-rw-r--r--config.dot/firejail/chromium.profile.link35
-rw-r--r--config.dot/firejail/git.profile.link3
-rw-r--r--config.dot/firejail/libreoffice.local.link4
-rw-r--r--config.dot/firejail/mutt.profile.link66
-rw-r--r--config.dot/firejail/ranger.profile.link33
-rw-r--r--config.dot/firejail/whitelist-common.local.link8
6 files changed, 58 insertions, 91 deletions
diff --git a/config.dot/firejail/chromium.profile.link b/config.dot/firejail/chromium.profile.link
index c169f4d..fbcb58c 100644
--- a/config.dot/firejail/chromium.profile.link
+++ b/config.dot/firejail/chromium.profile.link
@@ -1,33 +1,2 @@
-# Chromium browser profile
-noblacklist ~/.config/chromium
-noblacklist ~/.cache/chromium
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-#
-
-netfilter
-
-whitelist ${DOWNLOADS}
-mkdir ~/.config/chromium
-whitelist ~/.config/chromium
-mkdir ~/.cache/chromium
-whitelist ~/.cache/chromium
-mkdir ~/.config/chromium-profiles
-whitelist ~/.config/chromium-profiles
-mkdir ~/.pki
-whitelist ~/.pki
-
-# lastpass, keepassx
-whitelist ~/.keepassx
-whitelist ~/.config/keepassx
-whitelist ~/keepassx.kdbx
-whitelist ~/.lastpass
-whitelist ~/.config/lastpass
-
-# specific to Arch
-whitelist ~/.config/chromium-flags.conf
-
-include /etc/firejail/whitelist-common.inc
+include /etc/firejail/chromium.profile
+quiet
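Review bot: Deferring to the distribution profile silently drops the explicit whitelists the old file carried for `~/.config/chromium-profiles`, `~/.config/chromium-flags.conf`, `~/.pki` and the keepassx/lastpass locations; unless /etc/firejail/chromium.profile whitelists those itself, they become invisible inside the sandbox. Upstream profiles generally pull in a `chromium.local` for exactly this kind of addition (confirm against the installed profile), so any of those paths still in use belong there rather than being lost. A one-line comment above the include would make the intent clear to a later reader, e.g. `# defer to the distribution profile; host-specific additions go in chromium.local`.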
diff --git a/config.dot/firejail/git.profile.link b/config.dot/firejail/git.profile.link
index ef8bec2..3a5913a 100644
--- a/config.dot/firejail/git.profile.link
+++ b/config.dot/firejail/git.profile.link
@@ -24,6 +24,9 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
+# allow write operations in non-default folders
+include whitelist-common.local
+
# allow git to work with dotfiles
read-write ${HOME}/.dotfiles
diff --git a/config.dot/firejail/libreoffice.local.link b/config.dot/firejail/libreoffice.local.link
index 3a8cff9..29f7cba 100644
--- a/config.dot/firejail/libreoffice.local.link
+++ b/config.dot/firejail/libreoffice.local.link
@@ -1,3 +1 @@
-whitelist ${HOME}/file
-whitelist ${HOME}/load
-whitelist /var/data/load
+include whitelist-common.local
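Review bot: The three `whitelist` lines are replaced by an include whose contents, per the whitelist-common.local hunk in this same commit, are now `read-write` directives with the whitelists commented out. `read-write` only lifts a read-only restriction; it does not make a path visible in a sandbox whose home is whitelisted, and whitelisted paths are normally writable already, so if the libreoffice profile is whitelist-based (I believe upstream's is — confirm) `${HOME}/file`, `${HOME}/load` and `/var/data/load` will disappear from the sandbox instead of becoming writable. Either keep the original `whitelist` lines here or un-comment the whitelist variants in the included file for this profile.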
diff --git a/config.dot/firejail/mutt.profile.link b/config.dot/firejail/mutt.profile.link
index 58e126d..a78ce4b 100644
--- a/config.dot/firejail/mutt.profile.link
+++ b/config.dot/firejail/mutt.profile.link
@@ -1,26 +1,29 @@
-# mutt email client profile
+# mutt profile
+blacklist /tmp/.X11-unix
-noblacklist ~/.muttrc
-noblacklist ~/.mutt
-noblacklist ~/.mutt/muttrc
-noblacklist ~/.mailcap
-noblacklist ~/.gnupg
-noblacklist ~/.mail
-noblacklist ~/.Mail
-noblacklist ~/mail
-noblacklist ~/Mail
-noblacklist ~/sent
-noblacklist ~/postponed
-noblacklist ~/.cache/mutt
-noblacklist ~/.w3m
-noblacklist ~/.elinks
-noblacklist ~/.vim
-noblacklist ~/.vimrc
-noblacklist ~/.viminfo
-noblacklist ~/.emacs
-noblacklist ~/.emacs.d
-noblacklist ~/.signature
-noblacklist ~/.bogofilter
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.Mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.elinks
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.msmtprc
+noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.muttrc
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.w3m
+noblacklist ${HOME}/Mail
+noblacklist ${HOME}/mail
+noblacklist ${HOME}/postponed
+noblacklist ${HOME}/sent
# custom
quiet
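Review bot: `noblacklist ${HOME}/.msmtprc`, added in the rewritten block, duplicates the `noblacklist ~/.msmtprc` that already sits in the `# custom` block a few lines below (visible as context in the next hunk); one of the two should go so the custom block stays the single place for host-specific additions. The added `blacklist /tmp/.X11-unix` also carries no comment, and since it deliberately narrows what a terminal client can reach, a line such as `# mutt is a terminal client; keep the X11 socket out of the sandbox` would record the intent. The profile continues past this hunk.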
@@ -28,24 +31,33 @@ noblacklist ~/.custom
noblacklist ~/.msmtprc
noblacklist ~/.procmailrc
noblacklist ~/.fetchmailrc
+noblacklist /usr/bin/procmail
+noblacklist /usr/bin/fetchmail
noblacklist /usr/bin/perl
-#noblacklist /usr/bin/cpan*
+noblacklist /usr/bin/cpan*
noblacklist /usr/share/perl*
noblacklist /usr/lib/perl*
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
caps.drop all
netfilter
+no3d
+nodvd
nogroups
nonewprivs
noroot
nosound
+notv
+nou2f
+novideo
protocol unix,inet,inet6
seccomp
shell none
+writable-run-user
private-dev
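Review bot: `writable-run-user` is added without any comment; as I recall the firejail man page, it lifts the default blacklisting of /run/user/$UID/systemd and /run/user/$UID/gnupg, which is presumably wanted here for gpg-agent sockets given the `.gnupg` exemption above, but a reader cannot tell that from the profile. A comment naming the reason, e.g. `# writable-run-user: expose the gpg-agent sockets under /run/user/$UID/gnupg for mail signing/decryption (TODO confirm)`, would let a later maintainer judge whether the option is still needed. The uncommenting of `noblacklist /usr/bin/cpan*` likewise widens what the sandbox exposes beyond the installed perl modules and deserves a word on why cpan itself is required. The option block may continue beyond this hunk.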
diff --git a/config.dot/firejail/ranger.profile.link b/config.dot/firejail/ranger.profile.link
index 738bc3c..78ab30c 100644
--- a/config.dot/firejail/ranger.profile.link
+++ b/config.dot/firejail/ranger.profile.link
@@ -1,10 +1,11 @@
# ranger file manager profile
quiet
-noblacklist /usr/bin/perl
-#noblacklist /usr/bin/cpan*
-noblacklist /usr/share/perl*
-noblacklist /usr/lib/perl*
-noblacklist ${HOME}/.config/ranger
+
+# include the default profile
+include /etc/firejail/ranger.profile
+
+# allow write operations in non-default folders
+include whitelist-common.local
# from fbreader ebook reader profile
noblacklist ${HOME}/.FBReader
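Review bot: The `noblacklist` lines that survive after `include /etc/firejail/ranger.profile` (`${HOME}/.FBReader` here, the zathura, gimp and mpv paths in the next hunk) are now parsed after the include, and firejail only honours a `noblacklist` that precedes the `blacklist` it exempts; since the upstream ranger profile pulls in the disable-*.inc files, those exemptions most likely stop having any effect, so e.g. `${HOME}/.config/zathura` would be hidden inside the sandbox (confirm by listing the paths from within it). The fix is ordering, not new directives: move the two `include` lines (with their comments) to the end of the file, after the last `noblacklist`, or move the remaining `noblacklist` block up above them. The file continues past this hunk.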
@@ -13,28 +14,8 @@ noblacklist ${HOME}/.FBReader
noblacklist ~/.config/zathura
noblacklist ~/.local/share/zathura
-# from gimp profile
+## from gimp profile
noblacklist ${HOME}/.gimp*
# from mpv profile
noblacklist ${HOME}/.config/mpv
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-net none
-nonewprivs
-noroot
-nogroups
-protocol unix
-seccomp
-
-# We need sound support to play media files
-#nosound
-
-private-tmp
-private-dev
diff --git a/config.dot/firejail/whitelist-common.local.link b/config.dot/firejail/whitelist-common.local.link
index 108f322..6b3c4df 100644
--- a/config.dot/firejail/whitelist-common.local.link
+++ b/config.dot/firejail/whitelist-common.local.link
@@ -1,2 +1,6 @@
-whitelist ${HOME}/load
-whitelist /var/data/load
+#whitelist ${HOME}/file
+#whitelist ${HOME}/load
+#whitelist /var/data/load
+read-write ${HOME}/file
+read-write ${HOME}/load
+read-write /var/data/load
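Review bot: This file is, as far as I recall firejail's layout, the hook that the distribution's `whitelist-common.inc` includes into every whitelist-based profile (confirm on this host), so the three `read-write` grants for `${HOME}/file`, `${HOME}/load` and `/var/data/load` now reach every such sandbox, not only the git, libreoffice and ranger profiles that include the file explicitly in this commit — including the chromium profile the same commit just switched to upstream. If these folders are meant to be writable only for the file-handling tools, a separately named local file (e.g. `rw-common.local`, a constructed name) that only those profiles include would keep the browser sandbox out of them. The three commented-out `whitelist` lines should either be removed or carry a line explaining why they are kept, e.g. `# whitelist variants kept for profiles whose home is whitelisted; enable per profile`.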