1 files changed, 204 insertions, 0 deletions
diff --git a/src/firecfg/firejail-welcome.sh b/src/firecfg/firejail-welcome.sh
new file mode 100755
index 000000000..a7e74ebc3
--- /dev/null
+++ b/src/firecfg/firejail-welcome.sh
@@ -0,0 +1,204 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2020-2022 Firejail Authors
+# License GPL v2
+#
+# Usage: firejail-welcome PROGRAM SYSCONFDIR USER_NAME
+# where PROGRAM is detected and driven by firecfg.
+# SYSCONFDIR is most of the time /etc/firejail.
+#
+# The plan is to go with zenity by default. If zenity is not installed
+# we will provide a console-only replacement in /usr/lib/firejail/fzenity
+#
+if ! command -v "$1" >/dev/null; then
+        echo "Please install $1."
+        exit 1
+fi
+PROGRAM="sudo -u $3 $1"
+SYSCONFDIR=$2
+export LANG=en_US.UTF8
+TITLE="Firejail Configuration Guide"
+sed_scripts=()
+run_firecfg=false
+enable_u2f=false
+enable_drm=false
+enable_seccomp_kill=false
+enable_restricted_net=false
+enable_nonewprivs=false
+#******************************************************
+# Intro
+#******************************************************
+read -r -d $'\0' MSG_INTRO <<EOM
+<big><b>Welcome to Firejail!</b></big>
+This guide will walk you through some of the most common sandbox customizations.
+At the end of the guide you'll have the option to save your changes in Firejail's
+global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is saved
+as <b>/etc/firejal/firejail.config-</b>.
+Please note that running this script a second time can set new options, but does
+not clear options set in a previous run.
+Press OK to continue, or close this window to stop the program.
+EOM
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO"
+[[ $? -eq 1 ]] && exit 0
+#******************************************************
+# symlinks
+#******************************************************
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be sandboxed by default?</b></big>
+Currently, Firejail recognizes more than 1000 regular desktop programs. These programs
+can be sandboxed automatically when you start them.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+        run_firecfg=true
+fi
+#******************************************************
+# U2F
+#******************************************************
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+Universal Two-Factor (U2F) devices are used as a password store for online
+accounts. These devices usually come in a form of a USB key.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+        enable_u2f=true
+        sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+#******************************************************
+# DRM
+#******************************************************
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications.
+This means that executing programs located in your home directory is forbidden.
+Browsers install proprietary DRM plug-ins such as Widevine in your home directory.
+In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This
+may give the people developing and distributing the plug-in access to your private
+data.
+NOTE: Software written in an interpreted language such as bash, python or java can
+always be started from home directory.
+HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+        enable_drm=true
+        sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+#******************************************************
+# nonewprivs
+#******************************************************
+read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM
+<big><b>Should we force nonweprivs by default?</b></big>
+nonewprivs is a Linux kernel feature that prevents programs from rising privileges.
+It is also a strong mitigation against exploits in Firejail. However, some programs
+like chromium, wireshark, or even ping might not work.
+NOTE: seccomp enables nonewprivs automatically. Most applications supported by
+default by Firejail are using seccomp.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then
+        enable_nonewprivs=true
+        sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+#******************************************************
+# restricted network
+#******************************************************
+read -r -d $'\0' MSG_Q_NETWORK <<EOM
+<big><b>Should we restrict network functionality?</b></big>
+Restrict all network related commands except '<tt>net none</tt>' to root only.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then
+        enable_restricted_net=true
+        sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+#******************************************************
+# seccomp kill
+#******************************************************
+read -r -d $'\0' MSG_Q_SECCOMP <<EOM
+<big><b>Should we kill programs that violate seccomp rules?</b></big>
+By default seccomp prevents the program from running the syscall and returns an error.
+EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then
+        enable_seccomp_kill=true
+        sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+#******************************************************
+# root
+#******************************************************
+read -r -d $'\0' MSG_RUN <<EOM
+Now, I will apply the changes. This is what I will do:
+EOM
+MSG_RUN+="\n\n"
+if [[ "$run_firecfg" == "true" ]]; then
+        MSG_RUN+="     * enable Firejail for all recognized programs\n"
+fi
+if [[ "$enable_u2f" == "true" ]]; then
+        MSG_RUN+="     * allow browsers to access U2F devices\n"
+fi
+if [[ "$enable_drm" == "true" ]]; then
+        MSG_RUN+="     * allow browsers to play DRM content\n"
+fi
+if [[ "$enable_nonewprivs" == "true" ]]; then
+        MSG_RUN+="     * enable nonewprivs globally\n"
+fi
+if [[ "$enable_restricted_net" == "true" ]]; then
+        MSG_RUN+="     * restrict networking features\n"
+fi
+if [[ "$enable_seccomp_kill" == "true" ]]; then
+        MSG_RUN+="     * enable seccomp kill\n"
+fi
+MSG_RUN+="\n\nPress OK to continue, or close this window to stop the program."
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN"
+[[ $? -eq 1 ]] && exit 0
+if [[ -n "${sed_scripts[*]}" ]]; then
+        cp "$SYSCONFDIR"/firejail.config "$SYSCONFDIR"/firejail.config-
+        sed -i "${sed_scripts[@]}" "$SYSCONFDIR"/firejail.config
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+        # return 55 to inform firecfg symlinks are desired
+        exit 55
+fi
+#******************************************************
+# all done
+#******************************************************
+exit 0

diff --git a/src/firecfg/firejail-welcome.sh b/src/firecfg/firejail-welcome.sh new file mode 100755 index 000000000..a7e74ebc3 --- /dev/null +++ b/src/firecfg/firejail-welcome.sh
@@ -0,0 +1,204 @@
	1	#!/bin/bash
	2
	3	# This file is part of Firejail project
	4	# Copyright (C) 2020-2022 Firejail Authors
	5	# License GPL v2
	6	#
	7	# Usage: firejail-welcome PROGRAM SYSCONFDIR USER_NAME
	8	# where PROGRAM is detected and driven by firecfg.
	9	# SYSCONFDIR is most of the time /etc/firejail.
	10	#
	11	# The plan is to go with zenity by default. If zenity is not installed
	12	# we will provide a console-only replacement in /usr/lib/firejail/fzenity
	13	#
	14
	15	if ! command -v "$1" >/dev/null; then
	16	echo "Please install $1."
	17	exit 1
	18	fi
	19
	20	PROGRAM="sudo -u $3 $1"
	21	SYSCONFDIR=$2
	22	export LANG=en_US.UTF8
	23
	24	TITLE="Firejail Configuration Guide"
	25	sed_scripts=()
	26	run_firecfg=false
	27	enable_u2f=false
	28	enable_drm=false
	29	enable_seccomp_kill=false
	30	enable_restricted_net=false
	31	enable_nonewprivs=false
	32
	33	#******************************************************
	34	# Intro
	35	#******************************************************
	36	read -r -d $'\0' MSG_INTRO <<EOM
	37	<big><b>Welcome to Firejail!</b></big>
	38
	39	This guide will walk you through some of the most common sandbox customizations.
	40	At the end of the guide you'll have the option to save your changes in Firejail's
	41	global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is saved
	42	as <b>/etc/firejal/firejail.config-</b>.
	43
	44	Please note that running this script a second time can set new options, but does
	45	not clear options set in a previous run.
	46
	47	Press OK to continue, or close this window to stop the program.
	48
	49	EOM
	50	$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO"
	51	[[ $? -eq 1 ]] && exit 0
	52
	53	#******************************************************
	54	# symlinks
	55	#******************************************************
	56	read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
	57	<big><b>Should most programs be sandboxed by default?</b></big>
	58
	59	Currently, Firejail recognizes more than 1000 regular desktop programs. These programs
	60	can be sandboxed automatically when you start them.
	61
	62	EOM
	63
	64	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
	65	run_firecfg=true
	66	fi
	67
	68	#******************************************************
	69	# U2F
	70	#******************************************************
	71	read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
	72	<big><b>Should browsers be allowed to access u2f hardware?</b></big>
	73
	74	Universal Two-Factor (U2F) devices are used as a password store for online
	75	accounts. These devices usually come in a form of a USB key.
	76
	77	EOM
	78
	79	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
	80	enable_u2f=true
	81	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
	82	fi
	83
	84	#******************************************************
	85	# DRM
	86	#******************************************************
	87	read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
	88	<big><b>Should browsers be able to play DRM content?</b></big>
	89
	90	The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications.
	91	This means that executing programs located in your home directory is forbidden.
	92
	93	Browsers install proprietary DRM plug-ins such as Widevine in your home directory.
	94	In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This
	95	may give the people developing and distributing the plug-in access to your private
	96	data.
	97
	98	NOTE: Software written in an interpreted language such as bash, python or java can
	99	always be started from home directory.
	100
	101	HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
	102
	103	EOM
	104
	105	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
	106	enable_drm=true
	107	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
	108	fi
	109
	110	#******************************************************
	111	# nonewprivs
	112	#******************************************************
	113	read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM
	114	<big><b>Should we force nonweprivs by default?</b></big>
	115
	116	nonewprivs is a Linux kernel feature that prevents programs from rising privileges.
	117	It is also a strong mitigation against exploits in Firejail. However, some programs
	118	like chromium, wireshark, or even ping might not work.
	119
	120	NOTE: seccomp enables nonewprivs automatically. Most applications supported by
	121	default by Firejail are using seccomp.
	122
	123	EOM
	124
	125	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then
	126	enable_nonewprivs=true
	127	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
	128	fi
	129
	130	#******************************************************
	131	# restricted network
	132	#******************************************************
	133	read -r -d $'\0' MSG_Q_NETWORK <<EOM
	134	<big><b>Should we restrict network functionality?</b></big>
	135
	136	Restrict all network related commands except '<tt>net none</tt>' to root only.
	137
	138	EOM
	139
	140	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then
	141	enable_restricted_net=true
	142	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
	143	fi
	144
	145	#******************************************************
	146	# seccomp kill
	147	#******************************************************
	148	read -r -d $'\0' MSG_Q_SECCOMP <<EOM
	149	<big><b>Should we kill programs that violate seccomp rules?</b></big>
	150
	151	By default seccomp prevents the program from running the syscall and returns an error.
	152
	153	EOM
	154
	155	if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then
	156	enable_seccomp_kill=true
	157	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
	158	fi
	159
	160	#******************************************************
	161	# root
	162	#******************************************************
	163	read -r -d $'\0' MSG_RUN <<EOM
	164	Now, I will apply the changes. This is what I will do:
	165
	166
	167	EOM
	168	MSG_RUN+="\n\n"
	169	if [[ "$run_firecfg" == "true" ]]; then
	170	MSG_RUN+=" * enable Firejail for all recognized programs\n"
	171	fi
	172	if [[ "$enable_u2f" == "true" ]]; then
	173	MSG_RUN+=" * allow browsers to access U2F devices\n"
	174	fi
	175	if [[ "$enable_drm" == "true" ]]; then
	176	MSG_RUN+=" * allow browsers to play DRM content\n"
	177	fi
	178	if [[ "$enable_nonewprivs" == "true" ]]; then
	179	MSG_RUN+=" * enable nonewprivs globally\n"
	180	fi
	181	if [[ "$enable_restricted_net" == "true" ]]; then
	182	MSG_RUN+=" * restrict networking features\n"
	183	fi
	184	if [[ "$enable_seccomp_kill" == "true" ]]; then
	185	MSG_RUN+=" * enable seccomp kill\n"
	186	fi
	187	MSG_RUN+="\n\nPress OK to continue, or close this window to stop the program."
	188
	189	$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN"
	190	[[ $? -eq 1 ]] && exit 0
	191
	192	if [[ -n "${sed_scripts[*]}" ]]; then
	193	cp "$SYSCONFDIR"/firejail.config "$SYSCONFDIR"/firejail.config-
	194	sed -i "${sed_scripts[@]}" "$SYSCONFDIR"/firejail.config
	195	fi
	196	if [[ "$run_firecfg" == "true" ]]; then
	197	# return 55 to inform firecfg symlinks are desired
	198	exit 55
	199	fi
	200
	201	#******************************************************
	202	# all done
	203	#******************************************************
	204	exit 0