Remove firejail entirely
Currently, I create my own sandboxing mechanisms using bubblewrap, seccomp-bpf and AppArmor. Also, Firejail is supposed to be somewhat insecure: netblue30/firejail#3046
lucasbeiler committed Jan 8, 2021
1 parent c4da01a commit b247395
Showing 1 changed file with 1 addition and 5 deletions.
6 changes: 1 addition & 5 deletions arch_install.sh
Expand Up @@ -23,7 +23,7 @@ CPU_PACKAGES="${CPU_VENDOR}-ucode" # Microcode - Change it accordingly
LATEST_TORBROWSER_VERSION=$(curl -s 'https://www.torproject.org/download/' | grep -m1 -oP '(?<=/dist/torbrowser/).*?(?=/tor-browser-linux64)')
TORBROWSER_DEPENDS="mozilla-common libxt startup-notification mime-types dbus-glib alsa-lib desktop-file-utils hicolor-icon-theme libvpx icu libevent nss hunspell sqlite"
KERNEL="linux-hardened"
PACSTRAP_PACKAGES="base base-devel vim ${KERNEL} ${KERNEL}-headers linux-firmware lvm2 ${CPU_PACKAGES} ${GPU_PACKAGES} iwd zip openssh docker-compose xorg-server xorg-xinit xorg-xrandr xorg-xsetroot feh picom apparmor neofetch git man unzip code flameshot unrar ttf-opensans terminus-font ttf-font-awesome gptfdisk dmenu pulseaudio pavucontrol alsa-utils telegram-desktop bubblewrap-suid irssi tor neomutt virtualbox openbsd-netcat ttf-liberation sqlmap nano firejail ${TORBROWSER_DEPENDS}"
PACSTRAP_PACKAGES="base base-devel vim ${KERNEL} ${KERNEL}-headers linux-firmware lvm2 ${CPU_PACKAGES} ${GPU_PACKAGES} iwd zip openssh docker-compose xorg-server xorg-xinit xorg-xrandr xorg-xsetroot feh picom apparmor neofetch git man unzip code flameshot unrar ttf-opensans terminus-font ttf-font-awesome gptfdisk dmenu pulseaudio pavucontrol alsa-utils telegram-desktop bubblewrap-suid irssi tor neomutt virtualbox openbsd-netcat ttf-liberation sqlmap nano ${TORBROWSER_DEPENDS}"
ADDITIONAL_INITRD="initrd /${CPU_VENDOR}-ucode.img"
DISK_BY_ID="$(ls /dev/disk/by-id/nvme-Force_MP510*)" # You will surely need to change this one.
LVM_VG_LABEL="vg0"
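Review bot: the only change in this hunk is dropping `firejail` from PACSTRAP_PACKAGES, but `bubblewrap-suid` stays and nothing in the script says why the setuid build was chosen over plain `bubblewrap`. Since KERNEL is `linux-hardened`, which ships with unprivileged user namespaces disabled by default, the setuid variant is the one that will actually work there, and it then becomes the trust root of the replacement sandbox the commit message describes; a one-line comment next to `bubblewrap-suid` stating that dependency would save the next reader from swapping it for the non-suid package and getting a sandbox that fails to start.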
Expand Down Expand Up @@ -253,10 +253,6 @@ arch-chroot /mnt systemctl enable apparmor iptables iwd
# initcpio creation
arch-chroot /mnt mkinitcpio -p ${KERNEL}

## Parse and enforce firejail's AppArmor profile.
arch-chroot /mnt apparmor_parser -r /etc/apparmor.d/firejail-default
arch-chroot /mnt aa-enforce firejail-default

# Let's save the sha256sum of the files from /boot
# and save/copy this installation script from here to somewhere in the installed system)
sh -c "arch-chroot /mnt find /boot -type f -exec sha256sum {} \;" > /mnt/home/hashes.txt
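Review bot: removing the `apparmor_parser -r /etc/apparmor.d/firejail-default` and `aa-enforce firejail-default` lines is consistent with the package removal, but after this hunk the script loads and enforces no profile at all, even though the commit message says the replacement sandbox relies on AppArmor. If the custom profiles live outside the package set, this is the place to copy them into `/mnt/etc/apparmor.d/` and enforce them with the same `arch-chroot /mnt apparmor_parser -r` / `aa-enforce` pattern that was just deleted; otherwise the `systemctl enable apparmor` in the context line only ever enforces whatever profiles the installed packages happen to ship. Minor: the surviving comment `# and save/copy this installation script from here to somewhere in the installed system)` has an unmatched closing parenthesis.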