isolated-protonmail-bridge/isolated-protonmail-bridge.sh

#!/usr/bin/env bash
set -euo pipefail

HERE="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
JAIL_HOME=/home/proton
BIN="${BIN:-entrypoint.sh}"

if [[ -z "${BRIDGE_HOME:-}" ]]; then
    echo "Please set the BRIDGE_HOME envvar!"
    exit 1
else
    BRIDGE_HOME="$(realpath "${BRIDGE_HOME}")"
fi

exec nsjail -Mo                                                                                \
       --disable_clone_newnet                                                                  \
       --disable_rlimits                                                                       \
       --cwd "${JAIL_HOME}"                                                                    \
       --tmpfsmount /tmp --tmpfsmount /run                                                     \
       --bindmount "${BRIDGE_HOME}:${JAIL_HOME}"                                               \
       --symlink /proc/self/fd:/dev/fd                                                         \
       --bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh"                       \
       --bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt"       \
       --bindmount_ro /bin --bindmount_ro /sbin                                                \
       --bindmount_ro /usr --bindmount_ro /lib --bindmount_ro /lib64                           \
       --bindmount_ro /dev/null --bindmount_ro /dev/urandom --bindmount_ro /dev/random         \
       --bindmount_ro /etc/resolv.conf                                                         \
       --env HOME=/home/proton                                                                 \
       --env PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin                 \
       --env BRIDGE_USER                                                                       \
       --env BRIDGE_PASS                                                                       \
       -- ${BIN} "${1:-}"
Initial commit 2020-05-21 15:11:31 +00:00			`#!/usr/bin/env bash`
			`set -euo pipefail`

			`HERE="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"`
			`JAIL_HOME=/home/proton`
Implement persistent storage and start mode 2020-05-22 22:31:37 +00:00			`BIN="${BIN:-entrypoint.sh}"`

Mount root as tmpfs, allow real rw in home directory only 2020-05-22 23:14:50 +00:00			`if [[ -z "${BRIDGE_HOME:-}" ]]; then`
			`echo "Please set the BRIDGE_HOME envvar!"`
Implement persistent storage and start mode 2020-05-22 22:31:37 +00:00			`exit 1`
			`else`
Mount root as tmpfs, allow real rw in home directory only 2020-05-22 23:14:50 +00:00			`BRIDGE_HOME="$(realpath "${BRIDGE_HOME}")"`
Implement persistent storage and start mode 2020-05-22 22:31:37 +00:00			`fi`

Exec nsjail to reduce process clutter 2020-05-23 01:24:28 +00:00			`exec nsjail -Mo \`
Initial commit 2020-05-21 15:11:31 +00:00			`--disable_clone_newnet \`
Disable rlimits 2020-05-26 16:23:20 +00:00			`--disable_rlimits \`
Initial commit 2020-05-21 15:11:31 +00:00			`--cwd "${JAIL_HOME}" \`
			`--tmpfsmount /tmp --tmpfsmount /run \`
Mount root as tmpfs, allow real rw in home directory only 2020-05-22 23:14:50 +00:00			`--bindmount "${BRIDGE_HOME}:${JAIL_HOME}" \`
Fix bash process substitution by symlinking /dev/fd 2020-05-22 13:35:24 +00:00			`--symlink /proc/self/fd:/dev/fd \`
Initial commit 2020-05-21 15:11:31 +00:00			`--bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh" \`
			`--bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt" \`
			`--bindmount_ro /bin --bindmount_ro /sbin \`
			`--bindmount_ro /usr --bindmount_ro /lib --bindmount_ro /lib64 \`
			`--bindmount_ro /dev/null --bindmount_ro /dev/urandom --bindmount_ro /dev/random \`
Fix DNS resolution by including /etc/resolv.conf in jail 2020-05-22 13:34:40 +00:00			`--bindmount_ro /etc/resolv.conf \`
Initial commit 2020-05-21 15:11:31 +00:00			`--env HOME=/home/proton \`
			`--env PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin \`
Implement login workflow 2020-05-22 21:26:34 +00:00			`--env BRIDGE_USER \`
			`--env BRIDGE_PASS \`
Implement persistent storage and start mode 2020-05-22 22:31:37 +00:00			`-- ${BIN} "${1:-}"`
Initial commit 2020-05-21 15:11:31 +00:00