[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freedesktop-xorg
Subject:    Re: Xorg isolation
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2023-01-23 22:12:35
Message-ID: 4b4a9738-0939-13f6-00fa-64971d753d2d () oracle ! com
[Download RAW message or body]

On 1/22/23 04:20, Christopher Marshall wrote:
> Third, when initiating Xorg, I'd initiate with a command such as: /Xorg 
> -nolisten tcp -nolisten inet -nolisten inet6 -listen unix -nolisten local :0 
> -seat seat0 vt7 -novtswitch/
> /
> /
> Which should turn off listening on all sockets other than those on the local 
> machine - helping to further isolate the network element of it.

You don't need to list any of those -listen or -nolisten flags on modern Xorg.
-nolisten tcp has been the default since Xorg 1.17 and -listen unix has been
the default since the 1980's.

-nolisten inet & -nolisten inet6 simply duplicate what -nolisten tcp does
- you only need them if you want to listen on one form of TCP socket (IPv4
or IPv6) but not the other.

-nolisten local turns off local connections - on Linux this means Unix domain
sockets, overriding the -listen unix you listed there.

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

[prev in list] [next in list] [prev in thread] [next in thread]