From 62fc2eb9d5a8629f8c9f21195b541af571024133 Mon Sep 17 00:00:00 2001
From: valoq
Date: Tue, 26 May 2020 17:10:14 +0200
Subject: [PATCH] create strict sandbox
---
 profiles/libreoffice | 32 +++++++++++++-------------------
 1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/profiles/libreoffice b/profiles/libreoffice
index b132160..61761fe 100644
--- a/profiles/libreoffice
+++ b/profiles/libreoffice
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+mkdir -p ~/.doc
 (
 exec bwrap \
 --ro-bind /usr/bin /usr/bin/ \
@@ -17,32 +18,24 @@ set -euo pipefail
 --ro-bind /tmp/.X11-unix /tmp/.X11-unix \
 --ro-bind /etc /etc \
 --ro-bind /sys /sys \
- --bind /run/user/"$(id -u)"/dconf /run/user/"$(id -u)"/dconf \
- --bind /run/user/"$(id -u)"/bus /run/user/"$(id -u)"/bus \
- --bind ~/ ~/ \
- --tmpfs ~/.gnupg \
- --tmpfs ~/.ssh \
- --tmpfs ~/.mutt \
- --tmpfs ~/.mozilla \
- --tmpfs ~/.thunderbird \
- --tmpfs ~/.mail \
- --tmpfs ~/.Mail \
- --tmpfs ~/.claws-mail \
- --tmpfs ~/.config \
- --tmpfs ~/.cache \
- --tmpfs ~/.local \
- --tmpfs ~/.pki \
- --bind ~/.cache/dconf ~/.cache/dconf \
- --bind ~/.cache/fontconfig ~/.cache/fontconfig \
- --ro-bind ~/.Xauthority ~/.Xauthority \
- --bind ~/.config/libreoffice ~/.config/libreoffice \
+ --unsetenv MOZ_PLUGIN_PATH \
 --unsetenv MOZ_PLUGIN_PATH \
 --unsetenv XTERM_LOCALE \
 --unsetenv TERM \
 --unsetenv XTERM_VERSION \
 --unsetenv XTERM_SHELL \
+ --unsetenv DBUS_SESSION_BUS_ADDRESS \
 --unsetenv XDG_RUNTIME_DIR \
 --unsetenv MAIL \
+ --setenv SHELL /bin/false \
+ --setenv PATH /usr/bin \
+ --setenv HOME /home/jail \
+ --setenv USER nobody \
+ --bind ~/.cache/fontconfig /home/jail/.cache/fontconfig \
+ --bind ~/.config/libreoffice /home/jail/.config/libreoffice \
+ --bind ~/.doc /home/jail \
+ --bind "${@: -1}" /home/jail/"$(basename "${@: -1}")" \
+ --chdir /home/jail \
 --unshare-user-try \
 --unshare-pid \
 --unshare-net \
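Review bot: The added `--bind "${@: -1}" /home/jail/"$(basename "${@: -1}")"` line assumes the last argument is always a document path; with no arguments bash expands `"${@: -1}"` to `$0`, so the profile script itself would be bound read-write into the sandbox, and an option-only invocation hands bwrap a source that does not exist. A guard before the subshell such as `[[ $# -gt 0 && -f "${@: -1}" ]] || { echo "usage: ${0##*/} FILE" >&2; exit 2; }` would close both cases. Separately, bwrap applies its mount options in the order given, so `--bind ~/.doc /home/jail` coming after the `/home/jail/.cache/fontconfig` and `/home/jail/.config/libreoffice` binds appears to cover them; moving the `~/.doc` bind ahead of those two lines should keep them visible. The added `--unsetenv MOZ_PLUGIN_PATH` also appears to duplicate the context line directly after it. The bwrap command starts and ends outside this hunk.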
@@ -53,3 +46,4 @@ set -euo pipefail
 10< /usr/local/bin/seccomp_default_filter.bpf \
 /usr/bin/libreoffice "$@"
 )
+mv -n ~/.doc/*.* ~/
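Review bot: The added `mv -n ~/.doc/*.* ~/` moves everything the confined LibreOffice process left in `~/.doc` back into the real home directory unreviewed, which undoes part of the isolation if a document did manage to compromise the process; directories and symlinks whose names contain a dot are moved too. It also aborts under `set -e` when the glob matches nothing, silently skips names without a dot, and never runs when the subshell exits non-zero. If the automatic move is kept, limiting it to regular files would be safer, e.g. `find ~/.doc -maxdepth 1 -type f ! -name '.*' -exec mv -n -t ~/ -- {} +`; a short comment above the line stating that sandbox output is treated as untrusted would help too.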