diff options
-rw-r--r-- | config.dot/firejail/chromium.profile.link | 35 | ||||
-rw-r--r-- | config.dot/firejail/git.profile.link | 3 | ||||
-rw-r--r-- | config.dot/firejail/libreoffice.local.link | 4 | ||||
-rw-r--r-- | config.dot/firejail/mutt.profile.link | 66 | ||||
-rw-r--r-- | config.dot/firejail/ranger.profile.link | 33 | ||||
-rw-r--r-- | config.dot/firejail/whitelist-common.local.link | 8 |
6 files changed, 58 insertions, 91 deletions
diff --git a/config.dot/firejail/chromium.profile.link b/config.dot/firejail/chromium.profile.link index c169f4d..fbcb58c 100644 --- a/config.dot/firejail/chromium.profile.link +++ b/config.dot/firejail/chromium.profile.link @@ -1,33 +1,2 @@ -# Chromium browser profile -noblacklist ~/.config/chromium -noblacklist ~/.cache/chromium -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc - -# chromium is distributed with a perl script on Arch -# include /etc/firejail/disable-devel.inc -# - -netfilter - -whitelist ${DOWNLOADS} -mkdir ~/.config/chromium -whitelist ~/.config/chromium -mkdir ~/.cache/chromium -whitelist ~/.cache/chromium -mkdir ~/.config/chromium-profiles -whitelist ~/.config/chromium-profiles -mkdir ~/.pki -whitelist ~/.pki - -# lastpass, keepassx -whitelist ~/.keepassx -whitelist ~/.config/keepassx -whitelist ~/keepassx.kdbx -whitelist ~/.lastpass -whitelist ~/.config/lastpass - -# specific to Arch -whitelist ~/.config/chromium-flags.conf - -include /etc/firejail/whitelist-common.inc +include /etc/firejail/chromium.profile +quiet diff --git a/config.dot/firejail/git.profile.link b/config.dot/firejail/git.profile.link index ef8bec2..3a5913a 100644 --- a/config.dot/firejail/git.profile.link +++ b/config.dot/firejail/git.profile.link @@ -24,6 +24,9 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +# allow write operations in non-default folders +include whitelist-common.local + # allow git to work with dotfiles read-write ${HOME}/.dotfiles diff --git a/config.dot/firejail/libreoffice.local.link b/config.dot/firejail/libreoffice.local.link index 3a8cff9..29f7cba 100644 --- a/config.dot/firejail/libreoffice.local.link +++ b/config.dot/firejail/libreoffice.local.link @@ -1,3 +1 @@ -whitelist ${HOME}/file -whitelist ${HOME}/load -whitelist /var/data/load +include whitelist-common.local diff --git a/config.dot/firejail/mutt.profile.link b/config.dot/firejail/mutt.profile.link index 58e126d..a78ce4b 100644 --- a/config.dot/firejail/mutt.profile.link +++ b/config.dot/firejail/mutt.profile.link @@ -1,26 +1,29 @@ -# mutt email client profile +# mutt profile +blacklist /tmp/.X11-unix -noblacklist ~/.muttrc -noblacklist ~/.mutt -noblacklist ~/.mutt/muttrc -noblacklist ~/.mailcap -noblacklist ~/.gnupg -noblacklist ~/.mail -noblacklist ~/.Mail -noblacklist ~/mail -noblacklist ~/Mail -noblacklist ~/sent -noblacklist ~/postponed -noblacklist ~/.cache/mutt -noblacklist ~/.w3m -noblacklist ~/.elinks -noblacklist ~/.vim -noblacklist ~/.vimrc -noblacklist ~/.viminfo -noblacklist ~/.emacs -noblacklist ~/.emacs.d -noblacklist ~/.signature -noblacklist ~/.bogofilter +noblacklist /var/mail +noblacklist /var/spool/mail +noblacklist ${HOME}/.Mail +noblacklist ${HOME}/.bogofilter +noblacklist ${HOME}/.cache/mutt +noblacklist ${HOME}/.elinks +noblacklist ${HOME}/.emacs +noblacklist ${HOME}/.emacs.d +noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mail +noblacklist ${HOME}/.mailcap +noblacklist ${HOME}/.msmtprc +noblacklist ${HOME}/.mutt +noblacklist ${HOME}/.muttrc +noblacklist ${HOME}/.signature +noblacklist ${HOME}/.vim +noblacklist ${HOME}/.viminfo +noblacklist ${HOME}/.vimrc +noblacklist ${HOME}/.w3m +noblacklist ${HOME}/Mail +noblacklist ${HOME}/mail +noblacklist ${HOME}/postponed +noblacklist ${HOME}/sent # custom quiet @@ -28,24 +31,33 @@ noblacklist ~/.custom noblacklist ~/.msmtprc noblacklist ~/.procmailrc noblacklist ~/.fetchmailrc +noblacklist /usr/bin/procmail +noblacklist /usr/bin/fetchmail noblacklist /usr/bin/perl -#noblacklist /usr/bin/cpan* +noblacklist /usr/bin/cpan* noblacklist /usr/share/perl* noblacklist /usr/lib/perl* -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-devel.inc +include disable-common.inc +include disable-devel.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc caps.drop all netfilter +no3d +nodvd nogroups nonewprivs noroot nosound +notv +nou2f +novideo protocol unix,inet,inet6 seccomp shell none +writable-run-user private-dev diff --git a/config.dot/firejail/ranger.profile.link b/config.dot/firejail/ranger.profile.link index 738bc3c..78ab30c 100644 --- a/config.dot/firejail/ranger.profile.link +++ b/config.dot/firejail/ranger.profile.link @@ -1,10 +1,11 @@ # ranger file manager profile quiet -noblacklist /usr/bin/perl -#noblacklist /usr/bin/cpan* -noblacklist /usr/share/perl* -noblacklist /usr/lib/perl* -noblacklist ${HOME}/.config/ranger + +# include the default profile +include /etc/firejail/ranger.profile + +# allow write operations in non-default folders +include whitelist-common.local # from fbreader ebook reader profile noblacklist ${HOME}/.FBReader @@ -13,28 +14,8 @@ noblacklist ${HOME}/.FBReader noblacklist ~/.config/zathura noblacklist ~/.local/share/zathura -# from gimp profile +## from gimp profile noblacklist ${HOME}/.gimp* # from mpv profile noblacklist ${HOME}/.config/mpv - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc - -caps.drop all -netfilter -net none -nonewprivs -noroot -nogroups -protocol unix -seccomp - -# We need sound support to play media files -#nosound - -private-tmp -private-dev diff --git a/config.dot/firejail/whitelist-common.local.link b/config.dot/firejail/whitelist-common.local.link index 108f322..6b3c4df 100644 --- a/config.dot/firejail/whitelist-common.local.link +++ b/config.dot/firejail/whitelist-common.local.link @@ -1,2 +1,6 @@ -whitelist ${HOME}/load -whitelist /var/data/load +#whitelist ${HOME}/file +#whitelist ${HOME}/load +#whitelist /var/data/load +read-write ${HOME}/file +read-write ${HOME}/load +read-write /var/data/load |