author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-12-11 17:03:56 +0100 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-12-11 17:03:56 +0100 |
commit | e8d31279d489dc09343b0c01a807c54dbb1c6ed1 (patch) | |
tree | 70dfdf68f0204a15a3d0e41f2771cf9d11f9aed1 | |
parent | fix audio/video play in yelp.profile (diff) | |
Create firejail-welcome.s
fix #3797 -- Get rid of all these u2f and drm issues
-rw-r--r-- | RELNOTES | 1 | ||||
-rwxr-xr-x | contrib/firejail-welcome.sh | 119 |
2 files changed, 120 insertions, 0 deletions
@@ -2,6 +2,7 @@ firejail (0.9.65) baseline; urgency=low | |||
2 | * allow --tmpfs inside $HOME for unprivileged users | 2 | * allow --tmpfs inside $HOME for unprivileged users |
3 | * --disable-usertmpfs compile time option | 3 | * --disable-usertmpfs compile time option |
4 | * allow AF_BLUETOOTH via --protocol=bluetooth | 4 | * allow AF_BLUETOOTH via --protocol=bluetooth |
5 | * Setup guide for new users: contrib/firejail-welcome.sh | ||
5 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer | 6 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer |
6 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer | 7 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer |
7 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs | 8 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs |
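diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh
new file mode 100755
index 000000000..21425562d
--- /dev/null
+++ b/contrib/firejail-welcome.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+export LANG=en_US.UTF8
+
+zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
+Welcome to firejail!
+
+This is a quick setup guide for newbies.
+
+Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
+<proile-name>.local in ~/.config/firejal.
+
+Firejails own configuration can be found at /etc/firejail/firejail.config.
+
+Please note that running this script a second time can set new options, but does not unset options
+set in a previous run.
+
+Webiste: https://firejail.wordpress.com
+Bug-Tracker: https://github.com/netblue30/firejail/issues
+Documentation:
+ - https://github.com/netblue30/firejail/wiki
+ - https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+ - https://firejail.wordpress.com/documentation-2
+ - man:firejail(1) and man:firejail-profile(5)
+
+PS: If you have any improvements for this script, open a issues or pull request.
+EOM
+[[ $? -eq 1 ]] && exit 0
+
+sed_scripts=()
+
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+EOM
+
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+
+\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing ELFs which are located in \$HOME,
+is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
+DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
+allow there execution. Clearly, this may help an attacker to start malicious code.
+
+NOTE: Other software written in an interpreter language such as bash, python or java can always started from \$HOME.
+
+TIPP: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+EOM
+
+read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
+You maybe want to set some of these advanced options.
+EOM
+
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should the most programs started in firejail by default?</b></big>
+EOM
+
+read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
+In order to apply these changes, root right are required.
+You will now be asked to enter your password.
+EOM
+
+read -r -d $'\0' MSG_I_FINISH <<EOM
+🥳
+EOM
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+
+advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
+	--text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
+	--column="" --column=Option --column=Description <<EOM
+
+force-nonewprivs
+Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
+
+restricted-network
+Restrict all network related commands except 'net none' to root only.
+
+seccomp-error-action=kill
+Kill programs which violate seccomp rules (default: return a error).
+EOM
+)
+
+if [[ $advanced_options == *force-nonewprivs* ]]; then
+	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+if [[ $advanced_options == *restricted-network* ]]; then
+	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
+	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+	run_firecfg=true
+fi
+
+zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+
+passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
+if [[ -n "${sed_scripts[*]}" ]]; then
+	sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+	sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+sudo -k
+unset passwd
+
+zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"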
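Review bot: The exit status of the `--password` dialog (`passwd=$(zenity ... --password --cancel-label=OK)`) is never checked, so a cancelled or closed dialog leaves `passwd` empty and the script still runs `sudo -S` against /etc/firejail/firejail.config and firecfg with that empty value; `passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK) || exit 0` would stop there, though the relabelled cancel button makes the intended flow unclear and is worth confirming. The two `<<<"$passwd"` here-strings also hand the password to sudo through a construct that bash releases before 5.1 back with a temporary file under $TMPDIR; `printf '%s\n' "$passwd" | sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config` keeps it on a pipe, and printf is a builtin so the value never appears in argv. Each `sed_scripts` element bundles `-e` and the expression into one word (`"-e s/…/…/"`), which only works because GNU sed tolerates leading whitespace in a command; `sed_scripts+=(-e "s/# browser-disable-u2f yes/browser-disable-u2f no/")` is the conventional form and applies to all five `sed_scripts+=` lines. Finally, only status 1 from the first zenity call (`[[ $? -eq 1 ]] && exit 0`) ends the script, so a missing zenity binary (status 127) falls through to every later dialog; a `command -v zenity >/dev/null || exit 1` guard near the top would fail early.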