author | netblue30 <netblue30@protonmail.com> | 2022-04-21 11:41:40 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-04-21 11:41:40 -0400 |
commit | 62e33cfc37635d985c186c8e5aaf1101070f9ccf (patch) | |
tree | c65e64d5b425c2689446d583fc531f27a0b4701d | |
parent | firecfg --guide (diff) | |
more on firecfg --guide
-rwxr-xr-x | src/firecfg/firejail-welcome.sh | 217 | ||||
-rw-r--r-- | src/firecfg/main.c | 19 |
2 files changed, 162 insertions, 74 deletions
diff --git a/src/firecfg/firejail-welcome.sh b/src/firecfg/firejail-welcome.sh index c9b6c450b..a3e9713e4 100755 --- a/src/firecfg/firejail-welcome.sh +++ b/src/firecfg/firejail-welcome.sh | |||
@@ -3,126 +3,203 @@ | |||
3 | # This file is part of Firejail project | 3 | # This file is part of Firejail project |
4 | # Copyright (C) 2020-2022 Firejail Authors | 4 | # Copyright (C) 2020-2022 Firejail Authors |
5 | # License GPL v2 | 5 | # License GPL v2 |
6 | 6 | # | |
7 | if ! command -v zenity >/dev/null; then | 7 | # Usage: firejail-welcome PROGRAM SYSCONFDIR |
8 | echo "Please install zenity." | 8 | # where PROGRAM is detected and driven by firecfg. |
9 | exit 1 | 9 | # SYSCONFDIR is most of the time /etc/firejail. |
10 | fi | 10 | # |
11 | if ! command -v sudo >/dev/null; then | 11 | # The plan is to go with zenity by default. If zenity is not installed |
12 | echo "Please install sudo." | 12 | # we will provide a console-only replacement in /usr/lib/firejail/fzenity |
13 | # | ||
14 | |||
15 | PROGRAM=$1 | ||
16 | SYSCONFDIR=$2 | ||
17 | |||
18 | if ! command -v $PROGRAM >/dev/null; then | ||
19 | echo "Please install $PROGRAM." | ||
13 | exit 1 | 20 | exit 1 |
14 | fi | 21 | fi |
15 | 22 | ||
16 | export LANG=en_US.UTF8 | 23 | export LANG=en_US.UTF8 |
17 | 24 | ||
18 | zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM | 25 | TITLE="Firejail Configuration Guide" |
19 | Welcome to firejail! | 26 | sed_scripts=() |
27 | run_firecfg=false | ||
28 | enable_u2f=false | ||
29 | enable_drm=false | ||
30 | enable_seccomp_kill=false | ||
31 | enable_restricted_net=false | ||
32 | enable_nonewprivs=false | ||
20 | 33 | ||
21 | This is a quick setup guide for newbies. | 34 | #****************************************************** |
35 | # Intro | ||
36 | #****************************************************** | ||
37 | read -r -d $'\0' MSG_INTRO <<EOM | ||
38 | <big><b>Welcome to Firejail!</b></big> | ||
22 | 39 | ||
23 | Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named | ||
24 | <profile-name>.local in ~/.config/firejal. | ||
25 | 40 | ||
26 | Firejail's own configuration can be found at /etc/firejail/firejail.config. | 41 | This guide will walk you through some of the most common sandbox customizations. At the end of the guide you'll have the option to save your changes in Firejail's global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is stored as <b>/etc/firejal/firejail.config-</b>. |
27 | 42 | ||
28 | Please note that running this script a second time can set new options, but does not unset options | 43 | Please note that running this script a second time can set new options, but does not clear options set in a previous run. |
29 | set in a previous run. | ||
30 | 44 | ||
31 | Website: https://firejail.wordpress.com | 45 | Press OK to continue, or close this window to stop the program. |
32 | Bug-Tracker: https://github.com/netblue30/firejail/issues | ||
33 | Documentation: | ||
34 | - https://github.com/netblue30/firejail/wiki | ||
35 | - https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions | ||
36 | - https://firejail.wordpress.com/documentation-2 | ||
37 | - man:firejail(1) and man:firejail-profile(5) | ||
38 | 46 | ||
39 | PS: If you have any improvements for this script, open an issue or pull request. | ||
40 | EOM | 47 | EOM |
48 | $PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO" | ||
41 | [[ $? -eq 1 ]] && exit 0 | 49 | [[ $? -eq 1 ]] && exit 0 |
42 | 50 | ||
43 | sed_scripts=() | 51 | #****************************************************** |
52 | # symlinks | ||
53 | #****************************************************** | ||
54 | read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM | ||
55 | <big><b>Should most programs be sandboxed by default?</b></big> | ||
56 | |||
57 | Currently, Firejail recognizes more than 1000 regular desktop programs. These programs | ||
58 | can be sandboxed automatically when you start them. | ||
59 | |||
60 | EOM | ||
61 | |||
62 | if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then | ||
63 | run_firecfg=true | ||
64 | fi | ||
65 | [[ $? -eq 1 ]] && exit 0 | ||
44 | 66 | ||
67 | #****************************************************** | ||
68 | # U2F | ||
69 | #****************************************************** | ||
45 | read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM | 70 | read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM |
46 | <big><b>Should browsers be allowed to access u2f hardware?</b></big> | 71 | <big><b>Should browsers be allowed to access u2f hardware?</b></big> |
72 | |||
73 | Universal Two-Factor (U2F) devices are used as a password store for online | ||
74 | accounts. These devices usually come in a form of a USB key. | ||
75 | |||
47 | EOM | 76 | EOM |
48 | 77 | ||
78 | if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then | ||
79 | enable_u2f=true | ||
80 | sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/") | ||
81 | fi | ||
82 | |||
83 | #****************************************************** | ||
84 | # DRM | ||
85 | #****************************************************** | ||
49 | read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM | 86 | read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM |
50 | <big><b>Should browsers be able to play DRM content?</b></big> | 87 | <big><b>Should browsers be able to play DRM content?</b></big> |
51 | 88 | ||
52 | \$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME, | 89 | The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications. |
53 | is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary | 90 | This means that executing programs located in your home directory is forbidden. |
54 | DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to | 91 | |
55 | allow their execution. Clearly, this may help an attacker to start malicious code. | 92 | Browsers install proprietary DRM plug-ins such as Widevine in your home directory. |
93 | In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This | ||
94 | may give the people developing and distributing the plug-in access to your private | ||
95 | data. | ||
56 | 96 | ||
57 | NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME. | 97 | NOTE: Software written in an interpreted language such as bash, python or java can |
98 | always be started from home directory. | ||
58 | 99 | ||
59 | HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs. | 100 | HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs. |
60 | EOM | ||
61 | 101 | ||
62 | read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM | ||
63 | You maybe want to set some of these advanced options. | ||
64 | EOM | 102 | EOM |
65 | 103 | ||
66 | read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM | 104 | if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then |
67 | <big><b>Should most programs be started in firejail by default?</b></big> | 105 | enable_drm=true |
68 | EOM | 106 | sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/") |
107 | fi | ||
108 | |||
109 | #****************************************************** | ||
110 | # nonewprivs | ||
111 | #****************************************************** | ||
112 | read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM | ||
113 | <big><b>Should we force nonweprivs by default?</b></big> | ||
114 | |||
115 | nonewprivs is a Linux kernel feature that prevents programs from rising privileges. | ||
116 | It is also a strong mitigation against exploits in Firejail. However, some programs | ||
117 | like chromium, wireshark, or even ping might not work. | ||
118 | |||
119 | NOTE: seccomp enables nonewprivs automatically. Most applications supported by | ||
120 | default by Firejail are using seccomp. | ||
69 | 121 | ||
70 | read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM | ||
71 | In order to apply these changes, root privileges are required. | ||
72 | You will now be asked to enter your password. | ||
73 | EOM | 122 | EOM |
74 | 123 | ||
75 | read -r -d $'\0' MSG_I_FINISH <<EOM | 124 | if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then |
76 | 🥳 | 125 | enable_nonewprivs=true |
126 | sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/") | ||
127 | fi | ||
128 | |||
129 | #****************************************************** | ||
130 | # restricted network | ||
131 | #****************************************************** | ||
132 | read -r -d $'\0' MSG_Q_NETWORK <<EOM | ||
133 | <big><b>Should we restrict network functionality?</b></big> | ||
134 | |||
135 | Restrict all network related commands except '<tt>net none</tt>' to root only. | ||
136 | |||
77 | EOM | 137 | EOM |
78 | 138 | ||
79 | if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then | 139 | if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then |
80 | sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/") | 140 | enable_restricted_net=true |
141 | sed_scripts+=("-e s/# restricted-network no/restricted-network yes/") | ||
81 | fi | 142 | fi |
82 | 143 | ||
83 | if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then | 144 | #****************************************************** |
84 | sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/") | 145 | # seccomp kill |
146 | #****************************************************** | ||
147 | read -r -d $'\0' MSG_Q_SECCOMP <<EOM | ||
148 | <big><b>Should we kill programs that violate seccomp rules?</b></big> | ||
149 | |||
150 | By default seccomp prevents the program from running the syscall and returns an error. | ||
151 | |||
152 | EOM | ||
153 | |||
154 | if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then | ||
155 | enable_seccomp_kill=true | ||
156 | sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/") | ||
85 | fi | 157 | fi |
86 | 158 | ||
87 | advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \ | ||
88 | --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \ | ||
89 | --column="" --column=Option --column=Description <<EOM | ||
90 | 159 | ||
91 | force-nonewprivs | ||
92 | Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore. | ||
93 | 160 | ||
94 | restricted-network | ||
95 | Restrict all network related commands except 'net none' to root only. | ||
96 | 161 | ||
97 | seccomp-error-action=kill | 162 | #****************************************************** |
98 | Kill programs which violate seccomp rules (default: return a error). | 163 | # root |
164 | #****************************************************** | ||
165 | read -r -d $'\0' MSG_RUN <<EOM | ||
166 | Now, I will apply the changes. This is what I will do: | ||
99 | EOM | 167 | EOM |
100 | ) | ||
101 | 168 | ||
102 | if [[ $advanced_options == *force-nonewprivs* ]]; then | 169 | MSG_RUN+="\\n\\n" |
103 | sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/") | 170 | if [[ "$run_firecfg" == "true" ]]; then |
171 | MSG_RUN+=" * enable Firejail for all recognized programs\\n" | ||
104 | fi | 172 | fi |
105 | if [[ $advanced_options == *restricted-network* ]]; then | 173 | if [[ "$enable_u2f" == "true" ]]; then |
106 | sed_scripts+=("-e s/# restricted-network no/restricted-network yes/") | 174 | MSG_RUN+=" * allow browsers to access U2F devices\\n" |
107 | fi | 175 | fi |
108 | if [[ $advanced_options == *seccomp-error-action=kill* ]]; then | 176 | if [[ "$enable_drm" == "true" ]]; then |
109 | sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/") | 177 | MSG_RUN+=" * allow browsers to play DRM content\\n" |
110 | fi | 178 | fi |
111 | 179 | if [[ "$enable_nonewprivs" == "true" ]]; then | |
112 | if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then | 180 | MSG_RUN+=" * enable nonewprivs globally\\n" |
113 | run_firecfg=true | ||
114 | fi | 181 | fi |
182 | if [[ "$enable_restricted_net" == "true" ]]; then | ||
183 | MSG_RUN+=" * restrict networking features\\n" | ||
184 | fi | ||
185 | if [[ "$enable_seccomp_kill" == "true" ]]; then | ||
186 | MSG_RUN+=" * enable seccomp kill\\n" | ||
187 | fi | ||
188 | MSG_RUN+="\\n\\nPress OK to continue, or close this window to stop the program." | ||
115 | 189 | ||
116 | zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED" | 190 | $PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN" |
191 | [[ $? -eq 1 ]] && exit 0 | ||
117 | 192 | ||
118 | passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK) | ||
119 | if [[ -n "${sed_scripts[*]}" ]]; then | 193 | if [[ -n "${sed_scripts[*]}" ]]; then |
120 | sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; }; | 194 | cp $SYSCONFDIR/firejail.config $SYSCONFDIR/firejail.config- |
195 | sed -i "${sed_scripts[@]}" $SYSCONFDIR/firejail.config | ||
121 | fi | 196 | fi |
122 | if [[ "$run_firecfg" == "true" ]]; then | 197 | if [[ "$run_firecfg" == "true" ]]; then |
123 | sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; }; | 198 | # return 55 to inform firecfg symlinks are desired |
199 | exit 55 | ||
124 | fi | 200 | fi |
125 | sudo -k | ||
126 | unset passwd | ||
127 | 201 | ||
128 | zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH" | 202 | #****************************************************** |
203 | # all done | ||
204 | #****************************************************** | ||
205 | exit 0 | ||
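Review bot: The root-privileged write at new lines 194–195 (`cp …` then `sed -i …`) neither quotes `$SYSCONFDIR` nor checks that the backup copy succeeded, so a failed `cp` still lets `sed -i` rewrite the live config; since firecfg launches this script under `sudo`, the block should be `cp -- "$SYSCONFDIR/firejail.config" "$SYSCONFDIR/firejail.config-" || exit 1` followed by `sed -i "${sed_scripts[@]}" -- "$SYSCONFDIR/firejail.config" || exit 1`. The `[[ $? -eq 1 ]] && exit 0` at new line 65 comes after a `fi`, so `$?` is the status of the whole `if` compound (0 whether or not the branch ran) and the window-close escape it intends never fires; test the dialog's status inside an `if`/`else` instead, as the other prompts already rely only on the branch. Two typos reach users: the backup path in MSG_INTRO reads `/etc/firejal/firejail.config-` (new line 41) and the nonewprivs heading reads `nonweprivs` (new line 113).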
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 0072c2768..19f2573f3 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #include "../include/firejail_user.h" | 22 | #include "../include/firejail_user.h" |
23 | int arg_debug = 0; | 23 | int arg_debug = 0; |
24 | char *arg_bindir = "/usr/local/bin"; | 24 | char *arg_bindir = "/usr/local/bin"; |
25 | int arg_guide = 0; | ||
25 | 26 | ||
26 | static char *usage_str = | 27 | static char *usage_str = |
27 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" | 28 | "Firecfg is the desktop configuration utility for Firejail software. The utility\n" |
@@ -375,8 +376,7 @@ int main(int argc, char **argv) { | |||
375 | return 0; | 376 | return 0; |
376 | } | 377 | } |
377 | else if (strcmp(argv[i], "--guide") == 0) { | 378 | else if (strcmp(argv[i], "--guide") == 0) { |
378 | return system(LIBDIR "/firejail/firejail-welcome.sh"); | 379 | arg_guide = 1; |
379 | return 0; | ||
380 | } | 380 | } |
381 | else if (strcmp(argv[i], "--list") == 0) { | 381 | else if (strcmp(argv[i], "--list") == 0) { |
382 | list(); | 382 | list(); |
@@ -442,6 +442,19 @@ int main(int argc, char **argv) { | |||
442 | umask(orig_umask); | 442 | umask(orig_umask); |
443 | } | 443 | } |
444 | 444 | ||
445 | if (arg_guide) { | ||
446 | int status = system("sudo "LIBDIR "/firejail/firejail-welcome.sh zenity " SYSCONFDIR); | ||
447 | if (status == -1) { | ||
448 | fprintf(stderr, "Error: cannot run firejail-welcome.sh\n"); | ||
449 | exit(1); | ||
450 | } | ||
451 | |||
452 | // the last 8 bits of the status is the return value of the command executed by system() | ||
453 | // firejail-welcome.sh returns 55 if setting sysmlinks is required | ||
454 | if (WEXITSTATUS(status) != 55) | ||
455 | return 0; | ||
456 | } | ||
457 | |||
445 | // clear all symlinks | 458 | // clear all symlinks |
446 | clean(); | 459 | clean(); |
447 | 460 | ||
@@ -473,8 +486,6 @@ int main(int argc, char **argv) { | |||
473 | #endif | 486 | #endif |
474 | } | 487 | } |
475 | 488 | ||
476 | |||
477 | |||
478 | // set new symlinks based on ~/.config/firejail directory | 489 | // set new symlinks based on ~/.config/firejail directory |
479 | set_links_homedir(home); | 490 | set_links_homedir(home); |
480 | 491 | ||
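Review bot: `WEXITSTATUS(status)` at new line 454 is read without first checking `WIFEXITED(status)`, and every exit code other than 55 — including a failed `sudo` or a script that exited 1 because zenity is missing — makes firecfg `return 0` as if the guide had completed. Since the script exits 0 on success or cancel and 55 to request symlinks, the check should be `if (!WIFEXITED(status) || (WEXITSTATUS(status) != 0 && WEXITSTATUS(status) != 55)) { fprintf(stderr, "Error: firejail-welcome.sh failed\n"); exit(1); }` followed by the existing `if (WEXITSTATUS(status) != 55) return 0;`. These macros need `<sys/wait.h>`; the include block and the start of `main` are outside this hunk, so confirm it is present. Passing the `sudo` command line through `system()` also routes it via `/bin/sh`; the path is a compile-time constant here, but a `posix_spawn`/`execvp`-style call with an explicit argv would avoid the shell entirely. The comment on new line 453 reads `sysmlinks`.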