author | netblue30 <netblue30@protonmail.com> | 2020-12-12 20:52:50 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-12 20:52:50 -0500 |
commit | e634257a855b7dd1b8852272b1507bc4677724b0 (patch) | |
tree | eec05a4373fcfb6b350530f816ebd02932f22fe3 | |
parent | drill profile (diff) | |
parent | Update firejail-welcome.sh (diff) | |
Merge pull request #3812 from rusty-snake/fix-3797--firejail-welcome.sh
Create firejail-welcome.s
-rw-r--r-- | RELNOTES | 1 | ||||
-rwxr-xr-x | contrib/firejail-welcome.sh | 128 |
2 files changed, 129 insertions, 0 deletions
@@ -2,6 +2,7 @@ firejail (0.9.65) baseline; urgency=low | |||
2 | * allow --tmpfs inside $HOME for unprivileged users | 2 | * allow --tmpfs inside $HOME for unprivileged users |
3 | * --disable-usertmpfs compile time option | 3 | * --disable-usertmpfs compile time option |
4 | * allow AF_BLUETOOTH via --protocol=bluetooth | 4 | * allow AF_BLUETOOTH via --protocol=bluetooth |
5 | * Setup guide for new users: contrib/firejail-welcome.sh | ||
5 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer | 6 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer |
6 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer | 7 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer |
7 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs | 8 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs |
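--- /dev/null
+++ b/contrib/firejail-welcome.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# This file is part of Firejail project
+# Copyright (C) 2020 Firejail Authors
+# License GPL v2
+
+if ! command -v zenity >/dev/null; then
+echo "Please install zenity."
+exit 1
+fi
+if ! command -v sudo >/dev/null; then
+echo "Please install sudo."
+exit 1
+fi
+
+export LANG=en_US.UTF8
+
+zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
+Welcome to firejail!
+
+This is a quick setup guide for newbies.
+
+Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
+<profile-name>.local in ~/.config/firejal.
+
+Firejail's own configuration can be found at /etc/firejail/firejail.config.
+
+Please note that running this script a second time can set new options, but does not unset options
+set in a previous run.
+
+Website: https://firejail.wordpress.com
+Bug-Tracker: https://github.com/netblue30/firejail/issues
+Documentation:
+- https://github.com/netblue30/firejail/wiki
+- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+- https://firejail.wordpress.com/documentation-2
+- man:firejail(1) and man:firejail-profile(5)
+
+PS: If you have any improvements for this script, open an issue or pull request.
+EOM
+[[ $? -eq 1 ]] && exit 0
+
+sed_scripts=()
+
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+EOM
+
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+
+\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
+is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
+DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
+allow their execution. Clearly, this may help an attacker to start malicious code.
+
+NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
+
+HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+EOM
+
+read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
+You maybe want to set some of these advanced options.
+EOM
+
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be started in firejail by default?</b></big>
+EOM
+
+read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
+In order to apply these changes, root privileges are required.
+You will now be asked to enter your password.
+EOM
+
+read -r -d $'\0' MSG_I_FINISH <<EOM
+🥳
+EOM
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+
+advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
+--text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
+--column="" --column=Option --column=Description <<EOM
+
+force-nonewprivs
+Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
+
+restricted-network
+Restrict all network related commands except 'net none' to root only.
+
+seccomp-error-action=kill
+Kill programs which violate seccomp rules (default: return a error).
+EOM
+)
+
+if [[ $advanced_options == *force-nonewprivs* ]]; then
+sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+if [[ $advanced_options == *restricted-network* ]]; then
+sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
+sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+run_firecfg=true
+fi
+
+zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+
+passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
+if [[ -n "${sed_scripts[*]}" ]]; then
+sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+sudo -k
+unset passwd
+
+zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"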
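Review bot: The exit status of the password prompt at `passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)` is never checked, so a cancelled dialog leaves `passwd` empty and the script still pipes it into `sudo -S` for the config edit and `firecfg`, ending in an error dialog rather than a clean stop; `passwd=$(zenity --title=firejail-welcome.sh --password) || exit 0` would treat cancel the same way the welcome dialog does and keeps the button label honest. Worth a comment next to the two `<<<"$passwd"` lines: in bash releases before 5.1 a here-string is backed by a temporary file, so the password can briefly touch `$TMPDIR`, and the `unset passwd` after `sudo -k` is skipped on the `exit 1` error paths (the process ends there, so the exposure is only the lifetime of the shell). The welcome text also points users at `~/.config/firejal`, which should read `~/.config/firejail` to match the `<profile-name>.local` lookup it describes.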