Build a firejail rpm and install it.
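#!/bin/bash
# Copyright © 2020,2021 rusty-snake
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# Build a firejail RPM from the current source checkout and install it.
#
# Usage: run from the root of a firejail git checkout (./configure must exist).
#   1. Version comes from `./configure -V`, plus the short git commit id.
#   2. Release is one higher than the installed build of the *same* Version,
#      and restarts at 1 for a new Version or a first install.
#   3. A spec file is written into a private mktemp(1) rpm topdir, the
#      checkout is tarred up as Source0, and `rpmbuild -bb` runs there.
#   4. The binary RPM is moved into the cwd, installed with `sudo dnf install`,
#      and the local copy is removed afterwards.
# Requires: rpm, rpmbuild, git, tar, sudo, dnf. mpv is optional (completion
# sound only). mktemp honours $TMPDIR and falls back to /tmp.

set -euo pipefail

readonly NAME=firejail

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ -x ./configure ]] \
  || die "./configure not found: run this script from the root of a firejail checkout"

VERSION=$(./configure -V | head -n1 | cut -d" " -f3)
COMMIT=$(git rev-parse --short HEAD)
readonly VERSION COMMIT

# Release numbering: bump the installed Release only when rebuilding the same
# Version; otherwise (different Version, or nothing installed) start at 1.
# `rpm -q` exits non-zero when the package is not installed, so the queries are
# used directly as conditions instead of toggling `set -e` around them.
RELEASE=1
if installed_version=$(rpm -q --qf='%{VERSION}' "$NAME") \
   && [[ "$installed_version" == "$VERSION" ]]; then
  installed_release=$(rpm -q --qf='%{RELEASE}' "$NAME")
  # Only the leading digit run counts; the ".gitXXXX%{?dist}" suffix is dropped.
  if [[ "$installed_release" =~ ^[[:digit:]]+ ]]; then
    # 10# forces decimal so a leading zero is not parsed as octal.
    RELEASE=$(( 10#${BASH_REMATCH[0]} + 1 ))
  fi
fi
readonly RELEASE

# Private rpm topdir, removed on every exit path (including failures below).
TOPDIR=$(mktemp -dt "$NAME-build.XXXXXX")
readonly TOPDIR
trap 'rm -rf -- "${TOPDIR:?}"' EXIT

# Evaluate one rpm macro relative to the private topdir.
rpm_eval() {
  rpm --define "_topdir $TOPDIR" --eval "$1"
}

BUILDDIR=$(rpm_eval '%_builddir')
RPMDIR=$(rpm_eval '%_rpmdir')
SOURCEDIR=$(rpm_eval '%_sourcedir')
SPECDIR=$(rpm_eval '%_specdir')
SRPMDIR=$(rpm_eval '%_srcrpmdir')
mkdir -p -- "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"

# The heredoc delimiter is unquoted on purpose: $NAME/$VERSION/$RELEASE/$COMMIT
# are expanded now, while \$RPM_BUILD_ROOT and \$1 are escaped so they reach
# the %install and %preun scriptlets untouched. The %build step also appends a
# hardening block to firejail.config that switches off the features this build
# compiles out (chroot, file-transfer, network, overlayfs, x11) and forces
# nonewprivs to match --enable-force-nonewprivs.
cat <<EOF > "$SPECDIR/$NAME.spec"
Name: $NAME
Version: $VERSION
Release: $RELEASE.git$COMMIT%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: libselinux-devel
BuildRequires: vim-filesystem
BuildRequires: gcc
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%autosetup -c
%build
%configure \\
  --enable-selinux \\
  --enable-force-nonewprivs \\
  --disable-chroot \\
  --disable-file-transfer \\
  --disable-firetunnel \\
  --disable-network \\
  --disable-output \\
  --disable-overlayfs \\
  --disable-private-home \\
  --disable-x11
%make_build
echo "Appending the following to firejail.config for hardening ..."
cat << _EOF_ | tee -a etc/firejail.config
#############
# Hardening #
#############
# Disable bind features
bind no
# Disable cgroup features
cgroup no
# Disable chroot features
chroot no
# Disable dbus features
#dbus no
# Force disable-mnt
#disable-mnt yes
# Disable file transfer support
file-transfer no
# Force nonewprivs
force-nonewprivs yes
# Disable join support
#join no
# Disable network features
network no
# Disable overlayfs features
overlayfs no
# Disable private-bin feature
#private-bin no
# Disable private-cache feature
#private-cache no
# Disable private-etc feature
#private-etc no
# Disable private-home feature
#private-home no
# Enable or disable private-lib feature
#private-lib no
# Disable private-opt feature
#private-opt no
# Disable private-srv feature
#private-srv no
# Resrict network features to root only
restricted-network yes
# Deny seccomp
#seccomp no
# Deny noroot
#userns no
# Disable whitelist top level directories
#whitelist-disable-topdir /foo
# Deny x11
x11 no
_EOF_
%install
make install-strip DESTDIR=\$RPM_BUILD_ROOT
%post
firecfg.py || echo "WARNING: firecfg.py failed!"
%preun
if [[ "\$1" == "0" ]]; then
  #firecfg.py --clean
  rm -r /etc/firecfg.py/overrides
fi
exit 0
%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/ids.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_bindir}/jailcheck
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_datadir}/zsh/site-functions/_firejail
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man1/jailcheck.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{vimfiles_root}/ftdetect/firejail.vim
%{vimfiles_root}/syntax/firejail.vim
%license COPYING
EOF

# Source0 is the working tree as-is (respecting .gitignore, minus .git itself),
# so uncommitted local changes are built too.
tar --exclude-vcs-ignores --exclude="./.git" \
  --create --gzip --file "$SOURCEDIR/$NAME.tar.gz" .

# Drop --quiet to see the full compiler output.
rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR/$NAME.spec"

# Reconstruct the file name rpmbuild used; %{?dist} and %_arch are evaluated
# from the same macro configuration the build saw.
ARCH=$(rpm -E '%_arch')
DIST=$(rpm -E '%{?dist}')
RPM="$NAME-$VERSION-$RELEASE.git$COMMIT$DIST.$ARCH.rpm"
mv -- "$RPMDIR/$ARCH/$RPM" .

# Best-effort completion chime: a missing mpv or sound file must not prevent
# the install that follows.
if command -v mpv >/dev/null 2>&1; then
  mpv --msg-level=all=fatal /usr/share/sounds/freedesktop/stereo/complete.oga || true
fi

# If the install fails or is declined, set -e stops here and the RPM stays in
# the cwd for inspection.
sudo dnf install "$RPM"
rm -- "$RPM"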