@@ -30,6 +30,75 @@ invoked_name="$(basename "${0}")"

 # By default, invoke "firefox":

 browser_path='firefox'

+# Base directory for our crap

+work_dir_base="/run/user/$(id -u)/browser-wrapper"

+mk_dir "${work_dir_base}" 0700

+work_dir="$(mktemp --directory "${work_dir_base}/$$.XXXXXXXX")" || \

+	exit_with_message 110 "Unable to create working directory, aborting."

+

+# Directory to replace /home

+slash_home_dir="${work_dir}/slash_home"

+# Directory to replace $HOME

+home_dir="${work_dir}/home"

+# Directory to replace /tmp

+tmp_dir="${work_dir}/tmp"

+# Empty dir to replace /dev

+dev_dir="${work_dir}/dev"

+# Directory for uploads

+upload_dir="${HOME}/Uploads"

+# Directory for downloads

+download_dir="${HOME}/Downloads"

+

+for directory in {{slash_,}home,tmp,{up,down}load,dev}_dir; do

+	mk_dir "${!directory}" 0700

+done

+

+# Leverage proot to make the browser believe that:

+#   - /home is either empty or contains only our home

+slash_home_options="--bind=${slash_home_dir}:/home"

+#   - the home directory is almost empty

+home_options="--bind=${home_dir}:${HOME}"

+#   - its configuration directory is still there

+#   - its cache directory is still there

+browser_conf_options="

+	--bind=${HOME}/.mozilla/firefox:${HOME}/.mozilla/firefox \

+	--bind=${HOME}/.cache/mozilla/firefox:${HOME}/.cache/mozilla/firefox"

+#   - its download directory is still there

+#     (at least the one for English speakers)

+download_options="--bind=${download_dir}:${HOME}/Downloads"

+#   - a ~/Uploads directory is present

+upload_options="--bind=${upload_dir}:${HOME}/Uploads"

+#   - ~/.adobe and ~/.macromedia are still there

+#     (for the sake of Flash Player and other plugins)

+adobe_options="

+	--bind=${HOME}/.adobe:${HOME}/.adobe \

+	--bind=${HOME}/.macromedia:${HOME}/.macromedia"

+#   - various directories related to Java applets are still there

+#     (assuming IcedTea-Web >= 1.5 / OpenJDK)

+java_options="

+	--bind=${HOME}/.config/icedtea-web:${HOME}/.config/icedtea-web

+	--bind=${HOME}/.cache/icedtea-web:${HOME}/.cache/icedtea-web

+	--bind=${HOME}/.java:${HOME}/.java

+	--bind=${HOME}/.local/share/applications/javaws:${HOME}/.local/share/application/javaws"

+#   - /tmp is empty

+#     (as in: do not even try to mess with the Unix sockets to ssh-agent)

+tmp_options="--bind=${tmp_dir}:/tmp"

+#   - /sys is simply absent

+#     (Firefox tries to reach various things under /sys/devices/system/ but

+#     seems to cope without it)

+sys_options="--bind=/dev/null:/sys"

+#   - /proc is still there, unless you want to hit that very detailed error:

+#       too much recursion

+#   - /proc/sys is still there, unless you want to hit that charming error:

+#       FATAL: error reading `/proc/sys/crypto/fips_enabled' in libgcrypt: Not a directory

+proc_options=""

+#   - /dev is present yet minimalist

+dev_options="

+	--bind=${dev_dir}:/dev

+	--bind=/dev/null:/dev/null

+	--bind=/dev/random:/dev/random

+	--bind=/dev/urandom:/dev/urandom"

+

 # Let users override this through "configuration files":

 generic_config_path="${HOME}/.config/browser-wrapper/main.conf"

 [ -f "${generic_config_path}" ] && source "${generic_config_path}"

@@ -42,29 +111,6 @@ specific_config_path="${HOME}/.config/browser-wrapper/${invoked_name}.conf"

 if [ -x "$(which proot)" ]; then

 	echo "proot is present and will be used to mask some directories"

-	# Base directory for our crap

-	work_dir_base="/run/user/$(id -u)/browser-wrapper"

-	mk_dir "${work_dir_base}" 0700

-	work_dir="$(mktemp --directory "${work_dir_base}/$$.XXXXXXXX")" || \

-		exit_with_message 110 "Unable to create working directory, aborting."

-

-	# Directory to replace /home

-	slash_home_dir="${work_dir}/slash_home"

-	# Directory to replace $HOME

-	home_dir="${work_dir}/home"

-	# Directory to replace /tmp

-	tmp_dir="${work_dir}/tmp"

-	# Empty dir to replace /dev

-	dev_dir="${work_dir}/dev"

-	# Directory for uploads

-	upload_dir="${HOME}/Uploads"

-	# Directory for downloads

-	download_dir="${HOME}/Downloads"

-

-	for directory in {{slash_,}home,tmp,{up,down}load,dev}_dir; do

-		mk_dir "${!directory}" 0700

-	done

-

 	echo 'Tips:'

 	echo "  Your fake home is ${home_dir}"

 	echo "  Your fake /tmp is ${tmp_dir}"

@@ -73,51 +119,6 @@ if [ -x "$(which proot)" ]; then

 	echo '  Do you need to download files?'

 	echo "    They should end up in ${download_dir}"

-	# Leverage proot to make the browser believe that:

-	#   - /home is either empty or contains only our home

-	slash_home_options="--bind=${slash_home_dir}:/home"

-	#   - the home directory is almost empty

-	home_options="--bind=${home_dir}:${HOME}"

-	#   - its configuration directory is still there

-	#   - its cache directory is still there

-	browser_conf_options="

-		--bind=${HOME}/.mozilla/firefox:${HOME}/.mozilla/firefox \

-		--bind=${HOME}/.cache/mozilla/firefox:${HOME}/.cache/mozilla/firefox"

-	#   - its download directory is still there

-	#     (at least the one for English speakers)

-	download_options="--bind=${download_dir}:${HOME}/Downloads"

-	#   - a ~/Uploads directory is present

-	upload_options="--bind=${upload_dir}:${HOME}/Uploads"

-	#   - ~/.adobe and ~/.macromedia are still there

-	#     (for the sake of Flash Player and other plugins)

-	adobe_options="

-		--bind=${HOME}/.adobe:${HOME}/.adobe \

-		--bind=${HOME}/.macromedia:${HOME}/.macromedia"

-	#   - various directories related to Java applets are still there

-	#     (assuming IcedTea-Web >= 1.5 / OpenJDK)

-	java_options="

-		--bind=${HOME}/.config/icedtea-web:${HOME}/.config/icedtea-web

-		--bind=${HOME}/.cache/icedtea-web:${HOME}/.cache/icedtea-web

-		--bind=${HOME}/.java:${HOME}/.java

-		--bind=${HOME}/.local/share/applications/javaws:${HOME}/.local/share/application/javaws"

-	#   - /tmp is empty

-	#     (as in: do not even try to mess with the Unix sockets to ssh-agent)

-	tmp_options="--bind=${tmp_dir}:/tmp"

-	#   - /sys is simply absent

-	#     (Firefox tries to reach various things under /sys/devices/system/ but

-	#     seems to cope without it)

-	sys_options="--bind=/dev/null:/sys"

-	#   - /proc is still there, unless you want to hit that very detailed error:

-	#       too much recursion

-	#   - /proc/sys is still there, unless you want to hit that charming error:

-	#       FATAL: error reading `/proc/sys/crypto/fips_enabled' in libgcrypt: Not a directory

-	proc_options=""

-	#   - /dev is present yet minimalist

-	dev_options="

-		--bind=${dev_dir}:/dev

-		--bind=/dev/null:/dev/null

-		--bind=/dev/random:/dev/random

-		--bind=/dev/urandom:/dev/urandom"

 	proot \

 		${pre_options} \

 		${slash_home_options} \