1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
|
#!/bin/bash
# This file is part of Firejail project
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
#
# Usage: firejail-welcome PROGRAM SYSCONFDIR USER_NAME
# where PROGRAM is detected and driven by firecfg.
# SYSCONFDIR is most of the time /etc/firejail.
#
# The plan is to go with zenity by default. If zenity is not installed
# we will provide a console-only replacement in /usr/lib/firejail/fzenity
#
if ! command -v "$1" >/dev/null; then
echo "Please install $1."
exit 1
fi
PROGRAM="sudo -u $3 $1"
SYSCONFDIR=$2
export LANG=en_US.UTF8
TITLE="Firejail Configuration Guide"
sed_scripts=()
run_firecfg=false
enable_u2f=false
enable_drm=false
enable_seccomp_kill=false
enable_restricted_net=false
enable_nonewprivs=false
#******************************************************
# Intro
#******************************************************
read -r -d $'\0' MSG_INTRO <<EOM
<big><b>Welcome to Firejail!</b></big>
This guide will walk you through some of the most common sandbox customizations.
At the end of the guide you'll have the option to save your changes in Firejail's
global config file at <b>/etc/firejail/firejail.config</b>. A copy of the original file is saved
as <b>/etc/firejal/firejail.config-</b>.
Please note that running this script a second time can set new options, but does
not clear options set in a previous run.
Press OK to continue, or close this window to stop the program.
EOM
$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_INTRO"
[[ $? -eq 1 ]] && exit 0
#******************************************************
# symlinks
#******************************************************
read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
<big><b>Should most programs be sandboxed by default?</b></big>
Currently, Firejail recognizes more than 1000 regular desktop programs. These programs
can be sandboxed automatically when you start them.
EOM
if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
run_firecfg=true
fi
#******************************************************
# U2F
#******************************************************
read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
<big><b>Should browsers be allowed to access u2f hardware?</b></big>
Universal Two-Factor (U2F) devices are used as a password store for online
accounts. These devices usually come in a form of a USB key.
EOM
if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
enable_u2f=true
sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
fi
#******************************************************
# DRM
#******************************************************
read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
<big><b>Should browsers be able to play DRM content?</b></big>
The home directory is <tt>noexec,nodev,nosuid</tt> by default for most applications.
This means that executing programs located in your home directory is forbidden.
Browsers install proprietary DRM plug-ins such as Widevine in your home directory.
In order to use them, your home must be mounted <tt>exec</tt> inside the sandbox. This
may give the people developing and distributing the plug-in access to your private
data.
NOTE: Software written in an interpreted language such as bash, python or java can
always be started from home directory.
HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
EOM
if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
enable_drm=true
sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
fi
#******************************************************
# nonewprivs
#******************************************************
read -r -d $'\0' MSG_Q_NONEWPRIVS <<EOM
<big><b>Should we force nonewprivs by default?</b></big>
nonewprivs is a Linux kernel feature that prevents programs from rising privileges.
It is also a strong mitigation against exploits in Firejail. However, some programs
like chromium, wireshark, or even ping might not work.
NOTE: seccomp enables nonewprivs automatically. Most applications supported by
default by Firejail are using seccomp.
EOM
if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NONEWPRIVS"; then
enable_nonewprivs=true
sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
fi
#******************************************************
# restricted network
#******************************************************
read -r -d $'\0' MSG_Q_NETWORK <<EOM
<big><b>Should we restrict network functionality?</b></big>
Restrict all network related commands except '<tt>net none</tt>' to root only.
EOM
if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_NETWORK"; then
enable_restricted_net=true
sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
fi
#******************************************************
# seccomp kill
#******************************************************
read -r -d $'\0' MSG_Q_SECCOMP <<EOM
<big><b>Should we kill programs that violate seccomp rules?</b></big>
By default seccomp prevents the program from running the syscall and returns an error.
EOM
if $PROGRAM --title="$TITLE" --question --ellipsize --text="$MSG_Q_SECCOMP"; then
enable_seccomp_kill=true
sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
fi
#******************************************************
# root
#******************************************************
read -r -d $'\0' MSG_RUN <<EOM
Now, I will apply the changes. This is what I will do:
EOM
MSG_RUN+="\n\n"
if [[ "$run_firecfg" == "true" ]]; then
MSG_RUN+=" * enable Firejail for all recognized programs\n"
fi
if [[ "$enable_u2f" == "true" ]]; then
MSG_RUN+=" * allow browsers to access U2F devices\n"
fi
if [[ "$enable_drm" == "true" ]]; then
MSG_RUN+=" * allow browsers to play DRM content\n"
fi
if [[ "$enable_nonewprivs" == "true" ]]; then
MSG_RUN+=" * enable nonewprivs globally\n"
fi
if [[ "$enable_restricted_net" == "true" ]]; then
MSG_RUN+=" * restrict networking features\n"
fi
if [[ "$enable_seccomp_kill" == "true" ]]; then
MSG_RUN+=" * enable seccomp kill\n"
fi
MSG_RUN+="\n\nPress OK to continue, or close this window to stop the program."
$PROGRAM --title="$TITLE" --info --width=600 --height=40 --text="$MSG_RUN"
[[ $? -eq 1 ]] && exit 0
if [[ -n "${sed_scripts[*]}" ]]; then
cp "$SYSCONFDIR"/firejail.config "$SYSCONFDIR"/firejail.config-
sed -i "${sed_scripts[@]}" "$SYSCONFDIR"/firejail.config
fi
if [[ "$run_firecfg" == "true" ]]; then
# return 55 to inform firecfg symlinks are desired
exit 55
fi
#******************************************************
# all done
#******************************************************
exit 0
|
