From 53a91c6f24c61d5428a4d500392bccb15e7b0a0d Mon Sep 17 00:00:00 2001
From: "Lucas S. Beiler" <lucasbeiler@protonmail.com>
Date: Fri, 8 Jan 2021 13:55:13 -0300
Subject: [PATCH] Remove firejail entirely

Currently, I create my own sandboxing mechanisms using bubblewrap, seccomp-bpf and AppArmor. Also, Firejail is supposed to be somewhat insecure: https://github.com/netblue30/firejail/issues/3046
---
 arch_install.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/arch_install.sh b/arch_install.sh
index c6f6d2d..1b27d1f 100755
--- a/arch_install.sh
+++ b/arch_install.sh
@@ -23,7 +23,7 @@ CPU_PACKAGES="${CPU_VENDOR}-ucode" # Microcode - Change it accordingly
 LATEST_TORBROWSER_VERSION=$(curl -s 'https://www.torproject.org/download/' | grep -m1 -oP '(?<=/dist/torbrowser/).*?(?=/tor-browser-linux64)')
 TORBROWSER_DEPENDS="mozilla-common libxt startup-notification mime-types dbus-glib alsa-lib desktop-file-utils hicolor-icon-theme libvpx icu libevent nss hunspell sqlite"
 KERNEL="linux-hardened"
-PACSTRAP_PACKAGES="base base-devel vim ${KERNEL} ${KERNEL}-headers linux-firmware lvm2 ${CPU_PACKAGES} ${GPU_PACKAGES} iwd zip openssh docker-compose xorg-server xorg-xinit xorg-xrandr xorg-xsetroot feh picom apparmor neofetch git man unzip code flameshot unrar ttf-opensans terminus-font ttf-font-awesome gptfdisk dmenu pulseaudio pavucontrol alsa-utils telegram-desktop bubblewrap-suid irssi tor neomutt virtualbox openbsd-netcat ttf-liberation sqlmap nano firejail ${TORBROWSER_DEPENDS}"
+PACSTRAP_PACKAGES="base base-devel vim ${KERNEL} ${KERNEL}-headers linux-firmware lvm2 ${CPU_PACKAGES} ${GPU_PACKAGES} iwd zip openssh docker-compose xorg-server xorg-xinit xorg-xrandr xorg-xsetroot feh picom apparmor neofetch git man unzip code flameshot unrar ttf-opensans terminus-font ttf-font-awesome gptfdisk dmenu pulseaudio pavucontrol alsa-utils telegram-desktop bubblewrap-suid irssi tor neomutt virtualbox openbsd-netcat ttf-liberation sqlmap nano ${TORBROWSER_DEPENDS}"
 ADDITIONAL_INITRD="initrd /${CPU_VENDOR}-ucode.img"
 DISK_BY_ID="$(ls /dev/disk/by-id/nvme-Force_MP510*)" # You will surely need to change this one.
 LVM_VG_LABEL="vg0"
@@ -253,10 +253,6 @@ arch-chroot /mnt systemctl enable apparmor iptables iwd
 # initcpio creation
 arch-chroot /mnt mkinitcpio -p ${KERNEL}
 
-## Parse and enforce firejail's AppArmor profile.
-arch-chroot /mnt apparmor_parser -r /etc/apparmor.d/firejail-default
-arch-chroot /mnt aa-enforce firejail-default
-
 # Let's save the sha256sum of the files from /boot 
 # and save/copy this installation script from here to somewhere in the installed system)
 sh -c "arch-chroot /mnt find /boot -type f -exec sha256sum {} \;" > /mnt/home/hashes.txt