ruf-puppy4-flask.sh (attackpup on GrovyPup32)

#!/bin/sh
#ROUTER_IP=192.168.100.1
# Rufwoof Jan 2021 (updated May 2019 version). Comments at end
set -x
[[ "$-" = *"x"* ]] && TRACE=yes
WM=jwm
cd "$(realpath "${0%/*}")" #added by s243a (4 lines)
CWD="$(realpath .)" #"$PWD"
SFS_NAME="$(ls -1 ../puppy_*.sfs | head -n 1 | sed -r 's#^[.][.]/##g' | sed -r 's#[.]sfs##g')"
Parent_WD="$(realpath "$CWD/..")"
SFS_PATH="$Parent_WD/$SFS_NAME".sfs #End Adds by s243a


xterm & # added so have at least one window I can alt-tab to out of the container
disown

#[ ! -d /mnt/sda4/shared ] && mkdir /mnt/sda4/shared # as a shared folder
SHARED_LOC="$CWD"/shared #For a more portable container script add shared folder relative to script path.


#Uncomment the following to use a shared folder:
#SHARED="$SHARED_LOC"

#CHANGES_LOC=/mnt/sda4/changes        # Non pre-existing ext fs work folder
CHANGES_LOC="$CWD"/container #For a more portable container script add changes folder relative to script path.

#MAIN_SFS=/mnt/sda1/FATDOG811-FINAL/fd64.sfs # Where the main sfs is located
MAIN_SFS="$SFS_PATH" #s243a: Replaces above line

# Xephyr parameters
   XP="-fullscreen -title container -name Xephyr2 -dpi 144 -nolisten tcp"
#XEPHYR="-fullscreen -name Xephyr2 -dpi 144 -nolisten tcp"
XEPHYR="$XP"

#MOUNTS="--mount=bind:/dev/snd:/dev/snd \
#        --mount=bind:/dev/mixer:/dev/mixer"

MOUNTS="--mount=bind:/dev/snd:/dev/snd"

[ ! -z "${SHARED}" ] && MOUNTS="$MOUNTS -mount=bind:${SHARED}:/home/shared"

CAPS="--caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,\
-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,\
-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,\
-sys_nice,-sys_resource"
#PF="${PF} --chroot=${CHANGES_LOC}/top"
PFLASK="--keepenv --no-ipcns --no-netns ${MOUNTS} ${CAPS} \
        --chroot=${CHANGES_LOC}/top"
unset PsfsSD
unset ZDRV_PATH
declare -a options="$(getopt -o b:: --long browser-cmd::,browser-command,pup_sfs-subdir:,zdrv:: -- "$@")"
eval set --"$options"
while [ $# -gt 0 ]; do
  case "$1" in
  -b|--browser-cmd|--browser-command)
    if [ $# -gt 1 ] && [[ ! $2 = 1* ]]; then
      BROWSER_CMD="$2"
    else
      BROWSER_CMD=""
    fi
    ;;
  --zdrv)
    if [ $# -gt 1 ] && [[ ! "$2" = --* ]] && [ ! -z "$2" ]; then
      ZDRV_PATH="$2"
      shift 2
    else
      ZDRV_PATH=""
      shift 1
    fi; ;;
  --pup_sfs-subdir)
    PsfsSD="$2"
    shift 2
    ;;
  --)
    shift
    break
    ;;
  *)
    shift
    ;;
  esac
done

if [ ! ${ZDRV_NAME+x} ]; then
  ZDRV_NAME="$(ls -1 ../zdrv_*.sfs 2>/dev/null | head -n 1 | sed -r 's#^[.][.]/##g' | sed -r 's#[.]sfs##g')"
  [ ! -z "$ZDRV_NAME" ] && ZDRV_PATH="$Parent_WD/$ZDRV_NAME".sfs
fi
if [ -z ${BROWSER_CMD+x} ]; then
 case "${PsfsSD}" in
 /cont)
    BROWSER_CMD=/opt/Ungoogled_Chromium-portable/chromium/chromium-pup-nosb
    ;;
 *)
    BROWSER_CMD=/opt/Seamonkey-portable64/LAUNCH
    ;;
 esac
fi
function umountall(){
  set -x
  read -p "Entering umount all. Press enter to continue"
  set +x
  if [ ! -z "$PID" ]; then
    kill "$PID"
  else
    killall Xephyr
  fi
  cd ${CHANGES_LOC}
  #umount top sfs
  umount -l top/dev/shm
  umount -l top/dev/pts
  umount -l top/dev
  umount -l top
  [ ! -z "${sfs_MP_o}" ] && umount -l "${sfs_MP_o}"
  umount -l sfs
  umount -l zdrv
  rm -rf changes
  rmdir top sfs zdrv container.log
  [ ! -z "${sfs_MP_o}" ] && rmdir "${sfs_MP_o}"
  [ -d "$SHARED/flags" ] && [ ! -z "$HOSTGRAB" ] && kill $HOSTGRAB
  rm /tmp/container.run
  pkill -P $$ #Warning this will kill xterm.
}

# Avoid double click 2 instances
N=`date +%s` # Seconds since January 1970
if [ -f /tmp/container.run ];then
        L=`cat /tmp/container.run`
        D=`expr $N - $L`
        if [ $D -lt 2 ];then
            exit # quick 2 launches (doubled clicked ignore second click)
        fi
fi

trap 'umountall' 1


echo $N >/tmp/container.run

# Create a separate X instance so isolated from the main real root X
T=`ps -ef | grep Xephyr2 | wc -l`
if [ $T -ne 2 ];then
        Xephyr :2 ${XP} &
else
        exit # Xephyr2 already running
fi

if [ ! -z "${ROUTER_IP}" ]; then
  iptables -A INPUT -s ${ROUTER_IP} -j DROP     # Drop access to router admin
fi

# Prepare and launch 'container' and shared folder

if [ ! -z "$SHARED" ]; then
  [ ! -d $SHARED ] && mkdir $SHARED
  [ ! -d ${SHARED}/flags ] && mkdir ${SHARED}/flags
fi

# Create a changes folder, sfs mount point for main.sfs and top layer
# folders and aufs mount to combine changes and sfs folders -> top
mkdir -p "${CHANGES_LOC}"
cd "${CHANGES_LOC}"
# Check for possible hangover - such as if restarted X and clean out if so
if [ -d top ] || [ -d sfs ] || [ -d changes ]; then
        umount top sfs sfs.*
        rm -rf changes
        rmdir top sfs sfs.*
fi
mkdir top sfs changes

#s243a: added append_mnt_id_awk (bellow). See: https://forum.puppylinux.com/viewtopic.php?f=136&t=1932
append_mnt_id_awk='
function get_mnt_id(mnt_pt,loop){
  if (length(mnt_pt) > 0 && length(loop)>0){
    cmd="cat /proc/self/mountinfo | sort | grep '" loop "' | grep " mnt_pt " | head -n 1"
  } else if (length(mnt_pt) > 0){
    cmd="cat /proc/self/mountinfo | sort | grep '" mnt_pt "' | head -n 1"
  } else if (length(loop)>0){
    cmd="cat /proc/self/mountinfo | sort | grep '" loop "' | head -n 1"
  }
  while ((cmd | getline )){
    mnt_id=$1
    break
  }
  close(cmd)
  return mnt_id
}
{
  mnt_pt=$1
  loop=$2
  mnt_id=get_mnt_id(mnt_pt,loop)
  print mnt_id "|" mnt_pt "|" loop
}'
loop=$(losetup -a | grep  "${MAIN_SFS}"  | sed "s/:.*$//" )
if [ ! -z "$loop" ]; then #
  sfs_MP="$(findmnt -o TARGET,SOURCE -D -n | grep $loop\$ | awk "$append_mnt_id_awk" | sort -t '|' -k1 | cut -d'|' -f2 | head -n 1)"
else
  sfs_MP="${CHANGES_LOC}"/sfs
  mount -r -t squashfs ${MAIN_SFS} "$sfs_MP"
fi
if [ ! -z "${PsfsSD}" ]; then
  sfs_MP_o="$sfs_MP"
  PsfsSD=/${PsfsSD#/}
  sfs_MP=$(mktemp -d -p "${CHANGES_LOC}" sfs.XXXXXXX)
  mount --bind ${sfs_MP_o}${PsfsSD} "$sfs_MP"
fi
BRANCHES=changes:"$sfs_MP"

if [ ! -z "$ZDRV_PATH" ]; then
  loop=$(losetup -a | grep  "${ZDRV_PATH}"  | sed "s/:.*$//" )
  if [ ! -z "$loop" ]; then #
    zdrv_MP="$(findmnt -o TARGET,SOURCE -D -n | grep $loop\$ | awk "$append_mnt_id_awk" | sort -t '|' -k1 | cut -d'|' -f2 | head -n 1)"
  else
    zdrv_MP="${CHANGES_LOC}"/zdrv
    mkdir -p "${CHANGES_LOC}"/zdrv
    mount -r -t squashfs "${ZDRV_PATH}" "$zdrv_MP"
  fi
  BRANCHES="$BRANCHES":"$zdrv_MP"
fi

cd ${CHANGES_LOC}
mount -t aufs -o br="$BRANCHES" aufs top
cp /var/lib/dbus/machine-id top/var/lib/dbus/machine-id
cp /etc/resolv.conf top/etc/resolv.conf
ln -s top/var/lib/dbus/machine-id top/etc/machine-id

#http://www.linuxfromscratch.org/lfs/view/6.1/chapter06/devices.html
#mount -n -t tmpfs none top/dev
#mknod -m 622 top/dev/console c 5 1
#mknod -m 666 top/dev/null c 1 3
#mknod -m 666 top/dev/zero c 1 5
#mknod -m 666 top/dev/ptmx c 5 2
#mknod -m 666 top/dev/tty c 5 0
#mknod -m 444 top/dev/random c 1 8
#mknod -m 444 top/dev/urandom c 1 9
#chown root:tty top/dev/{console,ptmx,tty}
#ln -s top/proc/self/fd /dev/fd
#ln -s top/proc/self/fd/0 /dev/stdin
#ln -s top/proc/self/fd/1 /dev/stdout
#ln -s top/proc/self/fd/2 /dev/stderr
#ln -s top/proc/kcore /dev/core
#mkdir top/dev/pts
#mkdir top/dev/shm
#mount -n -t devpts -o gid=4,mode=620 none /dev/pts
#mount -n -t tmpfs none /dev/shm


#echo >$SHARED/flags/host-grab

[ -d "$SHARED/flags" ] && echo >$SHARED/flags/host-grab
if [ -d "$SHARED/flags" ]; then #TODO add more conditions to execute this code.
  cat <<EOF >top/tmp/hostgrab
  #!/bin/bash
  xsetroot -bg \#ff0000 -mod 5 5
  while inotifywait -e modify /home/shared/flags; do
    C=\$(tail -1 /home/shared/flags/host-grab | grep release)
    if [ ! -z "\${C}" ]; then
        xsetroot -bg \#0000ff -mod 5 5
    else
        xsetroot -bg \#ff0000 -mod 5 5
    fi
  done
EOF
chmod +x top/tmp/hostgrab
fi

# # create a script to run inside the chroot (i.e. must be a script, not a bin)

CMD_FP=top"$BROWSER_CMD"

if [ ! -f "$CHROOT_FOLDER/opt/Ungoogled_Chromium-portable/chromium/chromium-pup-nosb" ] && \
   [ -f "$CHROOT_FOLDER/opt/Ungoogled_Chromium-portable/chromium/chromium-pup" ] ; then
  (cd "$CHROOT_FOLDER/opt/Ungoogled_Chromium-portable/chromium/"; cp -a  chromium-pup chromium-pup-nosb;
   cat chromium-pup | sed -rn \
'/run-as-spot "$HERE\/chrome"/ {s#^(.*)$#"$HERE/chrome" --no-sandbox --user-data-dir=$HERE/PROFILE --disable-infobars "$@"#g;p}
/run-as-spot "$HERE\/chrome"/! {p}' > chromium-pup-nosb )
fi

# s243a: puppy doesn't have lxqt-panel
# echo "lxqt-panel &" >>top/init
# echo "openbox" >>top/init
case "$WM" in
jwm)
echo '
#!/bin/sh
export DISPLAY=:2
. /etc/DISTRO_SPECS
if [ "$DISTRO_ARCHDIR" ] ; then
    ARCHDIR="/$DISTRO_ARCHDIR"
fi
ldconfig
iconvconfig
#update-pango-querymodules
#Failed to create file /usr/lib/i86/-linux-gnu/pango/1.8.0/modules.cache.8P0KX0 No such file or directory
gdk-pixbuf-query-loaders --update-cache
update-mime-database -V /usr/share/mime/
#status_func $?
UPDATE_MIME_DATABASE_DONE=1

source /etc/profile
fixmenus #probably not necessary
keymap-set --update
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/usr/lib/X11/xinit/Xresources
sysmodmap=/usr/lib/X11/xinit/.Xmodmap

# merge in defaults and keymaps

if [ -f $sysresources ]; then
    xrdb -merge -nocpp $sysresources
fi

if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi

if [ -f $userresources ]; then
    xrdb -merge -nocpp $userresources
fi

if [ -f $usermodmap ]; then
    xmodmap $usermodmap
fi
setxkbmap -option keypad:pointerkeys
#DISPLAY=:2 xterm
/strip_jwm.sh
DISPLAY=:2 jwm &
DISPLAY=:2 roxfiler &
'"$(if [ ! -z "$BROWSER_CMD" ]; then
  echo "DISPLAY=:2 xterm -e $BROWSER_CMD"
   fi )"'
' >top/init
echo '
#!/bin/sh
source /etc/profile
export PATH="$PATH:/usr/local/bin/"
ldconfig
#gdk-pixbuf-query-loaders --update-cache
/usr/bin/gtk-update-icon-cache -f /usr/share/icons/hicolor/
DEFAULT_DESK_ICONS="JQ8flat"
#[ $NEWPVERSION -ge 500 ] && DEFAULT_DESK_ICONS="JQ8flat"
[ ! -d /usr/local/lib/X11/themes/JQ8flat ] && DEFAULT_DESK_ICONS="Stardust"
[ -f /etc/desktop_icon_theme ] && DEFAULT_DESK_ICONS="`cat /etc/desktop_icon_theme`" #w477
/usr/sbin/icon_switcher_cli $DEFAULT_DESK_ICONS
fixmenus #probably not necessary
DISPLAY=:2 rox -n &
/strip_jwm.sh
DISPLAY=:2 jwm &
PID=$!
'"#$(if [ ! -z "$BROWSER_CMD" ]; then
  echo "DISPLAY=:2 xterm -e $BROWSER_CMD"
   fi )"'
wait "$PID"
' >top/init_basic
;;
cwm)
cat <<EOF >top/init
#!/bin/sh
$(if [ -d "$SHARED/flags" ]; then
echo '/tmp/hostgrab &
/usr/bin/help &'
fi )
cwm -c /root/.cwmrc
EOF
cat <<EOF >top/usr/bin/help
#!/bin/sh
message() {
    Xdialog --title Information --msgbox "\$1" 0 0
}
M="This is a Xephyr X session window where cwm is the window manager.\n"
M="\${M}cwm is great for laptops (nearly all OpenBSD developer use cwm) and is relatively easy to learn.\n"
M="\${M}Whilst you run as 'root' within Xephyr, root is actually a highly restricted userid that is running\n"
M="\${M}in a contained environment, as such some programs may not run as expected.\n"
M="\${M}\nLeft mouse press on desktop shows windows menu, right mouse press for applications menu\n"
M="\${M}(a gap is left around the screen edges so the desktop is still accessible even if a window is maximised)\n\n"
M="\${M}Ctrl Alt Enter : terminal. Alt m : toggles maximise. Ctrl Alt x : close window. Alt ? : Open exec launcher\n"
M="\${M}\nCtrl Shift : toggles mouse/keyboard focus (desktop changes between red and blue)\n"
M="\${M}Alt Tab : if desktop is red - steps between main session windows\n"
M="\${M}OR if desktop is blue - steps between windows within the Xephyr container\n"
M="\${M}\nWHEN THE DESKTOP IS BLUE (mouse/keyboard locked into Xephyr) ...\n"
M="\${M}Alt middle mouse drag: resizes window. Alt left mouse drag : moves window\n"
M="\${M}\nWHEN THE DESKTOP IS RED (mouse/keyboard unlocked from Xephyr) ...\n"
M="\${M}you can use usual main system controls such as Alt-F1 for menu, Alt-F4 to close the Xephyr ...etc.\n"
M="\${M}\nRevisit this list again at any time by running 'help', or search online for the cwm manual"
message "\${M}"
EOF
chmod +x top/usr/bin/help
;;
esac

#for a_autostart in dunst.desktop firewallstatus.desktop flsynclient.desktop freememapplet.desktop netmon_wce.desktop powerapplet.desktop retrovol.desktop; do
#  mv top/root/.config/autostart/"$a_autostart" top/root/.config/autostart/"$a_autostart"-disable
#done
cat << "EOF" >top/strip_jwm.sh
#!bin/sh
cat /root/.jwmrc | sed -nr '$! {H};$ {H;x;s#(<StartupCommand>)(.*)(</StartupCommand>)##g;p}' > /root/.jwmrc-new
mv /root/.jwmrc-new /root/.jwmrc

cat /root/.jwmrc-tray | sed -nr '/.*xload*./! {p}' > /root/.jwmrc-tray-new
mv /root/.jwmrc-tray-new /root/.jwmrc-tray
EOF
chmod +x top/strip_jwm.sh

chmod +x top/init
chmod +x top/init_basic
# The big Xephyr capabilities dropped chroot switch
#DISPLAY=:2 empty  -L container.log -f unshare -m pflask ${PFLASK} -- /init
#DISPLAY=:2 empty -L file.log -f unshare -m pflask ${PFLASK} -- /init_basic

DISPLAY=:2 empty -L file.log -f unshare -m pflask ${PFLASK} -- /init_basic
PID=$!

[ "$TRACE" = yes ] && set -x
if [ -d "$SHARED/flags" ]; then
  function _hostgrabstate() {

    local WID=""

    while [ -z "${WID}" ]; do
        WID=$(wmctrl -lp | grep Xephyr | cut -d ' ' -f 1)
        sleep 1
    done
    sleep 2
    xprop -id ${WID} -spy WM_NAME >>$SHARED/flags/host-grab
  }
  _hostgrabstate &
  HOSTGRAB=$!
fi

#DISPLAY=:2 pflask ${PF} -- /init
wait $PID # above backgrounds, so we wait until that ends

# Clean up
set -x

umountall
#rmdir top sfs


############################################################################
# FOR FATDOG 811 ... (Draft Modifications by s243a for other platforms)
#
# Aufs mounts changes (initial empty rw folder), main sfs, that combined
# is visible/accessed via folder 'top', that we chroot into
#
# chroot with chroot capability dropped (to prevent chroot out of the chroot)
# using another X session (Xephyr) to isolate it from the main X session.
# We chroot using pflask as that makes things easier into the top folder
# applying further restrictions. We use the main sfs as our base for the
# chroot, so very low overheads.
#
# alt-F4    closes the Xephyr container (if not then ctrl-shift to unfocus
#           mouse/keyboard.
# alt Tab   to step to another window in main system, but if use
#           xdotool keydown alt key Tab;xdotool keyup alt .... it doesn't
#           work (as intended i.e. it's locked into the "container").
# seamonkey from menu doesn't work, run seamonkey from within urxvt
# We use DISPLAY :2 for the Xephyr server
#
# Requires empty, pflask and a ext filesystem to create/work within
#
# I use fatdog multi-session save type frugal boot, and periodically I've
# re-merged the save files into fd64.sfs so my fd64.sfs isn't the standard
# version (merging changes and not copying fd64.sfs to ram helps keep ram
# usage low).
############################################################################