Added Example, Dynamic userconf and clarified readme
parent 2a4370e638
commit b04d2b3215
README.md
@ -6,12 +6,14 @@ Keep in mind, this is NOT a 100% breakout-resistant thing. However it could be u

Userdata will be persisted so you can run a separate browser instance as well. Or create a startup script inside the new home folder of the sandbox and run it via sandbox.sh ./start.sh.

# Usage:
## Usage

./sandbox.sh bash

# KNOWN PROBLEMS:
## KNOWN PROBLEMS

## vscodium

Some tools, like vscodium, use a launcher that dies when the program starts.
With the script dying if the first spawned child process dies this will lead
to these tools not running in this particular config.
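Review bot: the vscodium paragraph explains the failure as "the script dying if the first spawned child process dies", but that is not what `--die-with-parent` does (it kills the sandbox when bwrap's parent dies, not when its child does). The behaviour described matches `--as-pid-1`: the launched command becomes PID 1 of the new pid namespace, and when a launcher forks the real program and exits, the kernel tears the whole namespace down. Name the responsible flag here, since the next hunk's "You will need to remove:" instruction depends on it, and add that a start script should `exec` the real program so the process that stays alive is the one holding PID 1. The new "Userdata will be persisted" sentence should also say where: browser profiles, cookies and sessions end up unencrypted under `$HOME/sandbox/<tool>/main/`, readable by every host process running as the same user.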
@ -21,6 +23,11 @@ You will need to remove:
from the Script to make it work, at the risk of tools not closing when the console/program closes.

## steam
Steam will die on its second launch, due to crashing as it cant talk to dbus.
For now this is work-around-able by starting steam via a start script instead the deletes .local/share/Steam/config in the sandbox before - but it will enforce you to reenter your password.
I'll look into this more later.

Steam will die if you use the "Save Password" Option, because dbus fails.
I get this could be pretty annoying to use, so instead you can:
edit the steam.desktop file
replace "Exec" with "Exec=/path/to/sandbox.sh ./steam.sh"
And then create the file: $HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh
with the contents: steam -login $YOURUSERNAME $PASSWORD
Beware, this will expose your credentials to all processes that can read your other system processes, but it does make steam login flawless and avoid the crash.
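Review bot: the path `$HOME/steam.sh/main/home/$YOUR_USERNAME_HERE/steam.sh` does not match the layout sandbox.sh creates with `mkdir -p $HOME/sandbox/$1/main/$NEW_HOME`; it should be `$HOME/sandbox/steam.sh/main/home/...`, and the directory under `home/` has to be whatever `$NEW_HOME` is set to, not the host username. On the "Beware" line, be concrete about the exposure: `steam -login $YOURUSERNAME $PASSWORD` puts the password into the process command line, which is readable via `/proc/<pid>/cmdline` by any process of the same user on the host (bwrap does not hide sandboxed processes from the host), and the script file itself holds it in plain text inside the persisted sandbox home. At minimum document `chmod 600` on the script and present this as a temporary workaround until the dbus crash is fixed. Spelling: "cant" should be "can't", and "instead the deletes" reads as "that instead deletes".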
@ -0,0 +1,23 @@
# Librefox Example

This is a generic firefox under fedora example, but with user config for librefox overrides.
Sadly bwrap enforces files that it overrides to already exist, but you can just add empty files to mozilla.cfg and co for example.

## This example assumes the "sandbox" folder is under $YOURHOME/sandbox/firefox.sh/

And you have to replace all placeholders in addconf.sh (even $HOME) with the full path.
Make sure to also replace the "USERNAMEHERE" folder in main/home.
And because of the nature of bwrap only overriding existing files add (or touch) all files mentioned in the addconf.sh.

Example:
sudo -i
mkdir -p /usr/lib64/firefox/defaults/pref
mkdir -p /usr/lib64/firefox/defaults/distribution
touch /usr/lib64/firefox/mozilla.cfg
touch /usr/lib64/firefox/defaults/pref/local-settings.js
touch /usr/lib64/firefox/defaults/distribution/policies.json
exit

## All fine but what does this do? Well

This will get you a sandboxed firefox, default-configured for privacy, that you can update by just moving the new policy files from [the Librefox Repo](https://github.com/intika/Librefox/tree/master/librefox) into addff
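Review bot: the `sudo -i` block creates `/usr/lib64/firefox/defaults/distribution/policies.json`, but Firefox reads enterprise policies from `<install dir>/distribution/policies.json`, i.e. `/usr/lib64/firefox/distribution/policies.json`; at the path used here the policies (DisableAppUpdate, DisableTelemetry, ...) are silently ignored, so the mkdir/touch lines and the matching bind in addconf.sh need to change together. An empty `policies.json` is also not valid JSON; write `{}` into it instead of `touch` so the host's own Firefox sees a valid empty policy document. The README should state why even `$HOME` must be replaced by hand: sandbox.sh reads addconf.sh with `cat` and expands the result unquoted, which word-splits the text but never expands variables. Lastly, "## This example assumes ..." is a sentence used as a heading; a short heading with the sentence below it reads better.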
@ -0,0 +1,3 @@
--ro-bind $HOME/sandbox/firefox.sh/addff/mozilla.cfg /usr/lib64/firefox/mozilla.cfg
--ro-bind $HOME/sandbox/firefox.sh/addff/defaults/pref/local-settings.js /usr/lib64/firefox/defaults/pref/local-settings.js
--ro-bind $HOME/sandbox/firefox.sh/addff/distribution/policies.json /usr/lib64/firefox/defaults/distribution/policies.json
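Review bot: `$HOME` in these three lines is never expanded, because sandbox.sh splices the file in through an unquoted `$ADDITIONALLINES` (word splitting and globbing only), which is why the README tells users to replace it manually; either keep that rule documented in the README (a `#` comment in this file would itself be passed to bwrap as arguments) or have sandbox.sh read the file into an array and expand a documented set of variables. The third line binds onto `/usr/lib64/firefox/defaults/distribution/policies.json`, which is not where Firefox looks for policies (`/usr/lib64/firefox/distribution/policies.json`). Note also that whitespace in any of these paths breaks the unquoted expansion, and that every target file must already exist on the host, as the README says.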
@ -0,0 +1,21 @@
//

// ============================================================================================================================================
// Librefox Version : 2.1
// ==============================
//
// Metrics available on mozilla.cfg
//
// ============================================================================================================================================

// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : General Settings
// Bench Diff : ++/5000
// >>>>>>>>>>>>>>>>>>>>

// Librefox MoD
pref("general.config.filename", "mozilla.cfg");

// Default Firefox
// ROT13 Settings primitive encryption routing that
pref("general.config.obscure_value", 0);
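Review bot: the comment `// ROT13 Settings primitive encryption routing that` is cut off mid-sentence; it should say that `general.config.obscure_value` set to 0 disables the ROT13 byte shift Firefox otherwise applies when reading mozilla.cfg, so the file can be kept as plain text. Worth adding to the header that mozilla.cfg is evaluated as privileged JavaScript at startup (Firefox skips its first line, hence the leading `//`), so write access to that file is code execution inside the browser; the `--ro-bind` in addconf.sh keeps it read-only in the sandbox, but the host copy under `$HOME/sandbox/firefox.sh/addff/` remains writable by the user.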
@ -0,0 +1,16 @@
{
"policies": {
"AppUpdateURL": "",
"DisableAppUpdate": true,
"OverridePostUpdatePage": "",
"DisableMasterPasswordCreation": true,
"DisableFeedbackCommands": true,
"DisableFirefoxAccounts": true,
"DisableFirefoxStudies": true,
"DisablePocket": true,
"DisableProfileImport": true,
"DisableSetDesktopBackground": true,
"DisableSystemAddonUpdate": true,
"DisableTelemetry": true
}
}
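Review bot: `"DisableMasterPasswordCreation": true` removes the user's ability to set a primary password, so any logins saved in the browser sit in the persisted profile under `$HOME/sandbox/firefox.sh/main/` protected only by file permissions; since that profile is exactly what the README says survives between runs, either drop this policy or document the trade-off. `"DisableAppUpdate": true` is the right choice here because `/usr` is bind-mounted read-only from the host, but the Librefox README should say that the sandboxed Firefox therefore only receives security fixes when the host package is updated. With updates disabled, `"AppUpdateURL": ""` and `"OverridePostUpdatePage": ""` are redundant and can go.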
File diff suppressed because it is too large
@ -0,0 +1,2 @@
#!/bin/bash
firefox
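Review bot: use `exec firefox "$@"` instead of a bare `firefox`: with `--as-pid-1` this script is PID 1 of the sandbox, and `exec` makes Firefox itself PID 1 rather than leaving a bash process in front of it, while `"$@"` lets URLs and flags be forwarded. Since sandbox.sh uses `$1` both as the sandbox directory name and as the command run from `--chdir $NEW_HOME`, document that this file has to live in `main/$NEW_HOME`, be executable, and be invoked as `./sandbox.sh ./firefox.sh` (without the `./` the command is looked up in PATH, not in the home directory).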
sandbox.sh
@ -9,66 +9,73 @@ NATIVEUSERID=`id -u`
#GROUPID=123456
#NEW_HOME=/home/123456

env=()
# This is actually a nicety for users so they can add custom configs in sandbox/$1/addconf.sh
if [ -e $HOME/sandbox/$1/addconf.sh ]
then
ADDITIONALLINES=`cat $HOME/sandbox/$1/addconf.sh`
else
ADDITIONALLINES=""
fi

env=()
# With this we add every known environment variable to be unset, to minimize data leaks
# This is not secured against the keys being malicious.
for line in `compgen -v`; do
# With this we add every known environment variable to be unset, to minimize data leaks
# This is not secured against the keys being malicious.
env+=("--unsetenv $line")
done

pci=()

# This is needed to give access for pci devices, so gpu acceleration (should mostly) work
for line in `ls /sys/devices/ | grep pci`; do
# This is needed to give access for pci devices, so gpu acceleration (should mostly) work
pci+=("--dev-bind /sys/devices/$line /sys/devices/$line")
done

# Same here, the calling tool needs to ensure $HOME and the passed arguments are not malicious.

# This creates the sandbox target directories
mkdir -p $HOME/sandbox/$1/main/$NEW_HOME
mkdir -p $HOME/sandbox/$1/tmp

bwrap \
--bind $HOME/sandbox/$1/main/ / \
--bind $HOME/sandbox/$1/tmp/ /tmp \
--ro-bind /bin /bin \
--ro-bind /etc /etc \
--ro-bind /usr /usr \
--ro-bind /usr/sbin /sbin \
--ro-bind /usr/lib64 /lib64 \
--ro-bind /usr/lib /lib \
--proc /proc \
--dev /dev \
--dev-bind /dev/dri /dev/dri \
--tmpfs /var \
--tmpfs /run --dir /run/user/$USERID \
--bind $HOME/sandbox/$1/main/$NEW_HOME $NEW_HOME \
--dev-bind /sys/dev/char /sys/dev/char \
--dev-bind /run/user/$NATIVEUSERID/pulse /run/user/$USERID/pulse \
${pci[@]} \
--unshare-all \
--unshare-user \
--share-net \
--new-session \
--hostname sb \
--uid $USERID \
--gid $GROUPID \
--die-with-parent \
--as-pid-1 \
--cap-drop ALL \
--chdir $NEW_HOME \
${env[@]} \
--unsetenv 'BASH_FUNC_module%%' \
bwrap `#The base bwrap` \
--bind $HOME/sandbox/$1/main/ / `#this re-binds the virtual / in the users home to the bubblewrapped /` \
--bind $HOME/sandbox/$1/tmp/ /tmp `#Allow writing to a virtual /tmp as well` \
--ro-bind /bin /bin `#allow access to systems binaries` \
--ro-bind /etc /etc `#allow access to shared config etc` \
--ro-bind /usr /usr `#lots of .so files and executables here as well` \
--ro-bind /usr/sbin /sbin `#These are just compat rebinds` \
--ro-bind /usr/lib64 /lib64 `#compat` \
--ro-bind /usr/lib /lib `#compat` \
--proc /proc `#adds a virtual proc dir` \
--dev /dev `#adds a virtual dev dir` \
--dev-bind /dev/dri /dev/dri `#we have to bind this so tools can access accelerated rendering` \
--tmpfs /var `#allow writing from and to var, but a new empty one` \
--tmpfs /run --dir /run/user/$USERID `#same for run, but make sure the virtual user run dir exists` \
--bind $HOME/sandbox/$1/main/$NEW_HOME $NEW_HOME `#binding the user home to our wanted directory` \
--dev-bind /sys/dev/char /sys/dev/char `#more bindings for gpu accel access` \
--dev-bind /run/user/$NATIVEUSERID/pulse /run/user/$USERID/pulse `#allows applications to have sound` \
${pci[@]} `#this will add all gpus in the system as dev-bind, so we can access them (gpu accel)` \
--unshare-all `#even if in the future more can be unshared, auto-do it` \
--unshare-user `#dont just try to unshare the user, enforce doing so!` \
--share-net `#bwrap override: allow network access` \
--new-session `#separates the called shell so the tool running cant inject into the calling cli` \
--hostname sb `#sets the virtual hostname` \
--uid $USERID `#force this virtual user id` \
--gid $GROUPID `#force this virtual group id` \
--die-with-parent `#if the first calling process dies - kill all children` \
--as-pid-1 `#the virtual process will get pid1 and think its the init process, to hide PIDs` \
--cap-drop ALL `#drops capabilities even if you run this as root (you likely shouldnt)` \
--chdir $NEW_HOME `#change working dir in the virtual env to this` \
${env[@]} `#get rid of all env vars, as they can expose host information` \
--unsetenv 'BASH_FUNC_module%%' `#bash internal function unset x3` \
--unsetenv 'BASH_FUNC__module_raw%%' \
--unsetenv 'BASH_FUNC_switchml%%' \
--setenv HOME "$NEW_HOME" \
--setenv PWD "$NEW_HOME" \
--setenv LC_ALL "en_US.UTF-8" \
--setenv DISPLAY ":0" \
--setenv XDG_RUNTIME_DIR "/tmp" \
--setenv TERM "xterm-256color" \
--setenv COLORTERM "truecolor" \
--setenv DEFAULT_USER $USERID \
--setenv PATH "/usr/local/bin:/usr/share/Modules/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin" \
$1
--setenv HOME "$NEW_HOME" `#tricks some applications to accept the virtual home` \
--setenv PWD "$NEW_HOME" `#same` \
--setenv LC_ALL "en_US.UTF-8" `#set common lang - likely should get this from main os but no bug reports for it so far. :P` \
--setenv DISPLAY ":0" `#let there be display` \
--setenv XDG_RUNTIME_DIR "/tmp" `#put desktop app temp files here if they rely on xdg` \
--setenv TERM "xterm-256color" `#enforce full color terms` \
--setenv COLORTERM "truecolor" `#not setting this can crash some term emulators` \
--setenv DEFAULT_USER $USERID `#more user trickery` \
--setenv PATH "/usr/local/bin:/usr/share/Modules/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin" `#make tools aware of our modified preferred paths` \
$ADDITIONALLINES `#add user config` \
$1 `#run the actual tool`
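Review bot: `$1` is used unchecked both as a path component (`$HOME/sandbox/$1/main/`, the `mkdir -p` lines, the `--bind ... /`) and as the command to run, and `$ADDITIONALLINES` is expanded unquoted, so a value containing `..`, whitespace or glob characters changes which directory gets mounted as `/` or which arguments bwrap receives. The comment "Same here, the calling tool needs to ensure ..." pushes this onto the caller, but a two-line guard such as `case "$1" in *..*|/*) exit 1 ;; esac` and reading the file with `read -d '' -ra ADDITIONAL < "$HOME/sandbox/$1/addconf.sh"` followed by `"${ADDITIONAL[@]}"` (whitespace splitting without globbing) would close both, and would explain in code why `$HOME` inside addconf.sh is never expanded. Two caveats the README's "NOT 100% breakout-resistant" line should spell out: `--share-net` keeps the host network namespace, which is what makes `DISPLAY=:0` work without any X socket bind (the X server's abstract `@/tmp/.X11-unix/X0` socket is network-namespace scoped), so the sandboxed program has the same unrestricted X11 access as any host program; and the pulse socket bind hands it the host's audio devices, capture included. Finally, `XDG_RUNTIME_DIR` is set to `/tmp` while the pulse socket is bound under `/run/user/$USERID/pulse` (the directory `--dir` already creates); libpulse looks for `$XDG_RUNTIME_DIR/pulse/native`, so either set `XDG_RUNTIME_DIR` to `/run/user/$USERID` or verify that audio actually connects.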