20 Commits

Author SHA1 Message Date
tomFlowee c0f579ff6d add VPN feature
This allows a jail to have a VPN config associated and as a result we start
a new net namespace, completely isolating the jail's networking.
We then start an OpenVPN client to route between the main network and the
jails' network.

The main limitation here is that we don't set up DNS, which basically means
that the VPN will route DNS calls to the other side, but since we don't
remount resolv.conf this depends on the VPN provider actually mapping the
nameserver we use. For people that use a nameserver like 192.168.100.1,
this most of the time works just fine.

Improvement is possible.
2026-04-11 15:06:44 +02:00
tomFlowee 002cdf4c08 Seems that hyprland always uses 1 2025-11-18 21:37:30 +01:00
tomFlowee c8fcc71bd2 Another change after wayland 2024-05-23 22:27:51 +02:00
tomFlowee 9c1d33ff6e Add wayland support 2024-05-23 20:09:41 +02:00
tomFlowee 49130ecaf1 Add docker support 2024-05-02 23:19:55 +02:00
tomFlowee 1cf0e006a5 Make ssh agent file copying a 'try' 2024-03-09 11:08:52 +01:00
tomFlowee 0b2136cca1 Limit view.
Telegram is only buildable by the company, not by distros AFAIK.
So trust is lowered and this limits exposure to just your download
directory.
2024-03-07 11:21:30 +01:00
tomFlowee cb7a293835 Also hide /var/log 2024-02-26 11:27:12 +01:00
tomFlowee 82a0f22d58 Add audio permission and copy kde session server
The audio permission allows hiding of pulse audio and pipewire sockets.

The kde session (ksmserver) socket and state files allow some more
apps to run properly.
2024-02-26 10:49:40 +01:00
tomFlowee 825dfb73bd Add dbus-proxy support
We re-route the dbus socket to a different location and then start
the dbus proxy in order to provide a filtered view of the world for our
jailed application.

DBus is a fantastic and a horrible system at the same time. It provides
only basic concepts and features which others can build on top of. Which
is great as many have done that building on top of it.
Unfortunately many apps have completely missed the idea of security and
hierarchy so it's a mess now and you can't really open up most to apps...

Favourite stupid design, the org.freedesktop.Notifications has under
there the 'klipper' app. With an endpoint to destroy all its historical
data. Making 'just open the notifications, what could go wrong' end with
pain.
2024-02-20 19:14:25 +01:00
tomFlowee b9a5f9babe Add support for 'media' permission 2024-02-19 12:30:57 +01:00
tomFlowee 735abb7c1f Make a start with /run
This improves rbind to create the target dirs, if needed.
We also detect if the source is a socket and instead create a file to
mount on top of.
2024-02-19 12:22:45 +01:00
tomFlowee f805e8f2ce Have app-specific rules
This introduces the command execute-apprules which behaves like
an 'include' as it recurses into the app specific file.

If there is no app specific one, it will load the default.rules.

Notable too is that in an app specific rules file the usage of
execute-apprules will always go to default.rules, to avoid
copy / paste of rules.
2024-02-19 10:47:36 +01:00
tomFlowee c88cf37d8e Add the homedir and git permissions 2024-02-18 23:50:34 +01:00
tomFlowee aac648cfc6 Add if statements backend code 2024-02-18 00:22:50 +01:00
tomFlowee 2489e77a09 Fix copy command to be much more useful.
It can create directories now to copy into.
2024-02-17 21:53:28 +01:00
tomFlowee 846aa8f4a9 Add 'shared' and env vars
This moves the final mounts to the rules file and creates the default
setup where the app has the user's homedir available under a 'shared'
subdir.

This also introduces environment variables support, filtering out all
easy targets and additionally setting the config / data dirs to not be
hidden dirs.
2024-02-17 18:11:48 +01:00
tomFlowee de6162b149 Do the backend work for env-vars cleanup 2024-02-17 01:03:43 +01:00
tomFlowee 089c74ad01 Add copy and fix lots of issues 2024-02-16 16:54:09 +01:00
tomFlowee e1ac8745a6 Move policy rules to a rules file. 2024-02-15 23:39:04 +01:00