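#!/bin/sh
#
## build & install firejail from git via checkinstall
#+ assumptions:
#+ expects presence of $HOME/Downloads/deb.control.firejail
#+ which offers a template for creating a nice .deb
#+ content is in comment attached to this gist
#+ needs: git, sed, awk, grep, checkinstall, dpkg-deb, dpkg, gzip,
#+ strip (binutils), sudo, mktemp
#
# abort on the first failing command and on any unset variable: the
# sudo checkinstall / sudo dpkg -i steps below must never run against a
# half-built or wrongly located tree
set -eu
### vars
package="firejail"
repo_url="https://github.com/netblue30/firejail.git"
### helpers
# die MESSAGE... -- print MESSAGE to stderr and exit 1
die() {
  printf '%s\n' "$*" >&2
  exit 1
}
### logic
cd "$HOME" || die "cannot cd to $HOME"
# compile in tmpfs. mktemp creates a fresh directory only we can write
# to; a fixed /tmp/bz-firejail path could be pre-created by any other
# local user and would then be the tree we build a setuid binary in and
# run sudo checkinstall / sudo dpkg -i against.
bz_tmpfs="$(mktemp -d "/tmp/bz-${package}.XXXXXX")" || die "mktemp failed"
# the tree is root-owned after the chown below, so removal needs sudo
# (as in the original post-install step); run it on every exit path
cleanup() {
  cd "$HOME" 2>/dev/null || :
  sudo rm -rf -- "${bz_tmpfs:?}"
}
trap cleanup EXIT
trap 'exit 1' INT TERM
cd "$bz_tmpfs" || die "cannot cd to $bz_tmpfs"
git clone "$repo_url" || die "O.o --> repo cloning failed - aborting"
cd "$package" || die "cannot cd to $package"
# patches go here
# helpers
# release tag: r<commit count>.<short hash>
thisRelease="$(printf 'r%s.%s' "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)" | sed 's/^v//;s/-/./g')"
# upstream version: second word of the first RELNOTES line naming
# firejail, with the surrounding parentheses removed
thisVersion="$(grep -m 1 firejail ./RELNOTES | awk '{print $2}' | tr -d '()')"
[ -n "$thisVersion" ] || die "could not determine version from RELNOTES"
thisDebVersion="$thisVersion-$thisRelease"
# configure & compile
./configure --prefix=/usr --enable-apparmor || die "configure failed"
make || die "make failed"
# initial deb (not installed yet; it is rebuilt below with our own control file)
sudo checkinstall -y --pkgname "$package" --pkgversion "$thisVersion" --pkgrelease "$thisRelease" --install=no || die "checkinstall failed"
### deb re-assembling magic
# checkinstall leaves the package in the build dir; refuse to guess if
# there is not exactly one .deb to work from
set -- ./*.deb
if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
  die "expected exactly one .deb in $PWD"
fi
initial_deb="$1"
dpkg-deb --extract "$initial_deb" ./tbotnik
dpkg-deb --control "$initial_deb" ./tbotnik/DEBIAN
# move our template control file into place & modify the version #
control_tpl="${HOME}/Downloads/deb.control.${package}"
[ -f "$control_tpl" ] || die "missing control template $control_tpl"
sed "s/<version>/${thisDebVersion}/g" "$control_tpl" > ./tbotnik/DEBIAN/control
# add firejail profiles to DEBIAN/conffiles, one absolute path per line
: > ./tbotnik/DEBIAN/conffiles
for profile in ./tbotnik/etc/firejail/*; do
  [ -e "$profile" ] || continue
  printf '/etc/firejail/%s\n' "${profile##*/}" >> ./tbotnik/DEBIAN/conffiles
done
# correct the doc files (-f: not every checkout ships every file)
rm -f ./tbotnik/usr/share/doc/firejail/COPYING ./tbotnik/usr/share/doc/firejail/*.md
# gzip the changelog
gzip -c ./tbotnik/usr/share/doc/firejail/RELNOTES > ./tbotnik/usr/share/doc/firejail/changelog.Debian.gz
rm -f ./tbotnik/usr/share/doc/firejail/RELNOTES
# strip binaries & libs
strip ./tbotnik/usr/bin/firejail
strip ./tbotnik/usr/lib/firejail/libtrace.so
# set correct file ownership inside the deb
sudo chown -R root:root ./tbotnik
# the above drops the setuid root on firejail's binary!
#+ make sure to correct that
sudo chmod 4755 ./tbotnik/usr/bin/firejail
# re-assemble the deb in our Downloads folder. Name the output file
# explicitly so the install and cleanup steps below never pick up an
# older firejail_*.deb that happens to sit in ~/Downloads.
arch="$(sed -n 's/^Architecture:[[:space:]]*//p' ./tbotnik/DEBIAN/control)"
[ -n "$arch" ] || die "no Architecture field in control template"
out_deb="${HOME}/Downloads/${package}_${thisDebVersion}_${arch}.deb"
### install & notification
if dpkg-deb -b ./tbotnik "$out_deb"; then
  echo "installing.."
  if sudo dpkg -i "$out_deb"; then
    echo ""
    echo "${package} upgraded"
    rm -f -- "$out_deb"
  else
    echo ""
    echo "${package} ready for manual install via dpkg in ~/Downloads"
  fi
else
  echo ""
  echo "${package} build error"
  exit 1
fi
### post-install commands
cd "$HOME"
# tmpfs buildzone is removed by the EXIT trap
exit 0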
@TBotNik You'll need to chmod +x the script (rename it to whatever you want) and put the content of the above comment into $HOME/Downloads/deb.control.firejail,
or edit the path inside the script to wherever you put that file.
Regards
Package: firejail
Version: <version>
Architecture: amd64
Maintainer: netblue30 netblue30@yahoo.com
Installed-Size: 272
Depends: libc6
Section: admin
Priority: extra
Homepage: http://github.com/netblue30/firejail
Description: Linux namespaces sandbox program.
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission
and VLC.
.
Firejail also expands the restricted shell facility found in bash by
adding Linux namespace support. It also supports sandboxing SSH users
upon login.