This allows a jail to have a VPN config associated and as a result we start
a new net namespace, completely isolating the jails networking.
We then start an openVPN client to route between the main network and the
jails' network.
The main limitation here is that we don't setup DNS, which basically means
that the VPN will route DNS calls to the other side, but since we don't
remount resolv.conf this depends on the vpn provider actually mapping the
nameserver we use. For people that use a nameserver like 192.168.100.1,
this most of the time works just fine.
Improvement is possible.
We resolve a symlink to an exe now only at the time we start the
application, avoiding the target being the one ending up in the config
file instead of the symlink.
The same now happens with the insertion of '/shared/' in the path
should the (resolved) exe path be in the users' homedir.
The audio permission allows hiding of pulse audio and pipewire sockets.
The kde session (ksmserver) socket and state files allowing some more
apps to run properly.
When starting a new application for the first time you can
start them with these two feature.
Autodelete:
this waits until the iso-pipe file is removed by the jailer,
which it does when all processes stopped,
and then proceeds to remove all files for the jail.
Secure:
Puts all known rights in the 'denied' list, making the jail
quite secure. Not a VM or a docker, but close.
This moves the primary key for a 'jail' to no longer be the executable
path, but instead a name.
In many cases that string will be based on the executable path, for
instance it will take the filename if the exe lives in /bin or /usr/bin
so in that respect nothing will change.
What this does allow is that you can have two different profiles that
both map to the same executabe. Allowing for instance having two
completely isolated instances running of telegram or of firefox.
The defaults are not 'secure', as they would be annoying to the max.
This is an isolation runner, removing a lot of attack vectors, for sure
but the name would give the wrong impression with defaults like we have
now.
This introduces the command execute-apprules which behaves like
an 'include' as it recurses into the app specific file.
If there is no app specific one, it will load the default.rules
Notable too is that in an app specific rules file the usage of
execute-apprules will always go to default.rules, to avoid
copy / paste of rules.
tomFlowee