loopyd · September 2, 2019 11:47
diff --git a/sandboxed-firefox-installer.sh b/sandboxed-firefox-installer.sh
 #!/bin/bash

 # Validate cli arguments
 if [[ "$1 x" == " x" ]]; then
    >&2 echo 'Invalid argument specified:  missing username'
    exit
 fi
 if ! id -u $1 ; then
    >&2 echo 'Invalid argument specified: username does not exist'
 fi

 USERNAME="$1"

 echo 'Configuring system...'
 cat <<'EOFDOC' > /etc/portage/package.use/firefox
 www-client/firefox dbus geckodriver gmp-autoupdate hardened hwaccel screenshot system-av1 system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-sqlite system-webp wayland custom-optimization clangm gstreamer dev-db/sqlite secure-delete pulseaudio
 media-libs/libvpx postproc
 sys-devel/llvm gold
 EOFDOC
 cat <<'EOFDOC' > /etc/portage/package.accept_keywords/firefox
 ~sys-devel/clang-runtime-8.0.1 ~amd64
 ~sys-devel/llvm-8.0.1 ~amd64
 ~sys-libs/compiler-rt-8.0.1 ~amd64
 ~sys-devel/llvmgold-8 ~amd64
 ~sys-libs/compiler-rt-sanitizers-8.0.1 ~amd64
 ~sys-libs/libomp-8.0.1 ~amd64
 ~sys-devel/clang-8.0.1 ~amd64
 ~sys-devel/lld-8.0.1 ~amd64
 EOFDOC
 cat <<'EOFDOC' > /etc/portage/package.license/firefox
 >=www-plugins/adobe-flash-32.0.0.238 AdobeFlash-11.x
 EOFDOC
 bashrc="/etc/portage/env/www-client/firefox"
 mkdir -p $(dirname $bashrc)
 echo "post_src_install() {
  chmod -R u-x,g-w,o-o \${D}
  chown -R root:ff \${D}
 }" > $bashrc

 # Configure secure firefox sandbox
 echo 'Configuring sandbox for Firefox...'
 emerge x11-apps/xhost
 sudo useradd --home=/home/ff --create-home --shell /bin/false --user-group ff
 echo "$USERNAME ALL=(ff) NOPASSWD: ALL" > /etc/sudoers.d/ff
 chmod -R 770 /home/ff
 gpasswd -a ff users
 gpasswd -a ff video
 gpasswd -a ff audio

 # Emerging dependencies
 echo 'Emerging Firefox ...'
 emerge sys-devel/clang:8 =sys-devel/lld-8* dev-python/pyyaml media-libs/libwebp dev-db/sqlite media-libs/libvpx dev-libs/libevent media-libs/libjpeg-turbo dev-libs/icu media-libs/harfbuzz media-libs/dav1d gst-plugins-meta:1.0 gnome-base/gconf freshplayerplugin www-client/firefox

 # Replace desktop file with sandboxed verison
 echo 'Replacing desktop file for sandbox...'
 rm -f /usr/share/applications/firefox.desktop
 cat <<'EOFDOC' > /usr/share/applications/firefox.desktop
 [Desktop Entry]
 Name=Mozilla Firefox (Sandboxed)
 Comment=Web Browser
 Exec=sh -c 'xhost si:localuser:ff && sudo -u ff firefox %u'
 Icon=firefox
 Terminal=false
 Type=Application
 MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
 Categories=Network;WebBrowser;
 StartupNotify=true
 EOFDOC

 echo 'Configuring pulse sink...'
 mkdir -p /home/ff/.config/pulse
 cat <<'EOFDOC' > /home/ff/.asoundrc
 pcm.default {
        type pulse
 }

 ctl.default {
        type pulse
 }
 EOFDOC
 echo -e ".include /etc/pulse/default.pa\nload-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/pulse-socket" > /home/$USERNAME/.config/pulse/default.pa
 echo -e "default-server = unix:/tmp/pulse-socket" > /home/ff/.config/pulse/client.conf
 chmod 644 /home/ff/.config/pulse/client.conf
 gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosink pulsesink
 gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosrc pulsesrc
 sed -i -e 's/\#load\-module\ module\-alsa\-sink.*/load\-module\ module\-alsa\-sink\ device\=dmix/g' /etc/pulse/default.pa
 sed -i -e 's/\#load\-module\ module\-alsa\-source\ device\=hw.*/load\-module\ module\-alsa\-source\ device\=dsnoop/g' /etc/pulse/default.pa

 echo 'Permissions fix for ff user...'
 mv /home/$USERNAME/.mozilla ~ff/
 chown -R ff:ff /home/ff

 # Configure firewall rules
 iptables -A OUTPUT -p TCP --dport https -m owner --uid-owner ff -j ACCEPT
 iptables -A OUTPUT -p TCP --dport http -m owner --uid-owner ff -j ACCEPT
	#!/bin/bash

	# Validate cli arguments
	if [[ "$1 x" == " x" ]]; then
	>&2 echo 'Invalid argument specified: missing username'
	exit
	fi
	if ! id -u $1 ; then
	>&2 echo 'Invalid argument specified: username does not exist'
	fi

	USERNAME="$1"

	echo 'Configuring system...'
	cat <<'EOFDOC' > /etc/portage/package.use/firefox
	www-client/firefox dbus geckodriver gmp-autoupdate hardened hwaccel screenshot system-av1 system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-sqlite system-webp wayland custom-optimization clangm gstreamer dev-db/sqlite secure-delete pulseaudio
	media-libs/libvpx postproc
	sys-devel/llvm gold
	EOFDOC
	cat <<'EOFDOC' > /etc/portage/package.accept_keywords/firefox
	~sys-devel/clang-runtime-8.0.1 ~amd64
	~sys-devel/llvm-8.0.1 ~amd64
	~sys-libs/compiler-rt-8.0.1 ~amd64
	~sys-devel/llvmgold-8 ~amd64
	~sys-libs/compiler-rt-sanitizers-8.0.1 ~amd64
	~sys-libs/libomp-8.0.1 ~amd64
	~sys-devel/clang-8.0.1 ~amd64
	~sys-devel/lld-8.0.1 ~amd64
	EOFDOC
	cat <<'EOFDOC' > /etc/portage/package.license/firefox
	>=www-plugins/adobe-flash-32.0.0.238 AdobeFlash-11.x
	EOFDOC
	bashrc="/etc/portage/env/www-client/firefox"
	mkdir -p $(dirname $bashrc)
	echo "post_src_install() {
	chmod -R u-x,g-w,o-o \${D}
	chown -R root:ff \${D}
	}" > $bashrc

	# Configure secure firefox sandbox
	echo 'Configuring sandbox for Firefox...'
	emerge x11-apps/xhost
	sudo useradd --home=/home/ff --create-home --shell /bin/false --user-group ff
	echo "$USERNAME ALL=(ff) NOPASSWD: ALL" > /etc/sudoers.d/ff
	chmod -R 770 /home/ff
	gpasswd -a ff users
	gpasswd -a ff video
	gpasswd -a ff audio

	# Emerging dependencies
	echo 'Emerging Firefox ...'
	emerge sys-devel/clang:8 =sys-devel/lld-8* dev-python/pyyaml media-libs/libwebp dev-db/sqlite media-libs/libvpx dev-libs/libevent media-libs/libjpeg-turbo dev-libs/icu media-libs/harfbuzz media-libs/dav1d gst-plugins-meta:1.0 gnome-base/gconf freshplayerplugin www-client/firefox

	# Replace desktop file with sandboxed verison
	echo 'Replacing desktop file for sandbox...'
	rm -f /usr/share/applications/firefox.desktop
	cat <<'EOFDOC' > /usr/share/applications/firefox.desktop
	[Desktop Entry]
	Name=Mozilla Firefox (Sandboxed)
	Comment=Web Browser
	Exec=sh -c 'xhost si:localuser:ff && sudo -u ff firefox %u'
	Icon=firefox
	Terminal=false
	Type=Application
	MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
	Categories=Network;WebBrowser;
	StartupNotify=true
	EOFDOC

	echo 'Configuring pulse sink...'
	mkdir -p /home/ff/.config/pulse
	cat <<'EOFDOC' > /home/ff/.asoundrc
	pcm.default {
	type pulse
	}

	ctl.default {
	type pulse
	}
	EOFDOC
	echo -e ".include /etc/pulse/default.pa\nload-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/pulse-socket" > /home/$USERNAME/.config/pulse/default.pa
	echo -e "default-server = unix:/tmp/pulse-socket" > /home/ff/.config/pulse/client.conf
	chmod 644 /home/ff/.config/pulse/client.conf
	gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosink pulsesink
	gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosrc pulsesrc
	sed -i -e 's/\#load\-module\ module\-alsa\-sink.*/load\-module\ module\-alsa\-sink\ device\=dmix/g' /etc/pulse/default.pa
	sed -i -e 's/\#load\-module\ module\-alsa\-source\ device\=hw.*/load\-module\ module\-alsa\-source\ device\=dsnoop/g' /etc/pulse/default.pa

	echo 'Permissions fix for ff user...'
	mv /home/$USERNAME/.mozilla ~ff/
	chown -R ff:ff /home/ff

	# Configure firewall rules
	iptables -A OUTPUT -p TCP --dport https -m owner --uid-owner ff -j ACCEPT
	iptables -A OUTPUT -p TCP --dport http -m owner --uid-owner ff -j ACCEPT