From 4443655c13cbc437df71afbe16e4cd22ae6892bb Mon Sep 17 00:00:00 2001 From: Aqua-sama Date: Mon, 10 Dec 2018 17:53:09 +0100 Subject: Add separate firejail .desktop --- linux/firejail/poi-debug.profile | 109 +++++++++++++++++++++++++++++++++++++++ linux/firejail/poi.profile | 109 +++++++++++++++++++++++++++++++++++++++ linux/makepkg/PKGBUILD | 16 +++--- linux/poi-debug.profile | 109 --------------------------------------- linux/poi.profile | 109 --------------------------------------- linux/poi_firejail.desktop.in | 13 +++++ linux/poi_picksession.desktop.in | 13 +++++ linux/poi_ps.desktop.in | 13 ----- 8 files changed, 252 insertions(+), 239 deletions(-) create mode 100644 linux/firejail/poi-debug.profile create mode 100644 linux/firejail/poi.profile delete mode 100644 linux/poi-debug.profile delete mode 100644 linux/poi.profile create mode 100644 linux/poi_firejail.desktop.in create mode 100644 linux/poi_picksession.desktop.in delete mode 100644 linux/poi_ps.desktop.in (limited to 'linux') diff --git a/linux/firejail/poi-debug.profile b/linux/firejail/poi-debug.profile new file mode 100644 index 0000000..2a65a69 --- /dev/null +++ b/linux/firejail/poi-debug.profile @@ -0,0 +1,109 @@ +# Firejail profile for poi +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/poi.local +# Persistent global definitions +include /etc/firejail/globals.local + +# noblacklist: exclude from blacklist +noblacklist ${HOME}/.cache/smolbote +noblacklist ${HOME}/.config/smolbote +noblacklist ${HOME}/.local/share/smolbote + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-xdg.inc + +mkdir ${HOME}/.cache/smolbote +mkdir ${HOME}/.config/smolbote +mkdir ${HOME}/.local/share/smolbote + +# whitelist: only show folders that are whitelisted +#whitelist ${DOWNLOADS} +#whitelist ${HOME}/.cache/smolbote +#whitelist ${HOME}/.config/smolbote +#whitelist ${HOME}/.local/share/smolbote +#include /etc/firejail/whitelist-common.inc + +## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid +caps.drop all + +## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user. +# Breaks audio +# ipc-namespace + +## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id. +# Breaks audio +# machine-id + +## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. +netfilter + +## nodbus - Disable access to dbus. +nodbus + +## nodvd - Disable access to optical disk drives. +nodvd + +## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. +nogroups + +## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. +nonewprivs + +## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. +noroot + +## notv - Disable access to DVB TV devices. +notv + +# novideo - Disable access to video devices. +novideo + +## protocol - Only allows sockets of the following types. Not supported on i386 architecture. +protocol unix,inet,inet6,netlink + +## seccomp - Blacklists a large swath of syscalls from being accessible. +#seccomp +## Use seccomp.drop for now as seccomp is broken with many programs. +seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace + +## shell - Run the program directly, without a user shell. +# breaks secondary instances when using join-or-start after shell=none +#shell none + +## tracelog - Log all viloations to syslog. +tracelog + + +## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media +disable-mnt + +## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. +# bash required to launch from kde kickoff menu +# breaks if installed to /usr/local +#private-bin bash,poi + +## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. +private-dev + +## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. +# Experimental support for only fonts, alsa audio, and dns resolution. +private-etc fonts,group,machine-id,resolv.conf + +## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. +# breaks SingleApplication without join-or-start set +private-tmp + + +## noexec - Prevent execution of files in the specified locations +#noexec ${HOME} +noexec /tmp + + +# join-or-start - Join the sandbox identified by name or start a new one +join-or-start poi + diff --git a/linux/firejail/poi.profile b/linux/firejail/poi.profile new file mode 100644 index 0000000..5b8073d --- /dev/null +++ b/linux/firejail/poi.profile @@ -0,0 +1,109 @@ +# Firejail profile for poi +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/poi.local +# Persistent global definitions +include /etc/firejail/globals.local + +# noblacklist: exclude from blacklist +noblacklist ${HOME}/.cache/smolbote +noblacklist ${HOME}/.config/smolbote +noblacklist ${HOME}/.local/share/smolbote + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-xdg.inc + +mkdir ${HOME}/.cache/smolbote +mkdir ${HOME}/.config/smolbote +mkdir ${HOME}/.local/share/smolbote + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.cache/smolbote +whitelist ${HOME}/.config/smolbote +whitelist ${HOME}/.local/share/smolbote +include /etc/firejail/whitelist-common.inc + + +## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid +caps.drop all + +## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user. +# Breaks audio +# ipc-namespace + +## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id. +# Breaks audio +# machine-id + +## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. +netfilter + +## nodbus - Disable access to dbus. +nodbus + +## nodvd - Disable access to optical disk drives. +nodvd + +## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. +nogroups + +## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. +nonewprivs + +## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. +noroot + +## notv - Disable access to DVB TV devices. +notv + +# novideo - Disable access to video devices. +novideo + +## protocol - Only allows sockets of the following types. Not supported on i386 architecture. +protocol unix,inet,inet6,netlink + +## seccomp - Blacklists a large swath of syscalls from being accessible. +#seccomp +## Use seccomp.drop for now as seccomp is broken with many programs. +seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace + +## shell - Run the program directly, without a user shell. +# breaks secondary instances when using join-or-start after shell=none +#shell none + +## tracelog - Log all viloations to syslog. +tracelog + + +## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media +disable-mnt + +## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. +# bash required to launch from kde kickoff menu +# breaks if installed to /usr/local +#private-bin bash,poi + +## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. +private-dev + +## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. +# Experimental support for only fonts, alsa audio, and dns resolution. +private-etc fonts,group,machine-id,resolv.conf + +## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. +# breaks SingleApplication without join-or-start set +private-tmp + + +## noexec - Prevent execution of files in the specified locations +noexec ${HOME} +noexec /tmp + + +# join-or-start - Join the sandbox identified by name or start a new one +join-or-start poi + diff --git a/linux/makepkg/PKGBUILD b/linux/makepkg/PKGBUILD index 67b0245..55eb000 100644 --- a/linux/makepkg/PKGBUILD +++ b/linux/makepkg/PKGBUILD @@ -75,13 +75,13 @@ package() { cd $srcdir/build DESTDIR="$pkgdir" ninja install - msg Creating signing key in $srcdir/build/gpg - mkdir $srcdir/build/gpg - gpg2 --homedir=$srcdir/build/gpg --batch --generate-key $srcdir/smolbote/tools/gpgkey.preset - - msg Signing plugins - for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do - gpg2 --homedir=$srcdir/build/gpg --batch --yes --local-user=smolbote@localhost --detach-sign --output=$so.sig $so - done + #msg Creating signing key in $srcdir/build/gpg + #mkdir $srcdir/build/gpg + #gpg2 --homedir=$srcdir/build/gpg --batch --generate-key $srcdir/smolbote/tools/gpgkey.preset + + #msg Signing plugins + #for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do + # gpg2 --homedir=$srcdir/build/gpg --batch --yes --local-user=smolbote@localhost --detach-sign --output=$so.sig $so + #done } diff --git a/linux/poi-debug.profile b/linux/poi-debug.profile deleted file mode 100644 index 2a65a69..0000000 --- a/linux/poi-debug.profile +++ /dev/null @@ -1,109 +0,0 @@ -# Firejail profile for poi -# This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/poi.local -# Persistent global definitions -include /etc/firejail/globals.local - -# noblacklist: exclude from blacklist -noblacklist ${HOME}/.cache/smolbote -noblacklist ${HOME}/.config/smolbote -noblacklist ${HOME}/.local/share/smolbote - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-interpreters.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-xdg.inc - -mkdir ${HOME}/.cache/smolbote -mkdir ${HOME}/.config/smolbote -mkdir ${HOME}/.local/share/smolbote - -# whitelist: only show folders that are whitelisted -#whitelist ${DOWNLOADS} -#whitelist ${HOME}/.cache/smolbote -#whitelist ${HOME}/.config/smolbote -#whitelist ${HOME}/.local/share/smolbote -#include /etc/firejail/whitelist-common.inc - -## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid -caps.drop all - -## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user. -# Breaks audio -# ipc-namespace - -## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id. -# Breaks audio -# machine-id - -## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. -netfilter - -## nodbus - Disable access to dbus. -nodbus - -## nodvd - Disable access to optical disk drives. -nodvd - -## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. -nogroups - -## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. -nonewprivs - -## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. -noroot - -## notv - Disable access to DVB TV devices. -notv - -# novideo - Disable access to video devices. -novideo - -## protocol - Only allows sockets of the following types. Not supported on i386 architecture. -protocol unix,inet,inet6,netlink - -## seccomp - Blacklists a large swath of syscalls from being accessible. -#seccomp -## Use seccomp.drop for now as seccomp is broken with many programs. -seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace - -## shell - Run the program directly, without a user shell. -# breaks secondary instances when using join-or-start after shell=none -#shell none - -## tracelog - Log all viloations to syslog. -tracelog - - -## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media -disable-mnt - -## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. -# bash required to launch from kde kickoff menu -# breaks if installed to /usr/local -#private-bin bash,poi - -## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. -private-dev - -## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. -# Experimental support for only fonts, alsa audio, and dns resolution. -private-etc fonts,group,machine-id,resolv.conf - -## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. -# breaks SingleApplication without join-or-start set -private-tmp - - -## noexec - Prevent execution of files in the specified locations -#noexec ${HOME} -noexec /tmp - - -# join-or-start - Join the sandbox identified by name or start a new one -join-or-start poi - diff --git a/linux/poi.profile b/linux/poi.profile deleted file mode 100644 index 5b8073d..0000000 --- a/linux/poi.profile +++ /dev/null @@ -1,109 +0,0 @@ -# Firejail profile for poi -# This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/poi.local -# Persistent global definitions -include /etc/firejail/globals.local - -# noblacklist: exclude from blacklist -noblacklist ${HOME}/.cache/smolbote -noblacklist ${HOME}/.config/smolbote -noblacklist ${HOME}/.local/share/smolbote - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-interpreters.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-xdg.inc - -mkdir ${HOME}/.cache/smolbote -mkdir ${HOME}/.config/smolbote -mkdir ${HOME}/.local/share/smolbote - -whitelist ${DOWNLOADS} -whitelist ${HOME}/.cache/smolbote -whitelist ${HOME}/.config/smolbote -whitelist ${HOME}/.local/share/smolbote -include /etc/firejail/whitelist-common.inc - - -## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid -caps.drop all - -## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user. -# Breaks audio -# ipc-namespace - -## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id. -# Breaks audio -# machine-id - -## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. -netfilter - -## nodbus - Disable access to dbus. -nodbus - -## nodvd - Disable access to optical disk drives. -nodvd - -## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. -nogroups - -## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. -nonewprivs - -## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. -noroot - -## notv - Disable access to DVB TV devices. -notv - -# novideo - Disable access to video devices. -novideo - -## protocol - Only allows sockets of the following types. Not supported on i386 architecture. -protocol unix,inet,inet6,netlink - -## seccomp - Blacklists a large swath of syscalls from being accessible. -#seccomp -## Use seccomp.drop for now as seccomp is broken with many programs. -seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace - -## shell - Run the program directly, without a user shell. -# breaks secondary instances when using join-or-start after shell=none -#shell none - -## tracelog - Log all viloations to syslog. -tracelog - - -## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media -disable-mnt - -## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. -# bash required to launch from kde kickoff menu -# breaks if installed to /usr/local -#private-bin bash,poi - -## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. -private-dev - -## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. -# Experimental support for only fonts, alsa audio, and dns resolution. -private-etc fonts,group,machine-id,resolv.conf - -## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. -# breaks SingleApplication without join-or-start set -private-tmp - - -## noexec - Prevent execution of files in the specified locations -noexec ${HOME} -noexec /tmp - - -# join-or-start - Join the sandbox identified by name or start a new one -join-or-start poi - diff --git a/linux/poi_firejail.desktop.in b/linux/poi_firejail.desktop.in new file mode 100644 index 0000000..aab41b4 --- /dev/null +++ b/linux/poi_firejail.desktop.in @@ -0,0 +1,13 @@ +[Desktop Entry] +Version=1.0 +Name=poi (in firejail) +GenericName=Web Browser +Comment=yet another no-frills browser +Exec=/usr/bin/firejail --profile=@profile_path@ @exec_poi@ %u +Icon=poi +Terminal=false +Type=Application +MimeType=text/html;text/xml;application/xhtml+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https; +Categories=Network;WebBrowser; +Keywords=web;browser;internet; + diff --git a/linux/poi_picksession.desktop.in b/linux/poi_picksession.desktop.in new file mode 100644 index 0000000..7cfb7a9 --- /dev/null +++ b/linux/poi_picksession.desktop.in @@ -0,0 +1,13 @@ +[Desktop Entry] +Version=1.0 +Name=smolbote (Pick Session) +GenericName=Web Browser +Comment=yet another no-frills browser +Exec=@exec_poi@ --pick-session +Icon=poi +Terminal=false +Type=Application +MimeType=text/html;text/xml;application/xhtml+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https; +Categories=Network;WebBrowser; +Keywords=web;browser;internet; + diff --git a/linux/poi_ps.desktop.in b/linux/poi_ps.desktop.in deleted file mode 100644 index 7cfb7a9..0000000 --- a/linux/poi_ps.desktop.in +++ /dev/null @@ -1,13 +0,0 @@ -[Desktop Entry] -Version=1.0 -Name=smolbote (Pick Session) -GenericName=Web Browser -Comment=yet another no-frills browser -Exec=@exec_poi@ --pick-session -Icon=poi -Terminal=false -Type=Application -MimeType=text/html;text/xml;application/xhtml+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https; -Categories=Network;WebBrowser; -Keywords=web;browser;internet; - -- cgit v1.2.1