c0f579ff6d
This allows a jail to have a VPN config associated with it; as a result we start a new net namespace, completely isolating the jail's networking. We then start an OpenVPN client to route between the main network and the jail's network. The main limitation here is that we don't set up DNS, which basically means that the VPN will route DNS calls to the other side, but since we don't remount resolv.conf this depends on the VPN provider actually mapping the nameserver we use. For people who use a nameserver like 192.168.100.1 this most of the time works just fine. Improvement is possible.
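# Default ruleset to get a simple application running
#
# The commands are:
#
# bind <from> <to>
#     take from the current filesystem a single directory and make it
#     available elsewhere. See the -rbind argument on /usr/bin/mount
# tmpfs <target>
#     create a tmpfs on the full path 'target'. Useful to hide sensitive
#     content.
# umount <path>
#     un-mount a mounted 'drive'.
# copy <from> <to>
#     copy a file into the target directory; globs work, see the
#     xauth_* rules below.
# setPermissionDefault <keyword> allowed|denied
#     set the default for a permission keyword, read by the 'if'
#     conditionals below.
# execute-apprules
#     run the rules of the current app at this point (see the comment
#     where it is used).
# setEnv <NAME>=<value>
# unsetEnv <NAME>
#     set / remove an environment variable for the jailed app.
#
# try
#     Prefix any command with 'try' to make its failure non-fatal.
#     Things like 'copy' or tmpfs also do not auto-create a target
#     directory if this is a 'try'
#
# ---- replacement variables.
# $HOME     the actual homedir of the user
# $APPHOME  the location of the app-jail
# $USERID   used below in the /run/user/$USERID paths (presumably the
#           numeric uid of the user; verify against the runner)
# $JAILID   used below to name the network namespace of this jail
#
# Notice that those variables are set at the start, as you do binds
# etc they may change and the variables will not be auto-updated to
# follow.
#
# ---- conditionals
# if [denied|allowed] <keyword>
#     # do stuff
# endif
#

# NOTE(review): the source dir is 'kdedefaults' but the target is
# 'kdefaults' — confirm the app expects that name.
copy $HOME/.config/kdedefaults/kdeglobals $APPHOME/config/kdefaults/
copy $HOME/.config/kdeglobals $APPHOME/config/

# /tmp becomes an empty tmpfs; the real one stays reachable at /var/tmp
# until the few sockets we actually need are bound back.
bind /tmp /var/tmp
umount /tmp
tmpfs /tmp
# x11 support
# X11 does not isolate its clients from each other, so this socket is the
# weakest point of the jail; wayland (below) is the better path where the
# app supports it.
try bind /var/tmp/.X11-unix /tmp/.X11-unix
# xauth was in /tmp before wayland.
try copy /var/tmp/xauth_* /tmp/
# KDE sessions management server
try bind /var/tmp/.ICE-unix /tmp/.ICE-unix

setPermissionDefault dbus allowed
setPermissionDefault docker denied
setPermissionDefault dbus-system denied
setPermissionDefault git denied
setPermissionDefault ssh denied
# Give access to documents in homedir in the 'shared' dir.
setPermissionDefault homedir allowed
# media is 'mounts', like a USB device
setPermissionDefault media allowed
# access to things like pulseaudio and pipewire
setPermissionDefault audio allowed

# if there are specific rules for the current app,
# execute them here.
# If no rules exist for the current app, run 'default.rules'
execute-apprules

# this one is critical, move the app into its little 'jail'
bind $APPHOME $HOME
# undo the bind from above
try umount /var/tmp

# backup of /run
bind /run /var/tmp
# blank out /run
tmpfs /run
# then bring back stuff we actually need
copy /var/tmp/user/$USERID/KSMserver* /run/user/$USERID/
# wayland support
try bind /var/tmp/user/$USERID/wayland-0 /run/user/$USERID/wayland-0
try bind /var/tmp/user/$USERID/wayland-1 /run/user/$USERID/wayland-1
try bind /var/tmp/user/$USERID/wayland-0.lock /run/user/$USERID/wayland-0.lock
try bind /var/tmp/user/$USERID/wayland-1.lock /run/user/$USERID/wayland-1.lock
try copy /var/tmp/user/$USERID/xauth_* /run/user/$USERID/

if allowed dbus
bind /var/tmp/user/$USERID/bus /run/dbus/user-global
# the targets should not be changed, the runner will
# start the dbus proxy expecting these path.
endif
if allowed dbus-system
bind /var/tmp/dbus/system_bus_socket /run/dbus/system-global
# same as above, dbus proxy can be started.
endif
if allowed ssh
try copy /var/tmp/user/$USERID/ssh-agent /run/user/$USERID/ssh-agent
endif

# give access to pipewire and pulse
if allowed audio
try bind /var/tmp/user/$USERID/pipewire-0 /run/user/$USERID/pipewire-0
try bind /var/tmp/user/$USERID/pipewire-0.lock /run/user/$USERID/pipewire-0.lock
try bind /var/tmp/user/$USERID/pipewire-0-manager /run/user/$USERID/pipewire-0-manager
try bind /var/tmp/user/$USERID/pipewire-0-manager.lock /run/user/$USERID/pipewire-0-manager.lock
try bind /var/tmp/user/$USERID/pulse /run/user/$USERID/pulse
endif

if allowed media
bind /var/tmp/media /run/media
endif
if allowed docker
try bind /var/tmp/docker/ /run/docker
try bind /var/tmp/docker.pid /run/docker.pid
try bind /var/tmp/docker.sock /run/docker.sock
endif

# only relevant if there is a VPN setup, but harmless otherwise
# NOTE(review): /var/tmp is the host's /run here, so this source resolves
# to /run/run/netns/... — confirm the runner really places the namespace
# there (the usual location would be /var/tmp/netns/..., i.e. /run/netns).
# Also, being a 'try' the target dir is not auto-created and /run was just
# replaced by an empty tmpfs; confirm /var/run/netns exists at this point.
try bind /var/tmp/run/netns/iso-jail$JAILID /var/run/netns/

try umount /var/tmp
# overwrite /var/tmp making its content invisible
tmpfs /var/tmp

if allowed homedir
# hide some stuff.
# notice that the 'try' here is so 'tmpfs'
# doesn't attempt to create a directory first.
try tmpfs $HOME/shared/.config
try tmpfs $HOME/shared/.local
try tmpfs $HOME/shared/.cache
try tmpfs $HOME/shared/.docker
try tmpfs $HOME/shared/.gnupg
endif

# ssh is denied by default and the agent socket is only copied in when
# allowed, but the private keys in the shared homedir stayed visible.
# Hide them like .gnupg above; 'try' so a missing 'shared' is harmless.
if denied ssh
try tmpfs $HOME/shared/.ssh
endif

# env vars

setEnv XDG_CONFIG_HOME=$HOME/config
setEnv XDG_DATA_HOME=$HOME/data
setEnv XDG_CONFIG_DIRS=$HOME/config:/etc/xdg

if denied git
unsetEnv GIT_COMMITTER_NAME
unsetEnv GIT_AUTHOR_NAME
unsetEnv EMAIL
endif
unsetEnv PAM_KWALLETS_LOGIN
unsetEnv MAIL
unsetEnv SYSTEMD_EXEC_PID

if denied dbus
unsetEnv DBUS_SESSION_BUS_ADDRESS
endif

if denied ssh
unsetEnv SSH_AGENT
unsetEnv SSH_AGENT_PID
unsetEnv SSH_AUTH_SOCK
endif

tmpfs /var/log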