From 2c2d0978c64de8d8d9f9820a548eaee2eaf73c39 Mon Sep 17 00:00:00 2001
From: valoq
Date: Mon, 31 Aug 2020 13:13:45 +0200
Subject: [PATCH] cleanup
---
profiles/firefox-wayland | 70 ----------------------------------------
profiles/mupdf | 42 ------------------------
2 files changed, 112 deletions(-)
delete mode 100644 profiles/firefox-wayland
delete mode 100644 profiles/mupdf
diff --git a/profiles/firefox-wayland b/profiles/firefox-wayland
deleted file mode 100644
index e0a8949..0000000
--- a/profiles/firefox-wayland
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-(
- exec bwrap \
- --ro-bind /usr/bin/apulse /usr/bin/apulse \
- --ro-bind /usr/bin/sh /usr/bin/sh \
- --ro-bind /usr/share /usr/share/ \
- --ro-bind /usr/lib /usr/lib \
- --ro-bind /usr/lib64 /usr/lib64 \
- --symlink /usr/lib64 /lib64 \
- --symlink /usr/lib /lib \
- --symlink /usr/bin /bin \
- --symlink /usr/bin /sbin \
- --tmpfs /usr/lib/modules \
- --tmpfs /usr/lib/systemd \
- --tmpfs /usr/lib/gcc \
- --proc /proc \
- --dev /dev \
- --dev-bind /dev/snd /dev/snd \
- --ro-bind /etc/passwd /etc/passwd \
- --ro-bind /etc/group /etc/group \
- --ro-bind /etc/hostname /etc/hostname \
- --ro-bind /etc/hosts /etc/hosts \
- --ro-bind /etc/localtime /etc/localtime \
- --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
- --ro-bind /etc/resolv.conf /etc/resolv.conf \
- --ro-bind /etc/xdg /etc/xdg \
- --ro-bind /etc/gtk-2.0 /etc/gtk-2.0 \
- --ro-bind /etc/gtk-3.0 /etc/gtk-3.0 \
- --ro-bind /etc/fonts /etc/fonts \
- --ro-bind /etc/mime.types /etc/mime.types \
- --ro-bind /etc/pulse /etc/pulse \
- --ro-bind /etc/asound.conf /etc/asound.conf \
- --tmpfs /run \
- --ro-bind /run/user/"$(id -u)"/wayland-0 /run/user/"$(id -u)"/wayland-0 \
- --bind ~/.mozilla /home/jail/.mozilla \
- --bind ~/.cache/mozilla /home/jail/.cache/mozilla \
- --bind ~/Downloads /home/jail/Downloads \
- --chdir /home/jail \
- --unsetenv DBUS_SESSION_BUS_ADDRESS \
- --setenv SHELL /bin/false \
- --setenv HOME /home/jail \
- --setenv USER nobody \
- --setenv LOGNAME nobody \
- --setenv MOZ_ENABLE_WAYLAND 1 \
- --unshare-user-try \
- --unshare-pid \
- --unshare-uts \
- --unshare-cgroup \
- --new-session \
- --seccomp 10 \
- 10< /usr/local/bin/seccomp_default_filter.bpf \
- apulse /usr/lib/firefox/firefox
-)
-
-# note: running firefox on wayland like this should make a complete sandbox
-
-# todo:
-
-# --ro-bind /usr/share/locale /usr/share/locale \
-# --ro-bind /usr/share/X11 /usr/share/X11 \
-# --ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \
-# --ro-bind /usr/share/fonts /usr/share/fonts \
-# --ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \
-# --ro-bind /usr/share/icons /usr/share/icons \
-# --ro-bind /usr/share/pixmaps /usr/share/pixmaps \
-# --ro-bind /usr/share/mime /usr/share/mime \
-# --ro-bind /usr/share/applications /usr/share/applications \
-# --ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \
-# --bind /var/cache/fontconfig
diff --git a/profiles/mupdf b/profiles/mupdf
deleted file mode 100644
index 0fea870..0000000
--- a/profiles/mupdf
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-(
- exec bwrap \
- --ro-bind /usr/bin/mupdf /usr/bin/mupdf \
- --ro-bind /usr/share /usr/share \
- --ro-bind /usr/lib /usr/lib \
- --ro-bind /usr/lib64 /usr/lib64 \
- --symlink /usr/lib64 /lib64 \
- --tmpfs /usr/lib/modules \
- --tmpfs /usr/lib/systemd \
- --tmpfs /usr/lib/gcc \
- --proc /proc \
- --ro-bind /tmp/.X11-unix /tmp/.X11-unix \
- --ro-bind /etc/fonts /etc/fonts \
- --ro-bind ~/.Xauthority /home/jail/.Xauthority \
- --ro-bind "${@: -1}" /home/jail/"$(basename "${@: -1}")" \
- --chdir /home/jail \
- --unsetenv MOZ_PLUGIN_PATH \
- --unsetenv XTERM_LOCALE \
- --unsetenv TERM \
- --unsetenv XTERM_VERSION \
- --unsetenv XTERM_SHELL \
- --unsetenv DBUS_SESSION_BUS_ADDRESS \
- --unsetenv XDG_RUNTIME_DIR \
- --unsetenv MAIL \
- --setenv SHELL /bin/false \
- --setenv PATH /usr/bin \
- --setenv HOME /home/jail \
- --setenv XAUTHORITY /home/jail/.Xauthority \
- --setenv USER nobody \
- --unshare-user-try \
- --unshare-pid \
- --unshare-net \
- --unshare-uts \
- --unshare-cgroup \
- --unshare-ipc \
- --new-session \
- --seccomp 10 \
- 10< /usr/local/bin/seccomp_default_filter.bpf \
- /usr/bin/mupdf "$(basename "${@: -1}")" &>/dev/null
-)