Salvadore <salvadore_at_FreeBSD.org>
Date: Fri, 10 Apr 2026 11:12:12 UTC
The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=a5bfce1d601b0f0084587f32081dad7cb652cb50

commit a5bfce1d601b0f0084587f32081dad7cb652cb50
Author:     Jesús Daniel Colmenares Oviedo <dtxdf@FreeBSD.org>
AuthorDate: 2026-04-10 11:06:58 +0000
Commit:     Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2026-04-10 11:11:51 +0000

    Status/2026Q1/appjail.adoc: Add report
---
 .../en/status/report-2026-01-2026-03/appjail.adoc  | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/website/content/en/status/report-2026-01-2026-03/appjail.adoc b/website/content/en/status/report-2026-01-2026-03/appjail.adoc
new file mode 100644
index 0000000000..8bab95991c
--- /dev/null
+++ b/website/content/en/status/report-2026-01-2026-03/appjail.adoc
@@ -0,0 +1,36 @@
+=== AppJail, AppScripts and Sandboxed X11 Applications
+
+Links: +
+link:https://github.com/DtxdF/AppJail[AppJail on GitHub] URL: link:https://github.com/DtxdF/AppJail[] +
+link:https://github.com/DtxdF/appscript[AppScript on GitHub] URL: link:https://github.com/DtxdF/appscript[] +
+link:https://github.com/DtxdF/x11appjail[x11appjail on GitHub] URL: link:https://github.com/DtxdF/x11appjail[] +
+
+Contact: Jesús Daniel Colmenares Oviedo <dtxdf@FreeBSD.org>
+
+**AppJail** is an open-source BSD-3 licensed framework entirely written in POSIX shell and C to create isolated, portable and easy to deploy environments using FreeBSD jails that behaves like an application.
+
+**AppScript** is a very lightweight and easy-to-use tool for creating self-extracting executables.
+
+OS-level virtualization is not as perfect as hardware-level virtualization: a vulnerability in a device not hidden within the jail could pose a risk to the host, but, if done correctly, it is much better than running an application directly from the host.
+
+Jails are the implementation of OS-level virtualization for FreeBSD.
+With jails, many things can be easily restricted: link:https://appjail.readthedocs.io/en/latest/limits/[limiting resources], link:https://appjail.readthedocs.io/en/latest/DEVFS/[restricting access to /dev devices], limiting the filesystem, link:https://github.com/DtxdF/AppJail/wiki/filter[restricting the network], and many other aspects.
+All transparently to the application running within the jail.
+However, one issue, specifically with X11 applications, is the lack of isolation.
+Users often misuse the `xhost +` trick to run an X11 application inside the jail and display the application on the host's X server.
+This poses a security risk because, even though the X11 application runs inside the jail and even though it does so as an unprivileged process, it can obtain a great deal of information from the host.
+Therefore, a compromised application, one with a backdoor, or simply one that collects a lot of information for «telemetry purposes» could be a nightmare with this setup and, in the worst-case scenario, compromise the host.
+
+A new command has recently been implemented in AppJail to solve this problem: man:appjail-x11[1].
+This command runs an application inside the jail but displays it on a new X server created by Xephyr, which is already authenticated with **MIT-MAGIC-COOKIE-1**.
+This is much simpler and lightweight than setting up an SSH server inside the jail, creating a key pair for this purpose, connecting to the jail, etc.
+However, this command is not limited to just that: you can resize the Xephyr window, and your DE/WM will be refreshed accordingly, as this command is capable of detecting such changes.
+
+However, while much has been achieved with this command, the user must install a DE/WM and the application inside the jail, and perhaps install a custom .desktop file on the host.
+This can be automated using Makejails, and advanced users will be fine with that, since they love customizing everything, but for the average user (or even for me), what I wanted was to distribute applications so that users would not have to do anything more than simply run the application, and that is what x11appjail aims to solve.
+
+link:https://github.com/DtxdF/x11appjail[x11appjail] is a repository containing pre-made scripts for deploying certain X11 applications using appjail-x11, which automates the installation of the .desktop file, the icon, the creation of the jail via Makejails, and some reasonable default environment variables that can be easily modified at runtime.
+However, the repository actually exacerbates the usability issue: now the user has to clone and pull updates, which may be enough for some users, but what I wanted was reasonably good usability of the application and the ability to easily isolate it in a jail.
+Therefore, I wrote link:https://github.com/DtxdF/appscript[appscript], which creates SFX files in ELF format, and these are automatically created with each new release of that repository thanks to a GitHub workflow.
+
+Sponsor: https://www.patreon.com/appjail