From 62e33cfc37635d985c186c8e5aaf1101070f9ccf Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@protonmail.com>
Date: Thu, 21 Apr 2022 11:41:40 -0400
Subject: more on firecfg --guide

---
 src/firecfg/firejail-welcome.sh | 217 +++++++++++++++++++++++++++-------------
 src/firecfg/main.c              |  19 +++-
 2 files changed, 162 insertions(+), 74 deletions(-)

diff --git a/src/firecfg/firejail-welcome.sh b/src/firecfg/firejail-welcome.sh
index c9b6c450b..a3e9713e4 100755
--- a/src/firecfg/firejail-welcome.sh
+++ b/src/firecfg/firejail-welcome.sh
@@ -3,126 +3,203 @@
 # This file is part of Firejail project
 # Copyright (C) 2020-2022 Firejail Authors
 # License GPL v2
-
-if ! command -v zenity >/dev/null; then
-	echo "Please install zenity."
-	exit 1
-fi
-if ! command -v sudo >/dev/null; then
-	echo "Please install sudo."
+#
+# Usage: firejail-welcome PROGRAM SYSCONFDIR
+# where PROGRAM is detected and driven by firecfg.
+# SYSCONFDIR is most of the time /etc/firejail.
+#
+# The plan is to go with zenity by default. If zenity is not installed
+# we will provide a console-only replacement in /usr/lib/firejail/fzenity
+#
+
+PROGRAM=$1
+SYSCONFDIR=$2
+
+if ! command -v $PROGRAM >/dev/null; then
+	echo "Please install $PROGRAM."
 	exit 1
 fi
 
 export LANG=en_US.UTF8
 
-zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
-Welcome to firejail!
+TITLE="Firejail Configuration Guide"
+sed_scripts=()
+run_firecfg=false
+enable_u2f=false
+enable_drm=false
+enable_seccomp_kill=false
+enable_restricted_net=false
+enable_nonewprivs=false
 
-This is a quick setup guide for newbies.
+#******************************************************
+# Intro
+#******************************************************
+read -r -d $'\0' MSG_INTRO <<EOM
+<big><b>Welcome to Firejail!</b></big>
 
-Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
-<profile-name>.local in ~/.config/firejal.
 
-Firejail's own configuration can be found at /etc/firejail/firejail.config.
+This guide will walk you through some of the most common sandbox customizations. At the end of the guide you'll have the option to save your changes in Firejail's global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is stored as <b>/etc/firejal/firejail.config-</b>.
 
-Please note that running this script a second time can set new options, but does not unset options
-set in a previous run.
+Please note that running this script a second time can set new options, but does not clear options set in a previous run.
 
-Website: https://firejail.wordpress.com
-Bug-Tracker: https://github.com/netblue30/firejail/issues
-Documentation:
-- https://github.com/netblue30/firejail/wiki
-- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
-- https://firejail.wordpress.com/documentation-2
-- man:firejail(1) and man:firejail-profile(5)
+Press OK to continue, or close this window to stop the program.
 
-PS: If you have any improvements for this script, open an issue or pull request.
 EOM
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO"
 [[ $? -eq 1 ]] && exit 0
 
-sed_scripts=()
+#******************************************************
+# symlinks
+#******************************************************
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be sandboxed by default?</b></big>
+
+Currently, Firejail recognizes more than 1000 regular desktop programs. These programs
+can be sandboxed automatically when you start them.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+	run_firecfg=true
+fi
+[[ $? -eq 1 ]] && exit 0
 
+#******************************************************
+# U2F
+#******************************************************
 read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
 <big><b>Should browsers be allowed to access u2f hardware?</b></big>
+
+Universal Two-Factor (U2F) devices are used as a password store for online
+accounts. These devices usually come in a form of a USB key.
+
 EOM
 
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+	enable_u2f=true
+	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+
+#******************************************************
+# DRM
+#******************************************************
 read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
 <big><b>Should browsers be able to play DRM content?</b></big>
 
-\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
-is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
-DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
-allow their execution. Clearly, this may help an attacker to start malicious code.
+The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications.
+This means that executing programs located in your home directory is forbidden.
+
+Browsers install proprietary DRM plug-ins such as Widevine in your home directory.
+In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This
+may give the people developing and distributing the plug-in access to your private
+data.
 
-NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
+NOTE: Software written in an interpreted language such as bash, python or java can
+always be started from home directory.
 
 HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
-EOM
 
-read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
-You maybe want to set some of these advanced options.
 EOM
 
-read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
-<big><b>Should most programs be started in firejail by default?</b></big>
-EOM
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+	enable_drm=true
+	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+
+#******************************************************
+# nonewprivs
+#******************************************************
+read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM
+<big><b>Should we force nonweprivs by default?</b></big>
+
+nonewprivs is a Linux kernel feature that prevents programs from rising privileges.
+It is also a strong mitigation against exploits in Firejail. However, some programs
+like chromium, wireshark, or even ping might not work.
+
+NOTE: seccomp enables nonewprivs automatically. Most applications supported by
+default by Firejail are using seccomp.
 
-read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
-In order to apply these changes, root privileges are required.
-You will now be asked to enter your password.
 EOM
 
-read -r -d $'\0' MSG_I_FINISH <<EOM
-🥳
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then
+	enable_nonewprivs=true
+	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+
+#******************************************************
+# restricted network
+#******************************************************
+read -r -d $'\0' MSG_Q_NETWORK <<EOM
+<big><b>Should we restrict network functionality?</b></big>
+
+Restrict all network related commands except '<tt>net none</tt>' to root only.
+
 EOM
 
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
-	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then
+	enable_restricted_net=true
+	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
 fi
 
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
-	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+#******************************************************
+# seccomp kill
+#******************************************************
+read -r -d $'\0' MSG_Q_SECCOMP <<EOM
+<big><b>Should we kill programs that violate seccomp rules?</b></big>
+
+By default seccomp prevents the program from running the syscall and returns an error.
+
+EOM
+
+if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then
+	enable_seccomp_kill=true
+	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
 fi
 
-advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
-	--text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
-	--column="" --column=Option --column=Description <<EOM
 
-force-nonewprivs
-Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
 
-restricted-network
-Restrict all network related commands except 'net none' to root only.
 
-seccomp-error-action=kill
-Kill programs which violate seccomp rules (default: return a error).
+#******************************************************
+# root
+#******************************************************
+read -r -d $'\0' MSG_RUN <<EOM
+Now, I will apply the changes. This is what I will do:
 EOM
-)
 
-if [[ $advanced_options == *force-nonewprivs* ]]; then
-	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+MSG_RUN+="\\n\\n"
+if [[ "$run_firecfg" == "true" ]]; then
+	MSG_RUN+="     * enable Firejail for all recognized programs\\n"
 fi
-if [[ $advanced_options == *restricted-network* ]]; then
-	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+if [[ "$enable_u2f" == "true" ]]; then
+	MSG_RUN+="     * allow browsers to access U2F devices\\n"
 fi
-if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
-	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+if [[ "$enable_drm" == "true" ]]; then
+	MSG_RUN+="     * allow browsers to play DRM content\\n"
 fi
-
-if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
-	run_firecfg=true
+if [[ "$enable_nonewprivs" == "true" ]]; then
+	MSG_RUN+="     * enable nonewprivs globally\\n"
 fi
+if [[ "$enable_restricted_net" == "true" ]]; then
+	MSG_RUN+="     * restrict networking features\\n"
+fi
+if [[ "$enable_seccomp_kill" == "true" ]]; then
+	MSG_RUN+="     * enable seccomp kill\\n"
+fi
+MSG_RUN+="\\n\\nPress OK to continue, or close this window to stop the program."
 
-zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN"
+[[ $? -eq 1 ]] && exit 0
 
-passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
 if [[ -n "${sed_scripts[*]}" ]]; then
-	sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+	cp $SYSCONFDIR/firejail.config $SYSCONFDIR/firejail.config-
+	sed -i "${sed_scripts[@]}" $SYSCONFDIR/firejail.config
 fi
 if [[ "$run_firecfg" == "true" ]]; then
-	sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+	# return 55 to inform firecfg symlinks are desired
+	exit 55
 fi
-sudo -k
-unset passwd
 
-zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
+#******************************************************
+# all done
+#******************************************************
+exit 0
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 0072c2768..19f2573f3 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -22,6 +22,7 @@
 #include "../include/firejail_user.h"
 int arg_debug = 0;
 char *arg_bindir = "/usr/local/bin";
+int arg_guide = 0;
 
 static char *usage_str =
 	"Firecfg is the desktop configuration utility for Firejail software. The utility\n"
@@ -375,8 +376,7 @@ int main(int argc, char **argv) {
 			return 0;
 		}
 		else if (strcmp(argv[i], "--guide") == 0) {
-			return system(LIBDIR "/firejail/firejail-welcome.sh");
-			return 0;
+			arg_guide = 1;
 		}
 		else if (strcmp(argv[i], "--list") == 0) {
 			list();
@@ -442,6 +442,19 @@ int main(int argc, char **argv) {
 		umask(orig_umask);
 	}
 
+	if (arg_guide) {
+		int status = system("sudo "LIBDIR "/firejail/firejail-welcome.sh zenity " SYSCONFDIR);
+		if (status == -1) {
+			fprintf(stderr, "Error: cannot run firejail-welcome.sh\n");
+			exit(1);
+		}
+
+		// the last 8 bits of the status is the return value of the command executed by system()
+		// firejail-welcome.sh returns 55 if setting sysmlinks is required
+		if (WEXITSTATUS(status)  != 55)
+			return 0;
+	}
+
 	// clear all symlinks
 	clean();
 
@@ -473,8 +486,6 @@ int main(int argc, char **argv) {
 #endif
 	}
 
-
-
 	// set new symlinks based on ~/.config/firejail directory
 	set_links_homedir(home);
 
-- 
cgit v1.2.3-70-g09d2