child 185:8a11bbe68b67
parent 183:9119f0c58317
184:5e3ee9d17ca9
Anton Shestakov <av6@dwimlabs.net>, Sat, 27 Jul 2019 23:32:36 +0800
.bashrc: a script to set up sandbox using firejail to run random stuff

4 файлов изменено, 83 вставок(+), 0 удалений(-) [+]
.bashrc file | annotate | diff | comparison | revisions
fj/template.net file | annotate | diff | comparison | revisions
fj/template.profile file | annotate | diff | comparison | revisions
fj/template.sh file | annotate | diff | comparison | revisions
--- a/.bashrc Fri Apr 12 13:28:38 2019 +0800
+++ b/.bashrc Sat Jul 27 23:32:36 2019 +0800
@@ -68,6 +68,15 @@
# qrencode "$@" -o - | feh -
# }
+fj() {
+ for ext in net profile sh; do
+ sed -e 's/template.\(net\|profile\|sh\)/'"$1"'.\1/g' \
+ -e 's/wine-template/wine-'"$1"'/g' \
+ ~/.dotfiles/fj/template.$ext > "$1".$ext
+ done
+ chmod +x "$1".sh
+}
+
# Makes C-S visible to bash, so C-R and C-S search through history back and
# forward
stty -ixon
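Review bot: `fj` splices its only argument, unchecked, into both sed replacement strings and into the `"$1".$ext` output paths, so a name containing `/`, `&` or `\` corrupts the sed expression and something like `../x` writes the generated files outside the working directory. The argument is meant to be a plain sandbox name, so reject anything else up front: `[[ ${1:-} =~ ^[A-Za-z0-9_-]+$ ]] || { printf 'fj: name must be alphanumeric, got %q\n' "$1" >&2; return 1; }`, which also stops a bare `fj` from producing hidden `.net`/`.profile`/`.sh` files. The `.` in `template.` is an unescaped regex metacharacter and the `\|` alternation is GNU-sed specific; both are fine for a personal .bashrc but deserve a one-line comment. Note that `>` silently overwrites an existing `<name>.profile`, which matters once a generated profile has been hand-tuned; a `[[ -e "$1".$ext ]] && return 1` guard or `set -o noclobber` in the loop would protect it.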
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/fj/template.net Sat Jul 27 23:32:36 2019 +0800
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT
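Review bot: The `-A INPUT -p udp --sport 53 -j ACCEPT` rule admits any inbound UDP datagram whose source port happens to be 53, regardless of connection state, so it is a hole rather than a DNS rule; the earlier `RELATED,ESTABLISHED` rule already lets genuine DNS replies through, so delete it. The OUTPUT chain defaults to DROP and has no loopback rule, so while `-i lo` is accepted on INPUT, anything the sandboxed program sends to 127.0.0.1 is dropped on the way out; add `-A OUTPUT -o lo -j ACCEPT` next to the INPUT one. The `echo-request` INPUT rule appears twice (under "allow ping etc." and again under "allow incoming ping"), and the "no incoming connections" comment sits above the rule that permits return traffic, so it should read `# allow replies to connections the sandbox opened`. Note too that the profile in this commit sets `net none`, under which firejail creates a namespace with only loopback, so whether this filter has any effect at all is worth confirming against the firejail version in use.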
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/fj/template.profile Sat Jul 27 23:32:36 2019 +0800
@@ -0,0 +1,41 @@
+include globals.local
+
+#noblacklist ${HOME}/.cache/chromium
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+
+#mkdir ${HOME}/.cache/chromium
+#whitelist ${HOME}/.cache/chromium
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+#apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+netfilter template.net
+#no3d
+#nodbus
+nodvd
+#nogroups
+nonewprivs
+noroot
+#nosound
+notv
+nou2f
+#novideo
+protocol unix,netlink
+#seccomp
+shell none
+tracelog
+#x11 xorg
+
+disable-mnt
+private-dev
+private-tmp
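Review bot: Nothing in this profile confines the home directory, so a program run through it (the commit says "random stuff") can read and write everything under `${HOME}` that the `disable-*.inc` blacklists do not name; `disable-common.inc` and `disable-passwdmgr.inc` cover known sensitive dotfiles, but not arbitrary documents or the other Wine prefixes. The companion script sets `WINEPREFIX=~/.wine-template/` and `fj` rewrites `wine-template` in this file as well, so a whitelist would be renamed per sandbox automatically: replace the leftover chromium lines with `mkdir ${HOME}/.wine-template` and `whitelist ${HOME}/.wine-template`. `seccomp` is commented out, which leaves the syscall filter off entirely; if Wine needed specific syscalls, prefer `seccomp !<syscall>` (or `seccomp.keep`, depending on what the installed firejail supports) to dropping the filter, and record which syscalls in a comment. With `x11` also commented out the program presumably talks to the host X server directly, which `private-tmp` keeps reachable; that is likely intentional for Wine but worth a comment since it permits snooping on other X clients.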
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/fj/template.sh Sat Jul 27 23:32:36 2019 +0800
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+LC_ALL=en_US.UTF-8
+export LC_ALL
+WINEPREFIX=~/.wine-template/
+export WINEPREFIX
+
+firejail --profile=template.profile -- winecfg-development
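Review bot: `--profile=template.profile` is a relative path, and firejail appears to try it against the current working directory before searching its own profile directories, so running the generated `<name>.sh` from anywhere other than the directory holding its profile either fails or, if another file of that name exists there, silently applies the wrong sandbox. Anchor the path to the script instead: `here=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) || exit 1` followed by `firejail --profile="$here/template.profile" -- winecfg-development`. The profile's own `netfilter template.net` line is probably resolved the same way, so either `cd -- "$here"` before launching or have `fj` write an absolute path into the profile; confirm against the firejail man page. A `set -eu` line after the shebang and a top-of-file comment stating that `fj` rewrites `template` and `wine-template` in this file would round it out.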