Add a --pid-file option, like dnsmasq has for example. Presumably it's better to treat the argument as a filename in /run/fdns rather than a path because of the systemd/apparmor sandbox.
Why?
In #51 there was a discussion on how to start different fdns instances with block/whitelists for firejail sandboxes. However, stopping those instances is difficult, because you cannot kill processes belonging to another user, and allowing unprivileged users to kill arbitrary processes is a security hole. But a polkit rule that allows a user to start pkill with a path to a pid-file should be safe.
Polkit rule:
polkit.addRule(function(action, subject) {
    const USER = "john";
    const PROGRAM = "/usr/bin/pkill";
    // Only "pkill -F <one pid-file directly under /run/fdns>", nothing else on the command line
    const RE = new RegExp(`^${PROGRAM} -F /run/fdns/[A-Za-z0-9._-]+-[0-9]+$`);
    // Debugging: uncomment to see the final RegExp
    //polkit.log(RE.toString());
    if (action.id === "org.freedesktop.policykit.exec" &&
        action.lookup("program") === PROGRAM &&
        RE.test(action.lookup("command_line")) &&
        subject.user === USER && subject.local && subject.active) {
        return polkit.Result.YES;
    }
});
So at the end you could have a script that looks like this:
#!/bin/bash
PROGRAM="openshot-qt"
FIREJAIL_ARGS=()
PROXY_ADDR="127.70.74.68"
ALLOWED_DOMAINS=()
BLOCKED_DOMAINS=(google-analytics.com)
# TODO: unique logfile
FDNS_LOG_FILE="$HOME/fdns-log.txt"

whitelist=()
for domain in "${ALLOWED_DOMAINS[@]}"; do
    whitelist+=("--whitelist=$domain")
done
blocklist=()
for domain in "${BLOCKED_DOMAINS[@]}"; do
    blocklist+=("--blocklist=$domain")
done

echo -e "\n\n===> fdns --proxy-addr=$PROXY_ADDR ${whitelist[*]} ${blocklist[*]} <===\n" >> "$FDNS_LOG_FILE"
# fdns runs as root via pkexec; the pid-file name "$PROGRAM-$$" is what the polkit rule matches later.
# The redirection is done by this unprivileged shell, so the log file stays owned by the user.
pkexec fdns --pid-file="$PROGRAM-$$" "--proxy-addr=$PROXY_ADDR" "${whitelist[@]}" "${blocklist[@]}" >> "$FDNS_LOG_FILE" &
sleep 10s
firejail --dns="$PROXY_ADDR" "${FIREJAIL_ARGS[@]}" "$PROGRAM"
# Stop only this script's fdns instance; the command line has to match the polkit rule exactly.
pkexec pkill -F "/run/fdns/$PROGRAM-$$"
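The safety of this approach rests entirely on the command-line pattern in the polkit rule, so it is worth exercising that pattern offline before installing the rule. The following is an added example, not code from the fdns project or from the issue author: it re-implements the rule's decision as a plain function (with `action.lookup("program")`/`action.lookup("command_line")` replaced by plain properties, and assuming, as the rule does, that pkexec reports the resolved program path and the space-joined argv) and runs it against constructed command lines, including attempts to widen the grant into "kill anything".

```javascript
"use strict";

// Added example (not from the fdns project or the issue author): the polkit
// rule's decision, rewritten so it can be run with node.
// Assumption: pkexec fills "program" with the resolved absolute path and
// "command_line" with the full argv joined by single spaces.
const USER = "john";
const PROGRAM = "/usr/bin/pkill";
// Same pattern as the rule: pkill, -F, exactly one pid-file name directly under
// /run/fdns, nothing after it. No "/" or whitespace is allowed in the name, so
// "../" or a second (pattern) argument cannot be smuggled in.
const RE = new RegExp(`^${PROGRAM} -F /run/fdns/[A-Za-z0-9._-]+-[0-9]+$`);

// true = the rule returns polkit.Result.YES; false = the rule falls through to
// the default policy (for pkexec: an admin authentication prompt).
function allowPkill(action, subject) {
  return action.id === "org.freedesktop.policykit.exec" &&
    action.program === PROGRAM &&
    RE.test(action.command_line) &&
    subject.user === USER && subject.local && subject.active;
}

// Builds the action/subject objects the way the rule would see them for a
// local, active session of `user` running `program`.
function decide(commandLine, user = USER, program = PROGRAM) {
  const action = { id: "org.freedesktop.policykit.exec", program, command_line: commandLine };
  const subject = { user, local: true, active: true };
  return allowPkill(action, subject);
}

// Constructed command lines: the script's legitimate call first, then the
// ways an attacker with this grant might try to kill something else.
const CASES = [
  ["/usr/bin/pkill -F /run/fdns/openshot-qt-4242", true],        // what the script runs
  ["/usr/bin/pkill -F /run/fdns/../../run/sshd.pid", false],     // path traversal
  ["/usr/bin/pkill -F /run/fdns/openshot-qt-4242 sshd", false],  // extra pattern argument
  ["/usr/bin/pkill -9 -F /run/fdns/openshot-qt-4242", false],    // extra flag
  ["/usr/bin/pkill -F /run/fdns/openshot-qt", false],            // missing -PID suffix
  ["/usr/bin/pkill -F /run/fdns/openshot-qt-4242\n", false],     // trailing newline ($ is end-of-input in JS)
];

// Returns one record per case so the results can be checked programmatically.
function runCases() {
  return CASES.map(([cmd, expected]) => ({ cmd, expected, got: decide(cmd) }));
}

for (const r of runCases()) {
  console.log(`${r.got === r.expected ? "ok  " : "FAIL"} ${JSON.stringify(r.cmd)} -> ${r.got}`);
}
```

The same function also shows why the `subject.user`/`program` checks matter: the identical command line is refused for a different user, and a different program (say `/usr/bin/kill`) is refused even with a matching command line. If the rule is later loosened (for instance to allow a `-SIGNAL` flag), re-running the traversal and extra-argument cases is the quickest way to confirm the grant has not become broader than intended.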