diff options
-rw-r--r-- | linux/poi-debug.profile | 108 | ||||
-rw-r--r-- | linux/poi.desktop.in (renamed from linux/poi.desktop) | 10 | ||||
-rw-r--r-- | linux/poi.profile (renamed from data/poi.profile) | 11 | ||||
-rw-r--r-- | linux/poi_ps.desktop.in | 13 | ||||
-rw-r--r-- | src/meson.build | 15 |
5 files changed, 148 insertions, 9 deletions
diff --git a/linux/poi-debug.profile b/linux/poi-debug.profile new file mode 100644 index 0000000..18ef37d --- /dev/null +++ b/linux/poi-debug.profile @@ -0,0 +1,108 @@ +# Firejail profile for poi +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/poi.local +# Persistent global definitions +include /etc/firejail/globals.local + +# noblacklist: exclude from blacklist +noblacklist ${HOME}/.cache/smolbote +noblacklist ${HOME}/.config/smolbote +noblacklist ${HOME}/.local/share/smolbote + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-xdg.inc + +mkdir ${HOME}/.cache/smolbote +mkdir ${HOME}/.config/smolbote +mkdir ${HOME}/.local/share/smolbote + +# whitelist: only show folders that are whitelisted +#whitelist ${DOWNLOADS} +#whitelist ${HOME}/.cache/smolbote +#whitelist ${HOME}/.config/smolbote +#whitelist ${HOME}/.local/share/smolbote +#include /etc/firejail/whitelist-common.inc + +## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid +caps.drop all + +## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user. +# Breaks audio +# ipc-namespace + +## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id. +# Breaks audio +# machine-id + +## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. +netfilter + +## nodbus - Disable access to dbus. +nodbus + +## nodvd - Disable access to optical disk drives. +nodvd + +## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. +nogroups + +## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. +nonewprivs + +## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. +noroot + +## notv - Disable access to DVB TV devices. +notv + +# novideo - Disable access to video devices. +novideo + +## protocol - Only allows sockets of the following types. Not supported on i386 architecture. +protocol unix,inet,inet6,netlink + +## seccomp - Blacklists a large swath of syscalls from being accessible. +#seccomp +## Use seccomp.drop for now as seccomp is broken with many programs. +seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace + +## shell - Run the program directly, without a user shell. +# breaks secondary instances when using join-or-start after shell=none +#shell none + +## tracelog - Log all viloations to syslog. +tracelog + + +## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media +disable-mnt + +## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. +# bash required to launch from kde kickoff menu +#private-bin bash,poi + +## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. +private-dev + +## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. +# Experimental support for only fonts, alsa audio, and dns resolution. +private-etc fonts,group,machine-id,resolv.conf + +## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. +# breaks SingleApplication without join-or-start set +private-tmp + + +## noexec - Prevent execution of files in the specified locations +#noexec ${HOME} +noexec /tmp + + +# join-or-start - Join the sandbox identified by name or start a new one +join-or-start poi + diff --git a/linux/poi.desktop b/linux/poi.desktop.in index ea656a4..c6f77b2 100644 --- a/linux/poi.desktop +++ b/linux/poi.desktop.in @@ -3,7 +3,7 @@ Version=1.0 Name=poi GenericName=Web Browser Comment=yet another no-frills browser -Exec=/usr/local/bin/poi %u +Exec=@exec_poi@ %u Icon=poi Terminal=false Type=Application @@ -12,10 +12,14 @@ Categories=Network;WebBrowser; Keywords=web;browser;internet; Actions=configure;firejail +[Desktop Action pickSession] +Name=Pick Session +Exec=@exec_poi@ --pick-session + [Desktop Action configure] Name=Configure smolbote -Exec=/usr/local/bin/poi configure +Exec=@exec_poi@ configure [Desktop Action firejail] Name=Start instance in firejail -Exec=/usr/bin/firejail --profile=/usr/local/lib/smolbote/poi.profile poi --socket=/tmp/smolbote-firejail.socket +Exec=/usr/bin/firejail --profile=@profile_path@ @exec_poi@ diff --git a/data/poi.profile b/linux/poi.profile index 02c0ec4..d12e86a 100644 --- a/data/poi.profile +++ b/linux/poi.profile @@ -5,7 +5,7 @@ include /etc/firejail/poi.local # Persistent global definitions include /etc/firejail/globals.local - +# noblacklist: exclude from blacklist noblacklist ${HOME}/.cache/smolbote noblacklist ${HOME}/.config/smolbote noblacklist ${HOME}/.local/share/smolbote @@ -72,7 +72,8 @@ protocol unix,inet,inet6,netlink seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace ## shell - Run the program directly, without a user shell. -shell none +# breaks secondary instances when using join-or-start after shell=none +#shell none ## tracelog - Log all viloations to syslog. tracelog @@ -93,9 +94,15 @@ private-dev private-etc fonts,group,machine-id,resolv.conf ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. +# breaks SingleApplication without join-or-start set private-tmp ## noexec - Prevent execution of files in the specified locations noexec ${HOME} noexec /tmp + + +# join-or-start - Join the sandbox identified by name or start a new one +join-or-start poi + diff --git a/linux/poi_ps.desktop.in b/linux/poi_ps.desktop.in new file mode 100644 index 0000000..7cfb7a9 --- /dev/null +++ b/linux/poi_ps.desktop.in @@ -0,0 +1,13 @@ +[Desktop Entry] +Version=1.0 +Name=smolbote (Pick Session) +GenericName=Web Browser +Comment=yet another no-frills browser +Exec=@exec_poi@ --pick-session +Icon=poi +Terminal=false +Type=Application +MimeType=text/html;text/xml;application/xhtml+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https; +Categories=Network;WebBrowser; +Keywords=web;browser;internet; + diff --git a/src/meson.build b/src/meson.build index 209fb5c..c539fff 100644 --- a/src/meson.build +++ b/src/meson.build @@ -49,9 +49,16 @@ poi = executable(get_option('poiName'), install: true, 'wallet/wallet.cpp', 'wallet/wallet.h'] ) -# install .desktop file and firejail profile -if ['linux', 'freebsd', 'netbsd', 'dragonflybsd'].contains(host_machine.system()) +# install .desktop file and firejail profile for systems in this array +if ['linux'].contains(host_machine.system()) + conf = configuration_data() + conf.set('exec_poi', join_paths(get_option('prefix'), get_option('bindir'), get_option('poiName'))) + conf.set('profile_path', join_paths(get_option('prefix'), get_option('libdir'), 'smolbote', 'poi.profile')) + install_data('../data/poi.svg', install_dir: join_paths(get_option('datadir'), 'icons/hicolor/scalable/apps')) - install_data('../linux/poi.desktop', install_dir: join_paths(get_option('datadir'), 'applications')) - install_data('../data/poi.profile', install_dir: join_paths(get_option('libdir'), 'smolbote')) + install_data('../linux/poi.profile', install_dir: join_paths(get_option('libdir'), 'smolbote')) + + configure_file(input: '../linux/poi.desktop.in', output: 'poi.desktop', configuration: conf, install_dir: join_paths(get_option('datadir'), 'applications')) + configure_file(input: '../linux/poi_ps.desktop.in', output: 'poi_ps.desktop', configuration: conf, install_dir: join_paths(get_option('datadir'), 'applications')) + endif |