#!/usr/bin/env zsh
# Tinfoil
#
# A tool to manage multiple profiles for web browsers
#
# {{{ License
#
# Copyright (C) 2017-2018 Dyne.org Foundation
#
# Tinfoil is designed, written and maintained by Denis Roio <[email protected]>
#
# This source code is free software; you can redistribute it and/or
# modify it under the terms of the GNU Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This source code is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Please refer
# to the GNU Public License for more details.
#
# You should have received a copy of the GNU Public License along with
# this source code; if not, write to: Free Software Foundation, Inc.,
# 675 Mass Ave, Cambridge, MA 02139, USA.
# }}} - License
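# Build a temporary firejail profile for the given browser/profile pair and
# launch the browser through `tinfoil` inside that sandbox.
#
# Arguments: $1 - browser name, $2 - tinfoil profile name,
#            $3 - optional extra argument handed through to tinfoil
# Globals:   DEBUG (read) - when 1, print the generated profile and run
#            firejail in the foreground with its debug flags
#
# zsh does not word-split unquoted parameter expansions, so plain $var is
# used below where an array or an empty value must keep its zsh meaning.

# Both names are required; an empty browser would otherwise be dropped from
# the `tinfoil conf` argument list and shift the profile into its place.
[[ -z "$1" || -z "$2" ]] && {
    print -u2 "usage: $0 browser profile"
    return 1
}

# read the config
# NOTE(review): this evals whatever `tinfoil conf` prints, and the browser
# and profile names from the command line are passed into it. It is only
# safe if `tinfoil conf` shell-quotes every value it emits -- confirm there.
# The substitution is quoted so the output is evaluated line by line exactly
# as printed, instead of being re-split and joined with single spaces.
eval "$(tinfoil conf "$1" "$2")"
# browser="$browser"
# profile="$profile"
# profilepath="$HOME/.tinfoil/profiles/$browser.$profile"
# familypath="$HOME/.${vendor[$browser]}"
# cachepath="$HOME/.cache/${vendor[$browser]}"
# browser_executable="$cmd"

# Refuse to build a sandbox profile from an empty configuration: without
# these the whitelist lines and the stock profile path below are meaningless.
[[ -n "$browser" && -n "$profile" ]] || {
    print -u2 "$0: tinfoil conf did not provide browser and profile"
    return 1
}

# generate the firejail profile
tmp=$(mktemp) || {
    print -u2 "$0: cannot create temporary firejail profile"
    return 1
}

# use stock firejail profiles except for palemoon
# this solves recent problems with chromium
# but still our own setup for palemoon works better
# NOTE(review): if the stock profile is missing, cat only reports an error
# and the browser still starts with just the whitelist lines added below.
[[ "$browser" = "palemoon" ]] ||
    cat /etc/firejail/$browser.profile >> $tmp

# Paths the sandboxed browser is allowed to see.
cat <<EOF >> $tmp
whitelist $familypath
whitelist $profilepath
whitelist $cachepath
whitelist /opt/firefox
whitelist /opt/palemoon
whitelist /opt/chrome
EOF

[[ "$browser" = "palemoon" ]] && {
    # add audio and video devices
    for i in ${(f)"$(find /dev/snd -type c)"}; do
        print -r -- "whitelist $i" >> $tmp
    done
    for i in ${(f)"$(find /dev -name 'video*' -type c)"}; do
        print -r -- "whitelist $i" >> $tmp
    done
    for i in ${(f)"$(find /dev -name 'audio*' -type c)"}; do
        print -r -- "whitelist $i" >> $tmp
    done
    cat <<EOF >> $tmp
whitelist /dev/drm
whitelist /dev/random
whitelist /dev/urandom
whitelist /dev/null
EOF
}

# user configurations and installed profiles
for i in $firejail_templates; do
    print -r -- "include $i" >> $tmp
done

# delete the firejail configuration after launch
# NOTE(review): the file is removed 5 seconds from here whether or not
# firejail has read it yet; on a slow start it may already be gone -- confirm.
(sleep 5; rm -f -- "$tmp") &

if [[ $DEBUG = 1 ]]; then
    # Show the generated profile, then run in the foreground with tracing.
    cat $tmp
    FIREJAIL=1 firejail --debug --debug-whitelists --profile=$tmp tinfoil \
        -e $browser_executable $browser $profile "$3"
else
    FIREJAIL=1 firejail --profile=$tmp tinfoil \
        -e $browser_executable $browser $profile "$3" &
fi

sleep 1
command -v wmctrl > /dev/null && {
    # parse last window open using wmctrl and rename it
    # NOTE(review): awk stops at the first window wmctrl lists, which may
    # not be the browser window that was just opened -- confirm the order.
    local lw=$(wmctrl -l | awk '/^0x/ { print $1; exit }')
    # echo "wmctrl -i -r ${lw} -T ${profile}.${browser}"
    # With no window id, zsh would drop the empty ${lw} and wmctrl would
    # take "-T" as the window to rename, so skip the call in that case.
    if [[ -n "$lw" ]]; then
        wmctrl -i -r ${lw} -T ${profile}.${browser}
    fi
}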
# option.is_set --audit-firejail && {
# warning "Firejail audit mode"
# act "CMD: firejail --profile=$ztmpfile --audit $cmd ${=browser_opts}"
# firejail --profile=$ztmpfile --audit $cmd ${=browser_opts}
# act ""
# return 0
# }