2 files changed, 120 insertions, 0 deletions
diff --git a/RELNOTES b/RELNOTES
index 9fa72d1d4..4eda50bc8 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.65) baseline; urgency=low
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs  compile time option
  * allow AF_BLUETOOTH via --protocol=bluetooth
+  * Setup guide for new users: contrib/firejail-welcome.sh
  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
  * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
  * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs
diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh
new file mode 100755
index 000000000..21425562d
--- /dev/null
+++ b/contrib/firejail-welcome.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+export LANG=en_US.UTF8
+zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
+Welcome to firejail!
+This is a quick setup guide for newbies.
+Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
+<proile-name>.local in ~/.config/firejal.
+Firejails own configuration can be found at /etc/firejail/firejail.config.
+Please note that running this script a second time can set new options, but does not unset options
+set in a previous run.
+Webiste: https://firejail.wordpress.com
+Bug-Tracker: https://github.com/netblue30/firejail/issues
+Documentation:
+- https://github.com/netblue30/firejail/wiki
+- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+- https://firejail.wordpress.com/documentation-2
+- man:firejail(1) and man:firejail-profile(5)
+PS: If you have any improvements for this script, open a issues or pull request.
+EOM
+[[ $? -eq 1 ]] && exit 0
+sed_scripts=()
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+EOM
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing ELFs which are located in \$HOME,
+is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
+DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
+allow there execution. Clearly, this may help an attacker to start malicious code.
+NOTE: Other software written in an interpreter language such as bash, python or java can always started from \$HOME.
+TIPP: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+EOM
+read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
+You maybe want to set some of these advanced options.
+EOM
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should the most programs started in firejail by default?</b></big>
+EOM
+read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
+In order to apply these changes, root right are required.
+You will now be asked to enter your password.
+EOM
+read -r -d $'\0' MSG_I_FINISH <<EOM
+🥳
+EOM
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+        sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+        sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
+        --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
+        --column="" --column=Option --column=Description <<EOM
+force-nonewprivs
+Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
+restricted-network
+Restrict all network related commands except 'net none' to root only.
+seccomp-error-action=kill
+Kill programs which violate seccomp rules (default: return a error).
+EOM
+)
+if [[ $advanced_options == *force-nonewprivs* ]]; then
+        sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+if [[ $advanced_options == *restricted-network* ]]; then
+        sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
+        sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+        run_firecfg=true
+fi
+zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
+if [[ -n "${sed_scripts[*]}" ]]; then
+        sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+        sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+sudo -k
+unset passwd
+zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"

diff --git a/RELNOTES b/RELNOTES index 9fa72d1d4..4eda50bc8 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.65) baseline; urgency=low
2	* allow --tmpfs inside $HOME for unprivileged users	2	* allow --tmpfs inside $HOME for unprivileged users
3	* --disable-usertmpfs compile time option	3	* --disable-usertmpfs compile time option
4	* allow AF_BLUETOOTH via --protocol=bluetooth	4	* allow AF_BLUETOOTH via --protocol=bluetooth
		5	* Setup guide for new users: contrib/firejail-welcome.sh
5	* new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer	6	* new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
6	* new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer	7	* new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
7	* new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs	8	* new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs


diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh new file mode 100755 index 000000000..21425562d --- /dev/null +++ b/contrib/firejail-welcome.sh
@@ -0,0 +1,119 @@
		1	#!/bin/bash
		2
		3	# This file is part of Firejail project
		4	# Copyright (C) 2014-2020 Firejail Authors
		5	# License GPL v2
		6
		7	export LANG=en_US.UTF8
		8
		9	zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
		10	Welcome to firejail!
		11
		12	This is a quick setup guide for newbies.
		13
		14	Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
		15	<proile-name>.local in ~/.config/firejal.
		16
		17	Firejails own configuration can be found at /etc/firejail/firejail.config.
		18
		19	Please note that running this script a second time can set new options, but does not unset options
		20	set in a previous run.
		21
		22	Webiste: https://firejail.wordpress.com
		23	Bug-Tracker: https://github.com/netblue30/firejail/issues
		24	Documentation:
		25	- https://github.com/netblue30/firejail/wiki
		26	- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
		27	- https://firejail.wordpress.com/documentation-2
		28	- man:firejail(1) and man:firejail-profile(5)
		29
		30	PS: If you have any improvements for this script, open a issues or pull request.
		31	EOM
		32	[[ $? -eq 1 ]] && exit 0
		33
		34	sed_scripts=()
		35
		36	read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
		37	<big><b>Should browsers be allowed to access u2f hardware?</b></big>
		38	EOM
		39
		40	read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
		41	<big><b>Should browsers be able to play DRM content?</b></big>
		42
		43	\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing ELFs which are located in \$HOME,
		44	is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
		45	DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
		46	allow there execution. Clearly, this may help an attacker to start malicious code.
		47
		48	NOTE: Other software written in an interpreter language such as bash, python or java can always started from \$HOME.
		49
		50	TIPP: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
		51	EOM
		52
		53	read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
		54	You maybe want to set some of these advanced options.
		55	EOM
		56
		57	read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
		58	<big><b>Should the most programs started in firejail by default?</b></big>
		59	EOM
		60
		61	read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
		62	In order to apply these changes, root right are required.
		63	You will now be asked to enter your password.
		64	EOM
		65
		66	read -r -d $'\0' MSG_I_FINISH <<EOM
		67	🥳
		68	EOM
		69
		70	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
		71	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
		72	fi
		73
		74	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
		75	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
		76	fi
		77
		78	advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
		79	--text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
		80	--column="" --column=Option --column=Description <<EOM
		81
		82	force-nonewprivs
		83	Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
		84
		85	restricted-network
		86	Restrict all network related commands except 'net none' to root only.
		87
		88	seccomp-error-action=kill
		89	Kill programs which violate seccomp rules (default: return a error).
		90	EOM
		91	)
		92
		93	if [[ $advanced_options == force-nonewprivs ]]; then
		94	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
		95	fi
		96	if [[ $advanced_options == restricted-network ]]; then
		97	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
		98	fi
		99	if [[ $advanced_options == seccomp-error-action=kill ]]; then
		100	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
		101	fi
		102
		103	if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
		104	run_firecfg=true
		105	fi
		106
		107	zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
		108
		109	passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
		110	if [[ -n "${sed_scripts[*]}" ]]; then
		111	sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; };
		112	fi
		113	if [[ "$run_firecfg" == "true" ]]; then
		114	sudo -S -p "" -- firecfg <<<"$passwd" \|\| { zenity --title=firejail-welcome.sh --error; exit 1; };
		115	fi
		116	sudo -k
		117	unset passwd
		118
		119	zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"