From 80cd3af35894fe587c626d8d25da407cb980bbb0 Mon Sep 17 00:00:00 2001
From: Matt McClaskey
Date: Thu, 14 Dec 2023 05:56:38 -0500
Subject: [PATCH] KASM-5317 remove terminals, KASM-5318 restrict local file urls
---
 dockerfile-kasm-brave | 5 +++
 dockerfile-kasm-chrome | 5 +++
 dockerfile-kasm-chromium | 5 +++
 dockerfile-kasm-edge | 5 +++
 dockerfile-kasm-firefox | 4 +++
 dockerfile-kasm-tor-browser | 4 +++
 dockerfile-kasm-vivaldi | 5 +++
 .../chrome-managed-policies/urlblocklist.json | 3 ++
 .../install/misc/single_app_security.sh | 31 +++++++++++++++++++
 9 files changed, 67 insertions(+)
 create mode 100644 src/common/chrome-managed-policies/urlblocklist.json
 create mode 100644 src/ubuntu/install/misc/single_app_security.sh
diff --git a/dockerfile-kasm-brave b/dockerfile-kasm-brave
index 3ef8f32..c3e4133 100644
--- a/dockerfile-kasm-brave
+++ b/dockerfile-kasm-brave
@@ -20,6 +20,11 @@ RUN cp $HOME/.config/xfce4/xfconf/single-application-xfce-perchannel-xml/* $HOME
 RUN cp /usr/share/extra/backgrounds/bg_kasm.png /usr/share/extra/backgrounds/bg_default.png
 RUN apt-get remove -y xfce4-panel
+# Security modifications
+COPY ./src/ubuntu/install/misc/single_app_security.sh $INST_SCRIPTS/misc/
+RUN bash $INST_SCRIPTS/misc/single_app_security.sh -t && rm -rf $INST_SCRIPTS/misc/
+COPY ./src/common/chrome-managed-policies/urlblocklist.json /etc/brave/policies/managed/urlblocklist.json
+
 # Setup the custom startup script that will be invoked when the container starts
 #ENV LAUNCH_URL http://kasmweb.com
diff --git a/dockerfile-kasm-chrome b/dockerfile-kasm-chrome
index aaf4046..eee86f2 100644
--- a/dockerfile-kasm-chrome
+++ b/dockerfile-kasm-chrome
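Review bot: The policy `COPY` at the end of the added block takes its file mode from the build context, so whether the session user can rewrite `urlblocklist.json` depends on how the repository was checked out. Since that file is what enforces the `file://` restriction, I would pin it explicitly with `COPY --chown=root:root --chmod=644 ./src/common/chrome-managed-policies/urlblocklist.json /etc/brave/policies/managed/urlblocklist.json` (`--chmod` needs BuildKit). The `# Security modifications` comment could also name the two measures, e.g. `# Remove terminal emulators (-t) and block file:// URLs via managed policy`. The same applies to the policy `COPY` in the chrome, chromium, edge and vivaldi hunks.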
@@ -20,6 +20,11 @@ RUN cp $HOME/.config/xfce4/xfconf/single-application-xfce-perchannel-xml/* $HOME
 RUN cp /usr/share/extra/backgrounds/bg_kasm.png /usr/share/extra/backgrounds/bg_default.png
 RUN apt-get remove -y xfce4-panel
+# Security modifications
+COPY ./src/ubuntu/install/misc/single_app_security.sh $INST_SCRIPTS/misc/
+RUN bash $INST_SCRIPTS/misc/single_app_security.sh -t && rm -rf $INST_SCRIPTS/misc/
+COPY ./src/common/chrome-managed-policies/urlblocklist.json /etc/opt/chrome/policies/managed/urlblocklist.json
+
 # Setup the custom startup script that will be invoked when the container starts
 #ENV LAUNCH_URL http://kasmweb.com
diff --git a/dockerfile-kasm-chromium b/dockerfile-kasm-chromium
index 5e843de..0b10095 100644
--- a/dockerfile-kasm-chromium
+++ b/dockerfile-kasm-chromium
@@ -19,6 +19,11 @@ RUN cp $HOME/.config/xfce4/xfconf/single-application-xfce-perchannel-xml/* $HOME
 RUN cp /usr/share/extra/backgrounds/bg_kasm.png /usr/share/extra/backgrounds/bg_default.png
 RUN apt-get remove -y xfce4-panel
+# Security modifications
+COPY ./src/ubuntu/install/misc/single_app_security.sh $INST_SCRIPTS/misc/
+RUN bash $INST_SCRIPTS/misc/single_app_security.sh -t && rm -rf $INST_SCRIPTS/misc/
+COPY ./src/common/chrome-managed-policies/urlblocklist.json /etc/chromium/policies/managed/urlblocklist.json
+
 # Setup the custom startup script that will be invoked when the container starts
 #ENV LAUNCH_URL http://kasmweb.com
diff --git a/dockerfile-kasm-edge b/dockerfile-kasm-edge
index 20a5b28..ba13eac 100644
--- a/dockerfile-kasm-edge
+++ b/dockerfile-kasm-edge
@@ -24,6 +24,11 @@ ENV KASM_RESTRICTED_FILE_CHOOSER=1
 COPY ./src/ubuntu/install/gtk/ $INST_SCRIPTS/gtk/
 RUN bash $INST_SCRIPTS/gtk/install_restricted_file_chooser.sh
+# Security modifications
+COPY ./src/ubuntu/install/misc/single_app_security.sh $INST_SCRIPTS/misc/
+RUN bash $INST_SCRIPTS/misc/single_app_security.sh -t && rm -rf $INST_SCRIPTS/misc/
+COPY ./src/common/chrome-managed-policies/urlblocklist.json /etc/opt/edge/policies/managed/urlblocklist.json
+
 # Setup the custom startup script that will be invoked when the container starts
 #ENV LAUNCH_URL http://kasmweb.com
diff --git a/dockerfile-kasm-firefox b/dockerfile-kasm-firefox
index 5b118d8..1b9661c 100644
--- a/dockerfile-kasm-firefox
+++ b/dockerfile-kasm-firefox
@@ -21,6 +21,10 @@ RUN cp $HOME/.config/xfce4/xfconf/single-application-xfce-perchannel-xml/* $HOME
 RUN cp /usr/share/extra/backgrounds/bg_kasm.png /usr/share/extra/backgrounds/bg_default.png
 RUN apt-get remove -y xfce4-panel
+# Security modifications
+COPY ./src/ubuntu/install/misc/single_app_security.sh $INST_SCRIPTS/misc/
+RUN bash $INST_SCRIPTS/misc/single_app_security.sh -t && rm -rf $INST_SCRIPTS/misc/
+
 # Setup the custom startup script that will be invoked when the container starts
 #ENV LAUNCH_URL http://kasmweb.com
diff --git a/dockerfile-kasm-tor-browser b/dockerfile-kasm-tor-browser
index 95307aa..350d39f 100644
--- a/dockerfile-kasm-tor-browser
+++ b/dockerfile-kasm-tor-browser
@@ -20,6 +20,10 @@ RUN cp $HOME/.config/xfce4/xfconf/single-application-xfce-perchannel-xml/* $HOME
 RUN cp /usr/share/extra/backgrounds/bg_kasm.png /usr/share/extra/backgrounds/bg_default.png
 RUN apt-get remove -y xfce4-panel
+# Security modifications
+COPY ./src/ubuntu/install/misc/single_app_security.sh $INST_SCRIPTS/misc/
+RUN bash $INST_SCRIPTS/misc/single_app_security.sh -t && rm -rf $INST_SCRIPTS/misc/
+
 ENV KASM_RESTRICTED_FILE_CHOOSER=1
 COPY ./src/ubuntu/install/gtk/ $INST_SCRIPTS/gtk/
 RUN bash $INST_SCRIPTS/gtk/install_restricted_file_chooser.sh
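Review bot: The firefox hunk removes terminals but adds no counterpart to the `file://` restriction that the Chromium-based images get, although the commit subject lists both measures; the tor-browser hunk is the same. `urlblocklist.json` is a Chromium managed-policy file, which Firefox does not read; Firefox takes enterprise policies from a `policies.json`, where a `WebsiteFilter` block list looks like the closest equivalent (not checked against the Firefox version in this image). If the omission is deliberate, a comment such as `# file:// URLs are not restricted in this image; see <tracking issue>` would stop readers assuming parity with the other browsers.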
diff --git a/dockerfile-kasm-vivaldi b/dockerfile-kasm-vivaldi
index 8f15bdb..2f62747 100644
--- a/dockerfile-kasm-vivaldi
+++ b/dockerfile-kasm-vivaldi
@@ -20,6 +20,11 @@ RUN cp $HOME/.config/xfce4/xfconf/single-application-xfce-perchannel-xml/* $HOME
 RUN cp /usr/share/extra/backgrounds/bg_kasm.png /usr/share/extra/backgrounds/bg_default.png
 RUN apt-get remove -y xfce4-panel
+# Security modifications
+COPY ./src/ubuntu/install/misc/single_app_security.sh $INST_SCRIPTS/misc/
+RUN bash $INST_SCRIPTS/misc/single_app_security.sh -t && rm -rf $INST_SCRIPTS/misc/
+COPY ./src/common/chrome-managed-policies/urlblocklist.json /etc/chromium/policies/managed/urlblocklist.json
+
 # Setup the custom startup script that will be invoked when the container starts
 #ENV LAUNCH_URL http://kasmweb.com
diff --git a/src/common/chrome-managed-policies/urlblocklist.json b/src/common/chrome-managed-policies/urlblocklist.json
new file mode 100644
index 0000000..b148040
--- /dev/null
+++ b/src/common/chrome-managed-policies/urlblocklist.json
@@ -0,0 +1,3 @@
+{
+ "URLBlocklist": ["file://*"]
+}
\ No newline at end of file
diff --git a/src/ubuntu/install/misc/single_app_security.sh b/src/ubuntu/install/misc/single_app_security.sh
new file mode 100644
index 0000000..5359a41
--- /dev/null
+++ b/src/ubuntu/install/misc/single_app_security.sh
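Review bot: The vivaldi hunk copies the policy to `/etc/chromium/policies/managed/`, the same directory the chromium image uses, and nothing visible here shows that Vivaldi loads managed policies from that path. If it does, a comment like `# Vivaldi reads managed policies from the Chromium directory` would record the reason for the shared path. If it has not been confirmed, the block list could be silently inactive in this image, so it is worth checking the browser's policy page in a built container before relying on it.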
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+REMOVE_TERMINALS=false
+
+while getopts "th" var
+do
+ case "$var" in
+ t) REMOVE_TERMINALS=true;;
+ h) echo "Valid arguments:"
+ echo "-t Remove terminals"
+ ;;
+ esac
+done
+
+## Remote unneeded packages
+
+#Remove Terminals
+if [ "$REMOVE_TERMINALS" = true ] ; then
+ echo "Removing terminals..."
+ if [ -x "$(command -v apt-get)" ]; then
+ echo "apt package manager detected"
+ terminals=("koi8rxterm" "lxterm" "xterm" "x-terminal-emulator" "xfce4-terminal" "xfce4-terminal.wrapper")
+
+ for termapp in ${terminals[@]}; do
+ if [[ $(apt -qq list "$termapp") ]] ; then
+ echo "Removing termina all $termapp."
+ apt remove -y ${termapp}
+ fi
+ done
+ fi
+fi
\ No newline at end of file
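Review bot: Nothing in the removal loop makes the image build fail when a terminal survives: the `apt remove` exit status is ignored, the script has no `set -e`, and the Dockerfiles' `RUN ... && rm -rf` only sees the script's final status. The guard `apt -qq list "$termapp"` also matches packages that are merely available rather than installed, and the script calls `apt`, whose CLI is not meant for scripting, even though it tested for `apt-get`. I would query dpkg for the installed state, remove with `apt-get`, and then assert that none of the listed commands is still on `PATH`, as below, with `${terminals[@]}` quoted. Separately, `-h` prints usage but does not exit, and `Remote unneeded packages` / `Removing termina all` look like typos.

```shell
# … unchanged: option parsing, apt-get detection, terminals=(...) …
        for termapp in "${terminals[@]}"; do
            if dpkg-query -W -f='${Status}' "$termapp" 2>/dev/null | grep -q "ok installed"; then
                echo "Removing terminal $termapp."
                apt-get remove -y "$termapp" || exit 1
            fi
        done
        # Fail the image build if any terminal command is still reachable.
        for termapp in "${terminals[@]}"; do
            if command -v "$termapp" >/dev/null 2>&1; then
                echo "ERROR: $termapp is still present after removal" >&2
                exit 1
            fi
        done
# … unchanged: closing fi / fi …
```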