@loopyd
Created September 2, 2019 11:47
Installs a sandboxed Firefox on Gentoo
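#!/bin/bash
#
# Install a sandboxed Firefox on Gentoo.  Firefox is built with a restricted
# USE set, installed owned by root:ff, and launched as a dedicated `ff`
# account that USERNAME may switch to through sudo.  Audio reaches
# USERNAME's PulseAudio daemon over a UNIX socket; `ff`'s network egress is
# limited with iptables.
#
# Usage:   <script> USERNAME        (must run as root)
#   USERNAME - existing account that is allowed to run Firefox as `ff`
#
# Writes:  /etc/portage/{package.use,package.accept_keywords,package.license}/firefox
#          /etc/portage/env/www-client/firefox, /etc/sudoers.d/ff
#          /usr/share/applications/firefox.desktop, /home/ff/*
#          /home/USERNAME/.config/pulse/default.pa, /etc/pulse/default.pa
#          iptables OUTPUT rules for uid ff (not persisted across reboot)
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Validate cli arguments.  USERNAME is written verbatim into a sudoers
# drop-in below, so an unknown name is fatal here (it used to only warn).
[[ -n "${1-}" ]] || die 'Invalid argument specified: missing username'
id -u "$1" >/dev/null 2>&1 || die 'Invalid argument specified: username does not exist'
(( EUID == 0 )) || die 'This script must run as root (it writes /etc and /usr)'
readonly USERNAME="$1"

echo 'Configuring system...'
cat <<'EOFDOC' > /etc/portage/package.use/firefox
www-client/firefox dbus geckodriver gmp-autoupdate hardened hwaccel screenshot system-av1 system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-sqlite system-webp wayland custom-optimization clangm gstreamer dev-db/sqlite secure-delete pulseaudio
media-libs/libvpx postproc
sys-devel/llvm gold
EOFDOC
cat <<'EOFDOC' > /etc/portage/package.accept_keywords/firefox
~sys-devel/clang-runtime-8.0.1 ~amd64
~sys-devel/llvm-8.0.1 ~amd64
~sys-libs/compiler-rt-8.0.1 ~amd64
~sys-devel/llvmgold-8 ~amd64
~sys-libs/compiler-rt-sanitizers-8.0.1 ~amd64
~sys-libs/libomp-8.0.1 ~amd64
~sys-devel/clang-8.0.1 ~amd64
~sys-devel/lld-8.0.1 ~amd64
EOFDOC
cat <<'EOFDOC' > /etc/portage/package.license/firefox
>=www-plugins/adobe-flash-32.0.0.238 AdobeFlash-11.x
EOFDOC

# Portage hook run after Firefox is installed into ${D}: the tree becomes
# root:ff, the owner's execute bit and the group's write bit are dropped,
# and `o-o` (GNU chmod accepts a who-letter as the permission set) clears
# every bit for others, so only root and members of `ff` can use it.  The
# quoted delimiter keeps ${D} unexpanded for Portage.
bashrc="/etc/portage/env/www-client/firefox"
mkdir -p -- "$(dirname -- "$bashrc")"
cat <<'EOFDOC' > "$bashrc"
post_src_install() {
chmod -R u-x,g-w,o-o ${D}
chown -R root:ff ${D}
}
EOFDOC

# Configure secure firefox sandbox
echo 'Configuring sandbox for Firefox...'
emerge x11-apps/xhost
# --user-group also creates the `ff` group that the Portage hook above
# chowns the install to, so the account must exist before Firefox is
# emerged.  Skipped when a previous run already created it.
if ! id -u ff >/dev/null 2>&1; then
  useradd --home=/home/ff --create-home --shell /bin/false --user-group ff
fi
# Let USERNAME run anything as ff without a password.  sudo only honours
# drop-ins that are not writable by anyone but root, and a malformed rule
# would make sudo refuse every invocation, so the file is validated and
# removed again if visudo rejects it.
printf '%s ALL=(ff) NOPASSWD: ALL\n' "$USERNAME" > /etc/sudoers.d/ff
chmod 0440 /etc/sudoers.d/ff
if ! visudo -cf /etc/sudoers.d/ff >/dev/null; then
  rm -f /etc/sudoers.d/ff
  die 'generated /etc/sudoers.d/ff failed visudo validation'
fi
chmod -R 770 /home/ff
gpasswd -a ff users
gpasswd -a ff video
gpasswd -a ff audio

# Emerging dependencies
echo 'Emerging Firefox ...'
emerge sys-devel/clang:8 =sys-devel/lld-8* dev-python/pyyaml media-libs/libwebp dev-db/sqlite media-libs/libvpx dev-libs/libevent media-libs/libjpeg-turbo dev-libs/icu media-libs/harfbuzz media-libs/dav1d gst-plugins-meta:1.0 gnome-base/gconf freshplayerplugin www-client/firefox

# Replace desktop file with sandboxed version.  `xhost si:localuser:ff`
# admits ff to the caller's X server; X11 has no isolation between clients,
# so this sandbox separates uid, filesystem and network, not the display.
echo 'Replacing desktop file for sandbox...'
rm -f /usr/share/applications/firefox.desktop
cat <<'EOFDOC' > /usr/share/applications/firefox.desktop
[Desktop Entry]
Name=Mozilla Firefox (Sandboxed)
Comment=Web Browser
Exec=sh -c 'xhost si:localuser:ff && sudo -u ff firefox %u'
Icon=firefox
Terminal=false
Type=Application
MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
Categories=Network;WebBrowser;
StartupNotify=true
EOFDOC

echo 'Configuring pulse sink...'
mkdir -p /home/ff/.config/pulse
cat <<'EOFDOC' > /home/ff/.asoundrc
pcm.default {
type pulse
}
ctl.default {
type pulse
}
EOFDOC
# USERNAME's PulseAudio daemon publishes a UNIX socket that ff connects to.
# auth-anonymous=1 disables cookie authentication, so auth-group=ff limits
# the socket to members of ff; the path under /tmp is still predictable and
# reachable by every local user, which is a known weakness of this design.
# The directory is created here (it used to be assumed) and handed to
# USERNAME, since this script runs as root.
user_pulse_dir="/home/$USERNAME/.config/pulse"
mkdir -p -- "$user_pulse_dir"
printf '%s\n' \
  '.include /etc/pulse/default.pa' \
  'load-module module-native-protocol-unix auth-anonymous=1 auth-group=ff socket=/tmp/pulse-socket' \
  > "$user_pulse_dir/default.pa"
chown -R -- "$USERNAME" "$user_pulse_dir"
printf '%s\n' 'default-server = unix:/tmp/pulse-socket' > /home/ff/.config/pulse/client.conf
chmod 644 /home/ff/.config/pulse/client.conf
gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosink pulsesink
gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosrc pulsesrc
sed -i -e 's/\#load\-module\ module\-alsa\-sink.*/load\-module\ module\-alsa\-sink\ device\=dmix/g' /etc/pulse/default.pa
sed -i -e 's/\#load\-module\ module\-alsa\-source\ device\=hw.*/load\-module\ module\-alsa\-source\ device\=dsnoop/g' /etc/pulse/default.pa

echo 'Permissions fix for ff user...'
# Hand the caller's existing profile to ff; skipped when there is none.
if [[ -d "/home/$USERNAME/.mozilla" ]]; then
  mv -- "/home/$USERNAME/.mozilla" ~ff/
fi
chown -R ff:ff /home/ff

# Configure firewall rules.  ACCEPT rules for ff restrict nothing on their
# own unless the OUTPUT chain ends in a deny for that uid, so one is
# appended after them; DNS and loopback are allowed first or Firefox cannot
# resolve names.  Each rule is added only if not already present, so the
# script can be re-run.  Rules are not persisted across reboot.
ff_rule() {
  iptables -C OUTPUT "$@" >/dev/null 2>&1 || iptables -A OUTPUT "$@"
}
ff_rule -p tcp --dport https -m owner --uid-owner ff -j ACCEPT
ff_rule -p tcp --dport http -m owner --uid-owner ff -j ACCEPT
ff_rule -p udp --dport domain -m owner --uid-owner ff -j ACCEPT
ff_rule -p tcp --dport domain -m owner --uid-owner ff -j ACCEPT
ff_rule -o lo -m owner --uid-owner ff -j ACCEPT
ff_rule -m owner --uid-owner ff -j REJECT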