@glitsj16
Last active December 19, 2022 07:22
Experimental Firejail profiles for ssmtp

Inspired by netblue30/firejail#5525.

The sandbox is very restrictive (whitelisting type) and in my preliminary tests everything seems to be working as expected. There is one (minor) glitch though. It concerns the dead.letter file that MTAs produce when something goes wrong in processing mail requests, which is a good thing. With the mkfile ${HOME}/dead.letter option in ssmtp.profile, that file is _always_ created in the filesystem, regardless of whether processing was successful or not. Having the choice between (1) creating a weaker sandbox (by ditching the whitelisting and avoiding the potential false positive) and (2) a more hardened sandbox, I opted for the latter. If you happen to create a shell wrapper to sandbox ssmtp via Firejail anyway, it's only a few extra lines to check for a zero-sized ${HOME}/dead.letter file and remove it after ssmtp is done. See the provided ssmtp file for an example.

NOTES:

The restrict-namespaces option is currently not available in any released Firejail version. Either comment it out or build/install firejail from git.

There are considerable ssmtp packaging differences between distributions if you want to use

  • (1) SSL/TLS to send secure messages to server [UseTLS=Yes +TLS_CA_File=/etc/ssl/certs/ca-certificates.crt] and
  • (2) SSL/TLS before starting negotiation [UseSTARTTLS=Yes].

On Arch Linux the AUR's ssmtp package works well.

For Ubuntu I had to install ssmtp from this PPA. I didn't check/test any other Linux OS, be advised.

```
# Firejail :: persistent local customizations for disable-programs.inc
# ssmtp
blacklist /etc/ssmtp
```
```sh
#!/bin/sh
#
## wrapper for ssmtp
#+ sandbox support via firejail

### vars
_app="ssmtp"
_bin="/usr/bin/${_app}"
# OS-detection (Debian/Ubuntu)
[ -x "/usr/bin/apt" ] && _bin="/usr/sbin/${_app}"
_debug="no"
# sandboxing
_sbox_mode="quiet"
[ "$_sbox_mode" = "quiet" ] && _bin="firejail --quiet ${_bin}"
[ "$_sbox_mode" = "verbose" ] && _bin="firejail --ignore=quiet ${_bin}"

### logic
# run
${_bin} "$@"
# dead.letter support
if [ -f "${HOME}/dead.letter" ]; then
    if [ ! -s "${HOME}/dead.letter" ]; then
        #+ 'false positive' due to mkfile in firejail profile
        if [ "$_debug" = "yes" ]; then
            echo
            echo "[DEBUG] Empty dead.letter detected. This would get removed in production..."
        else
            rm -f "${HOME}/dead.letter"
        fi
    else
        #+ error processing mail
        echo
        echo "[ERROR] Non-empty dead.letter detected. ssmtp could not process the mail." >&2
        exit 1
    fi
fi
exit 0
```
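A variation on the wrapper's dead.letter check, added here as an example and not part of the gist: it records the file's size before the run so that an older non-empty dead.letter is not reported as a new failure, and it passes ssmtp's exit status through. The function names are hypothetical, and comparing sizes assumes that a failed run changes the size of the file.

```shell
#!/bin/sh
# Added example, not part of the gist. The names dl_size, dl_classify and
# run_checked are hypothetical.

# Print the size of file $1 in bytes, or "absent" if it does not exist.
dl_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo absent; fi
}

# dl_classify BEFORE FILE: compare the pre-run size with the file as it is now.
#   clean        no dead.letter exists
#   placeholder  zero-sized file, as left behind by mkfile in the profile
#   stale        non-empty and same size as before the run (older failure)
#   failed       non-empty and new or changed (this run failed)
dl_classify() {
    _now="$(dl_size "$2")"
    case "$_now" in
        absent) echo clean ;;
        0)      echo placeholder ;;
        "$1")   echo stale ;;
        *)      echo failed ;;
    esac
}

# run_checked FILE CMD [ARGS...]: run CMD, reconcile FILE afterwards and
# return CMD's exit status, or 1 if CMD exited 0 but left a new dead.letter.
run_checked() {
    _file="$1"; shift
    _before="$(dl_size "$_file")"
    _rc=0
    "$@" || _rc=$?
    case "$(dl_classify "$_before" "$_file")" in
        placeholder) rm -f -- "$_file" ;;
        stale)  echo "note: unchanged dead.letter from an earlier run: $_file" >&2 ;;
        failed) echo "error: mail was not delivered, see $_file" >&2
                [ "$_rc" -ne 0 ] || _rc=1 ;;
    esac
    return "$_rc"
}

# In the wrapper this would take the place of the run and dead.letter steps:
#   run_checked "${HOME}/dead.letter" firejail --quiet /usr/bin/ssmtp "$@"
```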
```
# Firejail profile for ssmtp
# Description: Extremely simple MTA to get mail off the system to a mailhub
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include ssmtp.local
# Persistent global definitions
include globals.local

blacklist ${RUNUSER}
blacklist /tmp/.X11-unix
blacklist /usr/libexec

noblacklist ${DOCUMENTS}
noblacklist /etc/logcheck
noblacklist /etc/ssmtp
noblacklist /usr/sbin

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

mkfile ${HOME}/dead.letter
whitelist ${HOME}/dead.letter
whitelist ${DOCUMENTS}
whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
#nogroups breaks app
noinput
nonewprivs
noprinters
#noroot breaks app
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
tracelog

disable-mnt
# private works but we lose ${HOME}/dead.letter
# which is useful to get notified on mail issues
#private
private-bin mailq,newaliases,sendmail,ssmtp
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none

memory-deny-write-execute
restrict-namespaces
read-only ${HOME}
read-write ${HOME}/dead.letter
```