SloppyWolf: Volatile Canid

Motivation

As I delve more and more into IT Security, I had to invent a ridiculous scenario for myself: if I ever run out of Live USBs and the only machine available comes from an untrustworthy acquaintance, how could I carry on with a (very) urgent critical operation without giving up any details to their host machine and, most importantly, without wasting ANY time?

Thanks to Flatpak, this idea is not hard to execute. At all.

Sadly I don't have enough time to explain myself, but taking advantage of Flatpak's sandbox and permissions system, one can also make ALL relevant directories underneath work with a volatile filesystem!

Requisites

  1. LibreWolf from Flathub
  2. Create /mnt/librewolf-downloads if you plan on using a volatile downloads folder too
  3. Systemd (in case you have swap and/or hibernate activated)

Instructions

Put sloppywolf.sh under /usr/local/bin and make it executable. This is the main script. It mounts/unmounts the ramfs accordingly.

Put sloppywolf-handler.sh under /lib/systemd/system-sleep/ and make it executable. This will take care of unmounting everything before hibernating.

Put sloppywolf.desktop under ~/.local/share/applications/. This will create a desktop launcher for Sloppy and even use its custom icon.

Put sloppywolf.png under /home/<your-username>/.local/share/icons/hicolor/128x128/apps/

Replace your username where necessary aaaand profit!

Notes

*If Flatpak ever becomes widely used, it might be plausible to think my acquaintance would have it already installed.

Credits

https://ubuntuforums.org/showthread.php?t=2473907&p=14090900#post14090900

sloppywolf-handler.sh

```sh
#!/bin/sh
# systemd-sleep hook: $1 is pre|post, $2 is the sleep action.
# Replace <your-username> before installing.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
case "$1" in
    pre)
        case "$2" in
            hibernate)
                # Act only if the profile directory is on the ramfs mounted by
                # sloppywolf.sh. That mount uses the source name "ramfs", which is
                # what df prints in its first column, so match on that.
                if df -h /home/<your-username>/.var/app/io.gitlab.librewolf-community | grep -q ramfs ; then
                    if pgrep librewolf ; then
                        killall librewolf
                    fi
                    # Shred
                    sudo find /run/user/1000/app/io.gitlab.librewolf-community -depth -type f -exec shred -v -n 1 -z -u {} \;
                    sudo find /mnt/librewolf-downloads -depth -type f -exec shred -v -n 1 -z -u {} \;
                    sudo find /home/<your-username>/.var/app/io.gitlab.librewolf-community -depth -type f -exec shred -v -n 1 -z -u {} \;
                    # Unmount
                    sudo umount /run/user/1000/app/io.gitlab.librewolf-community
                    sudo umount /mnt/librewolf-downloads
                    sudo umount /home/<your-username>/.var/app/io.gitlab.librewolf-community
                fi
                ;;
            suspend)
                # Duplicate code above if desired, although unnecessary for ramfs
                ;;
        esac
        ;;
    post)
        # Your code here
        ;;
esac
exit 0
```

sloppywolf.desktop

```ini
[Desktop Entry]
Name=SloppyWolf
# Points at the script as installed in the instructions above
Exec=/usr/local/bin/sloppywolf.sh
Comment=A fork of Firefox, focused on privacy, security and freedom.
Icon=/home/<your-username>/.local/share/icons/hicolor/128x128/apps/sloppywolf.png
Type=Application
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;application/x-xpinstall;application/pdf;application/json;
StartupWMClass=SloppyWolf
Categories=Network;WebBrowser;
StartupNotify=true
Terminal=false
X-MultipleArgs=false
Keywords=Internet;WWW;Browser;Web;Explorer;
```

sloppywolf.sh

```bash
#!/bin/bash
export user=$(logname)
exit_cleanup() {
    # Never shred unless the profile is really on ramfs: a cancelled or failed mount would otherwise wipe the on-disk profile
    if ! df -h "/home/$user/.var/app/io.gitlab.librewolf-community" | grep -q ramfs ; then exit "${x:-1}"; fi
    # Post: shred, then unmount ramfs in all relevant directories ("$1" is the user name passed below)
    pkexec sh -c '
        find /run/user/1000/app/io.gitlab.librewolf-community -depth -type f -exec shred -v -n 1 -z -u {} \; &&
        find /mnt/librewolf-downloads -depth -type f -exec shred -v -n 1 -z -u {} \; &&
        find /home/"$1"/.var/app/io.gitlab.librewolf-community -depth -type f -exec shred -v -n 1 -z -u {} \; &&
        umount /home/"$1"/.var/app/io.gitlab.librewolf-community &&
        umount /run/user/1000/app/io.gitlab.librewolf-community &&
        umount /mnt/librewolf-downloads
    ' post "$user"
    exit "${x:-1}"
}
# Refuse to start if a regular (non-ramfs) LibreWolf session is running.
# The mounts below use the source name "ramfs", which is what df prints.
if ! df -h "/home/$user/.var/app/io.gitlab.librewolf-community" | grep -q ramfs && pgrep librewolf ; then
    notify-send 'Close all running instances of LibreWolf before launching SloppyWolf!'
    exit 1
fi
# Pre: Mount ramfs in directories
trap exit_cleanup EXIT
mkdir -p /run/user/1000/app/io.gitlab.librewolf-community && pkexec sh -c '
    mount -t ramfs -o mode=777 ramfs /home/"$1"/.var/app/io.gitlab.librewolf-community &&
    mount -t ramfs -o mode=755 ramfs /run/user/1000/app/io.gitlab.librewolf-community &&
    mount -t ramfs -o mode=766 ramfs /mnt/librewolf-downloads
' pre "$user" &&
# While: Change privileges to 755 for security reasons & run
sh -c 'pkexec chmod 755 /home/"$1"/.var/app/io.gitlab.librewolf-community & /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=librewolf --file-forwarding io.gitlab.librewolf-community' pre "$user"
x=$?
```
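
Both scripts decide whether the volatile mounts are in place by grepping `df` output. As an added example (not part of the original gist), the check below reads mountinfo directly and confirms that each directory is itself a ramfs mount point; `fstype_at`, `all_ramfs`, `sample_mountinfo` and the user `alice` are names made up for the illustration, and the mountinfo lines are constructed.

```shell
#!/bin/sh
# Added example: verify that directories are ramfs mount points by parsing
# mountinfo. Assumes mount points without spaces (mountinfo escapes those).

# fstype_at DIR [MOUNTINFO]: print the filesystem type mounted exactly at DIR.
# With stacked mounts the last entry, which is the visible one, wins.
fstype_at() {
    awk -v dir="$1" '
        $5 == dir {
            # Optional fields end at a lone "-"; the fstype follows it.
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fs = $(i + 1); break }
        }
        END { if (fs == "") exit 1; print fs }
    ' "${2:-/proc/self/mountinfo}"
}

# all_ramfs MOUNTINFO DIR...: succeed only if every DIR is a ramfs mount.
all_ramfs() {
    info=$1
    shift
    for d in "$@"; do
        if [ "$(fstype_at "$d" "$info")" != ramfs ]; then
            echo "not on ramfs: $d" >&2
            return 1
        fi
    done
}

# Constructed sample: "alice" is a made-up user, and the downloads directory
# is deliberately left on disk (ext4) to show the failing case.
sample_mountinfo() {
    cat <<'EOF'
36 25 0:32 / /run/user/1000 rw,nosuid,nodev shared:20 - tmpfs tmpfs rw,mode=700
90 36 0:55 / /run/user/1000/app/io.gitlab.librewolf-community rw,relatime shared:60 - ramfs ramfs rw,mode=755
91 28 0:56 / /home/alice/.var/app/io.gitlab.librewolf-community rw,relatime - ramfs ramfs rw,mode=777
92 25 8:2 / /mnt/librewolf-downloads rw,relatime shared:62 - ext4 /dev/sda2 rw
EOF
}

tmp=$(mktemp)
sample_mountinfo > "$tmp"
all_ramfs "$tmp" /run/user/1000/app/io.gitlab.librewolf-community \
    /home/alice/.var/app/io.gitlab.librewolf-community && echo "profile: volatile"
all_ramfs "$tmp" /mnt/librewolf-downloads || echo "downloads: would hit disk"
rm -f "$tmp"
```

Run against the live system by omitting the second argument of `fstype_at`, which then reads /proc/self/mountinfo.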