One of the well-documented effects of Coronavirus is the move to video conferencing from home. This means more Zoom, Google Meet/Hangouts, Jitsi, etc. - programs I don't necessarily trust to have full access to my home directory. Using the fish shell and systemd-run, I made the following utility to ensure certain processes don't see my $HOME directory while still having the convenience of running them as myself without too much hassle. You can find the updated source here:
#! /usr/bin/env fish ################################################################################ # Poor-man's "jail" for untrusted processes, or at least untrusted to read/write # to $HOME. Uses systemd-run to run an untrusted command such that $HOME is # mapped to $HOME/.local/share/jail/<program name> instead, thus ensuring that # program can't read/write your real $HOME directory. # # Usage: make sure this file is executable, then from somewhere in your $PATH # but before the actual path to the program, symlink names of the # programs you want to "jail" to this file. # # Example for Google Chrome, assuming $HOME/bin is in your PATH before /usr/bin: # # $ cd $HOME/bin # $ ln -s <path to this file> google-chrome-stable # $ google-chrome-stable # Runs Google Chrome with $HOME really set to # $HOME/.local/share/jail/google-chrome-stable # ################################################################################ # Default arguments to systemd-run set systemd_run_args --uid=(id -u) --gid=(id -g) --wait # Connect stdin if available isatty and set -a systemd_run_args --pty # Loop through all exported variables for use with systemd-run -E for var in (set -xn) test (count $$var) -gt 1 # Array/PATH variable, flatten and join with : and set -a systemd_run_args -E $var=(string join : $$var) # Single value variable or set -a systemd_run_args -E $var=$$var end set program_to_run (basename (status filename)) set path_to_me (dirname (status filename)) # Find the real executable to run for dir in $PATH test $dir = $path_to_me and continue test -x $dir/$program_to_run and set exe $dir/$program_to_run and break end set -q exe or begin echo Unable to find $program_to_run in $PATH exit 1 end # Create our jail if it doesn't exist set jail $HOME/.local/share/jail/$program_to_run test -d $jail or mkdir -p $jail test -d $jail or begin echo Unable to create/use jail at $jail exit 1 end set -a systemd_run_args -p BindPaths=$jail:$HOME # If we are below $HOME when invoked use $HOME as the working directory, # otherwise use the directory where we currently are if string match --regex "$HOME/?" (pwd -P) >/dev/null set -a systemd_run_args --working-directory=$HOME else set -a systemd_run_args --same-dir end # Must be root to bind-mount, use sudo if necessary if test (id -u) -ne 0 exec sudo systemd-run $systemd_run_args $exe $argv else exec systemd-run $systemd_run_args $exe $argv end