From e3b05391d12a7c695153b9ec5a557675fdcf5564 Mon Sep 17 00:00:00 2001
From: Aqua-sama
Date: Sun, 17 Jun 2018 20:55:38 +0200
Subject: .desktop: add run with firejail action
---
 data/poi.profile | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++
 linux/makepkg/PKGBUILD | 4 +++
 linux/poi.desktop | 6 +++-
 test/poi.profile | 93 --------------------------------------------------
 4 files changed, 102 insertions(+), 94 deletions(-)
 create mode 100644 data/poi.profile
 delete mode 100644 test/poi.profile
diff --git a/data/poi.profile b/data/poi.profile
new file mode 100644
index 0000000..acc49a0
--- /dev/null
+++ b/data/poi.profile
@@ -0,0 +1,93 @@
+# Firejail profile for poi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/poi.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+blacklist /run/user/*/bus
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/smolbote
+whitelist ${HOME}/.config/smolbote
+whitelist ${HOME}/.local/share/smolbote
+include /etc/firejail/whitelist-common.inc
+
+
+## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
+caps.drop all
+
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
+## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
+netfilter
+
+## nodvd - Disable access to optical disk drives.
+nodvd
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
+
+## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+nonewprivs
+
+## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
+noroot
+
+## notv - Disable access to DVB TV devices.
+notv
+
+# novideo - Disable access to video devices.
+novideo
+
+## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
+protocol unix,inet,inet6,netlink
+
+## seccomp - Blacklists a large swath of syscalls from being accessible.
+seccomp
+
+## shell - Run the program directly, without a user shell.
+shell none
+
+## tracelog - Log all viloations to syslog
+tracelog
+
+
+## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
+disable-mnt
+
+## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
+# bash required to launch from kde kickoff menu
+# QtWebEngine executes from /usr/lib which prevents usage of this option for now
+#private-bin bash,poi
+
+## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+private-dev
+
+## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,machine-id,resolv.conf
+
+## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+private-tmp
+
+
+## noexec - Prevent execution of files in the specified locations
+noexec ${HOME}
+noexec /tmp
diff --git a/linux/makepkg/PKGBUILD b/linux/makepkg/PKGBUILD
index e1ce4c8..d0e3b7f 100644
--- a/linux/makepkg/PKGBUILD
+++ b/linux/makepkg/PKGBUILD
@@ -13,6 +13,7 @@ license=('GPL3')
 replaces=('smolbote-git')
 depends=('qt5-webengine>=5.10.1' 'boost-libs>=1.66.0')
+optdepends=('firejail: launch a sandboxed instance')
 makedepends=('mercurial' 'cmake' 'pkg-config' 'ninja')
 # this is the central repository
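Review bot: The comment above `private-etc fonts,machine-id,resolv.conf` says the list covers "fonts, alsa audio, and dns resolution", but no alsa entry is in the list, so the comment and the directive disagree; `# Experimental: only fonts, machine-id (see the audio note under machine-id above) and dns resolution are exposed.` would describe what the line actually does. If certificate validation on the target system reads `/etc/ssl` or `/etc/ca-certificates`, those are also absent from the list, so it is worth confirming that HTTPS pages load under this profile before shipping it. The explanatory comments also carry typos (`nownewprivs`, `priviledges`, `viloations`), and the `novideo` entry uses a single `#` where every other option header uses `##`.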
@@ -94,6 +95,9 @@ package() {
 install -Dm644 "${srcdir}/smolbote-hg/data/poi.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/poi.svg"
 install -Dm644 "${srcdir}/smolbote-hg/linux/poi.desktop" "${pkgdir}/usr/share/applications/poi.desktop"
+ # firejail profile
+ install -Dm644 "${srcdir}/smolbote-hg/data/poi.profile" "${pkgdir}/usr/local/lib/smolbote/poi.profile"
+
 # man page
 _man_dir="$pkgdir/usr/local/man/man7"
 test -d $_man_dir || mkdir -p $_man_dir
diff --git a/linux/poi.desktop b/linux/poi.desktop
index 92fd7f3..4b25ccc 100644
--- a/linux/poi.desktop
+++ b/linux/poi.desktop
@@ -10,8 +10,12 @@ Type=Application
 MimeType=text/html;text/xml;application/xhtml+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
 Categories=Network;WebBrowser;
 Keywords=web;browser;internet;
-Actions=configure;
+Actions=configure;firejail
 [Desktop Action configure]
 Name=Configure smolbote
 Exec=/usr/local/bin/poi-config %u
+
+[Desktop Action firejail]
+Name=Start instance in firejail
+Exec=/usr/bin/firejail --profile=/usr/local/lib/smolbote/poi.profile poi --socket=/tmp/smolbote-firejail.socket
diff --git a/test/poi.profile b/test/poi.profile
deleted file mode 100644
index acc49a0..0000000
--- a/test/poi.profile
+++ /dev/null
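Review bot: The added install line writes the profile to `${pkgdir}/usr/local/lib/smolbote/poi.profile`, and `/usr/local` is a path that pacman packages are not expected to own (the man-page lines below already do this, but the new line extends it). The desktop action added in this commit hard-codes the same `/usr/local/lib/smolbote/poi.profile`, so the two locations have to move together; installing to `${pkgdir}/etc/firejail/poi.profile` would match the profile's own "overwritten after every install/update" header and its `include /etc/firejail/poi.local` line, and would let the action refer to the profile by name. The enclosing package() function starts before this hunk and continues after it.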
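Review bot: `Actions=configure;firejail` drops the terminating semicolon the previous value had, while the other list keys in this file (`MimeType`, `Categories`, `Keywords`) all keep it; `Actions=configure;firejail;` keeps the file consistent. In the new Exec line `firejail` and the profile are absolute paths but `poi` is resolved through PATH, whereas the configure action above uses `/usr/local/bin/poi-config`; presumably the browser binary lives at `/usr/local/bin/poi` and the line should name it. The fixed `--socket=/tmp/smolbote-firejail.socket` path ends up in the sandbox's own /tmp, since the profile sets `private-tmp` and `noexec /tmp`, so it cannot be squatted by or collide with an unsandboxed instance's socket, but it also means a second sandboxed launch will not find the first instance's socket; whether that is the intended single-instance behaviour depends on what poi does with `--socket`, which is not shown here.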
@@ -1,93 +0,0 @@
-# Firejail profile for poi
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/poi.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.cache/smolbote
-noblacklist ${HOME}/.config/smolbote
-noblacklist ${HOME}/.local/share/smolbote
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-blacklist /run/user/*/bus
-
-mkdir ${HOME}/.cache/smolbote
-mkdir ${HOME}/.config/smolbote
-mkdir ${HOME}/.local/share/smolbote
-
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/smolbote
-whitelist ${HOME}/.config/smolbote
-whitelist ${HOME}/.local/share/smolbote
-include /etc/firejail/whitelist-common.inc
-
-
-## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
-caps.drop all
-
-## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
-# Breaks audio
-# machine-id
-
-## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
-netfilter
-
-## nodvd - Disable access to optical disk drives.
-nodvd
-
-## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
-nogroups
-
-## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
-nonewprivs
-
-## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
-noroot
-
-## notv - Disable access to DVB TV devices.
-notv
-
-# novideo - Disable access to video devices.
-novideo
-
-## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
-protocol unix,inet,inet6,netlink
-
-## seccomp - Blacklists a large swath of syscalls from being accessible.
-seccomp
-
-## shell - Run the program directly, without a user shell.
-shell none
-
-## tracelog - Log all viloations to syslog
-tracelog
-
-
-## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
-disable-mnt
-
-## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
-# bash required to launch from kde kickoff menu
-# QtWebEngine executes from /usr/lib which prevents usage of this option for now
-#private-bin bash,poi
-
-## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
-private-dev
-
-## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
-# Experimental support for only fonts, alsa audio, and dns resolution.
-private-etc fonts,machine-id,resolv.conf
-
-## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
-private-tmp
-
-
-## noexec - Prevent execution of files in the specified locations
-noexec ${HOME}
-noexec /tmp
-- 
cgit v1.2.1