-rw-r--r--linux/poi-debug.profile108
-rw-r--r--linux/poi.desktop.in (renamed from linux/poi.desktop)10
-rw-r--r--linux/poi.profile (renamed from data/poi.profile)11
-rw-r--r--linux/poi_ps.desktop.in13
-rw-r--r--src/meson.build15
5 files changed, 148 insertions, 9 deletions
diff --git a/linux/poi-debug.profile b/linux/poi-debug.profile
new file mode 100644
index 0000000..18ef37d
--- /dev/null
+++ b/linux/poi-debug.profile
@@ -0,0 +1,108 @@
+# Firejail profile for poi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/poi.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# noblacklist: exclude from blacklist
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
+
+# whitelist: only show folders that are whitelisted
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.cache/smolbote
+#whitelist ${HOME}/.config/smolbote
+#whitelist ${HOME}/.local/share/smolbote
+#include /etc/firejail/whitelist-common.inc
+
+## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
+caps.drop all
+
+## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
+# Breaks audio
+# ipc-namespace
+
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
+## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
+netfilter
+
+## nodbus - Disable access to dbus.
+nodbus
+
+## nodvd - Disable access to optical disk drives.
+nodvd
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
+
+## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+nonewprivs
+
+## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
+noroot
+
+## notv - Disable access to DVB TV devices.
+notv
+
+# novideo - Disable access to video devices.
+novideo
+
+## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
+protocol unix,inet,inet6,netlink
+
+## seccomp - Blacklists a large swath of syscalls from being accessible.
+#seccomp
+## Use seccomp.drop for now as seccomp is broken with many programs.
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
+
+## shell - Run the program directly, without a user shell.
+# breaks secondary instances when using join-or-start after shell=none
+#shell none
+
+## tracelog - Log all viloations to syslog.
+tracelog
+
+
+## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
+disable-mnt
+
+## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
+# bash required to launch from kde kickoff menu
+#private-bin bash,poi
+
+## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+private-dev
+
+## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,group,machine-id,resolv.conf
+
+## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+# breaks SingleApplication without join-or-start set
+private-tmp
+
+
+## noexec - Prevent execution of files in the specified locations
+#noexec ${HOME}
+noexec /tmp
+
+
+# join-or-start - Join the sandbox identified by name or start a new one
+join-or-start poi
+
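Review bot: The header comment `# Firejail profile for poi` does not say what this debug variant relaxes relative to linux/poi.profile, and the only difference visible in this commit is `#noexec ${HOME}` (the default profile keeps `noexec ${HOME}` active), so a reader cannot tell whether the other ~100 duplicated lines are meant to stay in sync. A header such as `# Debug variant of poi.profile: noexec ${HOME} disabled; keep the rest identical to poi.profile` would record the intent. If "debug" is meant to allow attaching a debugger, note that `seccomp.drop` still lists `ptrace`, which blocks the ptrace syscall from inside the sandbox; confirm that is what is wanted. The comment typos `priviledges` and `viloations` are carried over from the default profile and could be fixed in both files.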
diff --git a/linux/poi.desktop b/linux/poi.desktop.in
index ea656a4..c6f77b2 100644
--- a/linux/poi.desktop
+++ b/linux/poi.desktop.in
@@ -3,7 +3,7 @@ Version=1.0
Name=poi
GenericName=Web Browser
Comment=yet another no-frills browser
-Exec=/usr/local/bin/poi %u
+Exec=@exec_poi@ %u
Icon=poi
Terminal=false
Type=Application
@@ -12,10 +12,14 @@ Categories=Network;WebBrowser;
Keywords=web;browser;internet;
Actions=configure;firejail
+[Desktop Action pickSession]
+Name=Pick Session
+Exec=@exec_poi@ --pick-session
+
[Desktop Action configure]
Name=Configure smolbote
-Exec=/usr/local/bin/poi configure
+Exec=@exec_poi@ configure
[Desktop Action firejail]
Name=Start instance in firejail
-Exec=/usr/bin/firejail --profile=/usr/local/lib/smolbote/poi.profile poi --socket=/tmp/smolbote-firejail.socket
+Exec=/usr/bin/firejail --profile=@profile_path@ @exec_poi@
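Review bot: The new `[Desktop Action pickSession]` group is not listed in the `Actions=` key a few lines above, which still reads `Actions=configure;firejail`, so desktop environments that honour the Desktop Entry spec will not show the new action. Change it to `Actions=pickSession;configure;firejail`. The `firejail` action's Exec now has a templated `@profile_path@` but still hard-codes `/usr/bin/firejail`; that is probably fine, but if the prefix can contain spaces the substituted `@exec_poi@` values in this file need quoting per the Exec key rules.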
diff --git a/data/poi.profile b/linux/poi.profile
index 02c0ec4..d12e86a 100644
--- a/data/poi.profile
+++ b/linux/poi.profile
@@ -5,7 +5,7 @@ include /etc/firejail/poi.local
# Persistent global definitions
include /etc/firejail/globals.local
-
+# noblacklist: exclude from blacklist
noblacklist ${HOME}/.cache/smolbote
noblacklist ${HOME}/.config/smolbote
noblacklist ${HOME}/.local/share/smolbote
@@ -72,7 +72,8 @@ protocol unix,inet,inet6,netlink
seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
## shell - Run the program directly, without a user shell.
-shell none
+# breaks secondary instances when using join-or-start after shell=none
+#shell none
## tracelog - Log all viloations to syslog.
tracelog
@@ -93,9 +94,15 @@ private-dev
private-etc fonts,group,machine-id,resolv.conf
## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+# breaks SingleApplication without join-or-start set
private-tmp
## noexec - Prevent execution of files in the specified locations
noexec ${HOME}
noexec /tmp
+
+
+# join-or-start - Join the sandbox identified by name or start a new one
+join-or-start poi
+
diff --git a/linux/poi_ps.desktop.in b/linux/poi_ps.desktop.in
new file mode 100644
index 0000000..7cfb7a9
--- /dev/null
+++ b/linux/poi_ps.desktop.in
@@ -0,0 +1,13 @@
+[Desktop Entry]
+Version=1.0
+Name=smolbote (Pick Session)
+GenericName=Web Browser
+Comment=yet another no-frills browser
+Exec=@exec_poi@ --pick-session
+Icon=poi
+Terminal=false
+Type=Application
+MimeType=text/html;text/xml;application/xhtml+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
+Categories=Network;WebBrowser;
+Keywords=web;browser;internet;
+
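Review bot: This entry declares `MimeType=...x-scheme-handler/http;x-scheme-handler/https;` but its `Exec=@exec_poi@ --pick-session` carries no `%u`, so if a desktop environment registers it as a URL/HTML handler the opened URL is silently dropped. Either append the field code, `Exec=@exec_poi@ --pick-session %u` (assuming poi accepts a URL together with `--pick-session`, which this diff does not show), or remove the `MimeType=` line so the entry is launcher-only. The `Name=smolbote (Pick Session)` also differs from the `Name=poi` used in poi.desktop.in; worth making the two consistent.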
diff --git a/src/meson.build b/src/meson.build
index 209fb5c..c539fff 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -49,9 +49,16 @@ poi = executable(get_option('poiName'), install: true,
'wallet/wallet.cpp', 'wallet/wallet.h']
)
-# install .desktop file and firejail profile
-if ['linux', 'freebsd', 'netbsd', 'dragonflybsd'].contains(host_machine.system())
+# install .desktop file and firejail profile for systems in this array
+if ['linux'].contains(host_machine.system())
+ conf = configuration_data()
+ conf.set('exec_poi', join_paths(get_option('prefix'), get_option('bindir'), get_option('poiName')))
+ conf.set('profile_path', join_paths(get_option('prefix'), get_option('libdir'), 'smolbote', 'poi.profile'))
+
install_data('../data/poi.svg', install_dir: join_paths(get_option('datadir'), 'icons/hicolor/scalable/apps'))
- install_data('../linux/poi.desktop', install_dir: join_paths(get_option('datadir'), 'applications'))
- install_data('../data/poi.profile', install_dir: join_paths(get_option('libdir'), 'smolbote'))
+ install_data('../linux/poi.profile', install_dir: join_paths(get_option('libdir'), 'smolbote'))
+
+ configure_file(input: '../linux/poi.desktop.in', output: 'poi.desktop', configuration: conf, install_dir: join_paths(get_option('datadir'), 'applications'))
+ configure_file(input: '../linux/poi_ps.desktop.in', output: 'poi_ps.desktop', configuration: conf, install_dir: join_paths(get_option('datadir'), 'applications'))
+
endif
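Review bot: Narrowing the condition to `['linux']` silently drops the icon and .desktop installation on the BSD systems the previous line listed, and the rewritten comment only says "for systems in this array" without giving the reason. If the motivation is that firejail is Linux-only, consider gating only the profile install and `@profile_path@` on Linux and keeping the icon/desktop install for the other systems, or state the reason in the comment. Also, linux/poi-debug.profile is added in this commit but no `install_data` line installs it; if that is intentional a one-line comment here (`# poi-debug.profile is for local use and is not installed`) would save the next reader from wondering.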