
Update .desktop and .profile

Aqua-sama 1 week ago
parent
commit
4acf3ad913
Signed by: Aqua-sama <aqua@iserlohn-fortress.net> GPG Key ID: 5378B8349C1D5ADA
5 changed files with 148 additions and 9 deletions
  1. 108
    0
      linux/poi-debug.profile
  2. 7
    3
      linux/poi.desktop.in
  3. 9
    2
      linux/poi.profile
  4. 13
    0
      linux/poi_ps.desktop.in
  5. 11
    4
      src/meson.build

+ 108
- 0
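--- a/linux/poi-debug.profile
+++ b/linux/poi-debug.profile
@@ -0,0 +1,108 @@
+# Firejail profile for poi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/poi.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# noblacklist: exclude from blacklist
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
+
+# whitelist: only show folders that are whitelisted
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.cache/smolbote
+#whitelist ${HOME}/.config/smolbote
+#whitelist ${HOME}/.local/share/smolbote
+#include /etc/firejail/whitelist-common.inc
+
+## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
+caps.drop all
+
+## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
+# Breaks audio
+# ipc-namespace
+
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
+## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
+netfilter
+
+## nodbus - Disable access to dbus.
+nodbus
+
+## nodvd - Disable access to optical disk drives.
+nodvd
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
+
+##  nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+nonewprivs
+
+## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
+noroot
+
+## notv - Disable access to DVB TV devices.
+notv
+
+# novideo - Disable access to video devices.
+novideo
+
+## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
+protocol unix,inet,inet6,netlink
+
+## seccomp - Blacklists a large swath of syscalls from being accessible.
+#seccomp
+## Use seccomp.drop for now as seccomp is broken with many programs.
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
+
+## shell - Run the program directly, without a user shell.
+# breaks secondary instances when using join-or-start after shell=none
+#shell none
+
+## tracelog - Log all viloations to syslog.
+tracelog
+
+
+## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
+disable-mnt
+
+## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
+# bash required to launch from kde kickoff menu
+#private-bin bash,poi
+
+## private-dev - Create a virtual /dev directory. Only dri,  null,  full,  zero,  tty,  pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+private-dev
+
+## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,group,machine-id,resolv.conf
+
+## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+# breaks SingleApplication without join-or-start set
+private-tmp
+
+
+## noexec - Prevent execution of files in the specified locations
+#noexec ${HOME}
+noexec /tmp
+
+
+# join-or-start - Join the sandbox identified by name or start a new one
+join-or-start poi
+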
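Review bot: `join-or-start poi` at the end of this profile reuses the sandbox name that linux/poi.profile also sets in this commit, so an instance launched with one profile joins a sandbox created under the other. This debug profile leaves `noexec ${HOME}` commented out while poi.profile enforces it, so whichever instance starts first appears to decide the restrictions every later instance runs under. A distinct name here, `join-or-start poi-debug`, would keep the two sandboxes apart. The first line still reads `# Firejail profile for poi`; something like `# Firejail debug profile for poi (relaxed: ${HOME} is not noexec)` would tell a reader how this file differs.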

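--- a/linux/poi.desktop
+++ b/linux/poi.desktop.in
@@ -3,7 +3,7 @@ Version=1.0
 Name=poi
 GenericName=Web Browser
 Comment=yet another no-frills browser
-Exec=/usr/local/bin/poi %u
+Exec=@exec_poi@ %u
 Icon=poi
 Terminal=false
 Type=Application
@@ -12,10 +12,14 @@ Categories=Network;WebBrowser;
 Keywords=web;browser;internet;
 Actions=configure;firejail
 
+[Desktop Action pickSession]
+Name=Pick Session
+Exec=@exec_poi@ --pick-session
+
 [Desktop Action configure]
 Name=Configure smolbote
-Exec=/usr/local/bin/poi configure
+Exec=@exec_poi@ configure
 
 [Desktop Action firejail]
 Name=Start instance in firejail
-Exec=/usr/bin/firejail --profile=/usr/local/lib/smolbote/poi.profile poi --socket=/tmp/smolbote-firejail.socket
+Exec=/usr/bin/firejail --profile=@profile_path@ @exec_poi@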
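Review bot: The new `[Desktop Action pickSession]` group is not listed in the `Actions=configure;firejail` key, which this change leaves untouched, so launchers that follow the Desktop Entry specification will not offer it. The key should become `Actions=pickSession;configure;firejail`. Separately, the firejail action is the only sandboxed entry point and its `Exec` carries no `%u`; if links are never meant to open in the sandboxed instance from this entry, a comment above it saying so would help.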

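--- a/data/poi.profile
+++ b/linux/poi.profile
@@ -5,7 +5,7 @@ include /etc/firejail/poi.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
+# noblacklist: exclude from blacklist
 noblacklist ${HOME}/.cache/smolbote
 noblacklist ${HOME}/.config/smolbote
 noblacklist ${HOME}/.local/share/smolbote
@@ -72,7 +72,8 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
 
 ## shell - Run the program directly, without a user shell.
-shell none
+# breaks secondary instances when using join-or-start after shell=none
+#shell none
 
 ## tracelog - Log all viloations to syslog.
 tracelog
@@ -93,9 +94,15 @@ private-dev
 private-etc fonts,group,machine-id,resolv.conf
 
 ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+# breaks SingleApplication without join-or-start set
 private-tmp
 
 
 ## noexec - Prevent execution of files in the specified locations
 noexec ${HOME}
 noexec /tmp
+
+
+# join-or-start - Join the sandbox identified by name or start a new one
+join-or-start poi
+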
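Review bot: Commenting out `shell none` (new line 76) gives up the hardening described on the line above it, starting the program directly rather than through a user shell, and the replacement comment does not say what is lost. I would record the trade-off where it is made, e.g. `# disabled: join-or-start cannot attach secondary instances with shell none, so poi is launched through the user's shell`. The same option is commented out in linux/poi-debug.profile, so the wording should match there.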

+ 13
- 0
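--- a/linux/poi_ps.desktop.in
+++ b/linux/poi_ps.desktop.in
@@ -0,0 +1,13 @@
+[Desktop Entry]
+Version=1.0
+Name=smolbote (Pick Session)
+GenericName=Web Browser
+Comment=yet another no-frills browser
+Exec=@exec_poi@ --pick-session
+Icon=poi
+Terminal=false
+Type=Application
+MimeType=text/html;text/xml;application/xhtml+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
+Categories=Network;WebBrowser;
+Keywords=web;browser;internet;
+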
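Review bot: This entry advertises `x-scheme-handler/http` and `x-scheme-handler/https` in `MimeType`, but `Exec=@exec_poi@ --pick-session` has no `%u`, so when a desktop picks it as the handler for a link the URL is not passed to the browser. If the session picker accepts a URL (not visible here), add the field code: `Exec=@exec_poi@ --pick-session %u`. Otherwise drop the `MimeType` line so that only poi.desktop registers as a handler. Two entries claiming the same schemes also make it depend on the user's default-application settings which one opens links.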

+ 11
- 4
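--- a/src/meson.build
+++ b/src/meson.build
@@ -49,9 +49,16 @@ poi = executable(get_option('poiName'), install: true,
     'wallet/wallet.cpp', 'wallet/wallet.h']
 )
 
-# install .desktop file and firejail profile
-if ['linux', 'freebsd', 'netbsd', 'dragonflybsd'].contains(host_machine.system())
+# install .desktop file and firejail profile for systems in this array
+if ['linux'].contains(host_machine.system())
+    conf = configuration_data()
+    conf.set('exec_poi', join_paths(get_option('prefix'), get_option('bindir'), get_option('poiName')))
+    conf.set('profile_path', join_paths(get_option('prefix'), get_option('libdir'), 'smolbote', 'poi.profile'))
+
     install_data('../data/poi.svg', install_dir: join_paths(get_option('datadir'), 'icons/hicolor/scalable/apps'))
-    install_data('../linux/poi.desktop', install_dir: join_paths(get_option('datadir'), 'applications'))
-    install_data('../data/poi.profile', install_dir: join_paths(get_option('libdir'), 'smolbote'))
+    install_data('../linux/poi.profile', install_dir: join_paths(get_option('libdir'), 'smolbote'))
+
+    configure_file(input: '../linux/poi.desktop.in', output: 'poi.desktop', configuration: conf, install_dir: join_paths(get_option('datadir'), 'applications'))
+    configure_file(input: '../linux/poi_ps.desktop.in', output: 'poi_ps.desktop', configuration: conf, install_dir: join_paths(get_option('datadir'), 'applications'))
+
 endif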
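Review bot: Narrowing the list to `['linux']` also stops installing the icon and both .desktop files on FreeBSD, NetBSD and DragonFly, although only the firejail profile and the `/usr/bin/firejail` action are Linux-specific. This may be deliberate, since the generated poi.desktop embeds the firejail action. If it is not, keep the original list for the icon and desktop entries and guard only the profile with `if host_machine.system() == 'linux'`. linux/poi-debug.profile is added by this commit but no `install_data` line installs it; a comment such as `# poi-debug.profile is not installed; pass it with firejail --profile= from the source tree` would record that this is intended.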
