From b6c6cfba78b597d07e383de8d5699498d385cddd Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Mon, 7 Dec 2020 07:48:23 -0300
Subject: Fix: firejail: move some profiles to their own modules

---
 config.dot/firejail/git.profile.link | 43 ------------------
 config.dot/firejail/luakit.profile.link | 13 ------
 config.dot/firejail/mutt.profile.link | 78 --------------------------------
 config.dot/firejail/ranger.profile.link | 21 ---------
 4 files changed, 155 deletions(-)
 delete mode 100644 config.dot/firejail/git.profile.link
 delete mode 100644 config.dot/firejail/luakit.profile.link
 delete mode 100644 config.dot/firejail/mutt.profile.link
 delete mode 100644 config.dot/firejail/ranger.profile.link

diff --git a/config.dot/firejail/git.profile.link b/config.dot/firejail/git.profile.link
deleted file mode 100644
index 3a5913a..0000000
--- a/config.dot/firejail/git.profile.link
+++ /dev/null
@@ -1,43 +0,0 @@
-# git profile
-quiet
-noblacklist ~/.gitconfig
-noblacklist ~/.ssh
-noblacklist ~/.gnupg
-noblacklist ~/.emacs
-noblacklist ~/.emacs.d
-noblacklist ~/.viminfo
-noblacklist ~/.vim
-
-# allow git to work with some other configs
-noblacklist ${HOME}/.config/autostart
-noblacklist ${HOME}/.mutt
-noblacklist ${HOME}/.muttrc
-noblacklist /etc/ssh
-
-# custom
-noblacklist ~/.custom/gitconfig
-noblacklist ${PATH}/nc
-noblacklist /tmp/ssh-*
-noblacklist ~/.subversion
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-# allow write operations in non-default folders
-include whitelist-common.local
-
-# allow git to work with dotfiles
-read-write ${HOME}/.dotfiles
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-nogroups
-nosound
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
diff --git a/config.dot/firejail/luakit.profile.link b/config.dot/firejail/luakit.profile.link
deleted file mode 100644
index 19ed543..0000000
--- a/config.dot/firejail/luakit.profile.link
+++ /dev/null
@@ -1,13 +0,0 @@
-# luakit profile
-
-#blacklist ${HOME}/.wine
-noblacklist ~/.config/luakit
-noblacklist ~/.local/share/luakit
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
diff --git a/config.dot/firejail/mutt.profile.link b/config.dot/firejail/mutt.profile.link
deleted file mode 100644
index eca098d..0000000
--- a/config.dot/firejail/mutt.profile.link
+++ /dev/null
@@ -1,78 +0,0 @@
-# mutt profile
-blacklist /tmp/.X11-unix
-
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ${HOME}/.Mail
-noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.cache/mutt
-noblacklist ${HOME}/.elinks
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mail
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.msmtprc
-noblacklist ${HOME}/.mutt
-noblacklist ${HOME}/.muttrc
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
-noblacklist ${HOME}/.vimrc
-noblacklist ${HOME}/.w3m
-noblacklist ${HOME}/Mail
-noblacklist ${HOME}/mail
-noblacklist ${HOME}/postponed
-noblacklist ${HOME}/sent
-
-# custom
-quiet
-noblacklist ~/.custom
-noblacklist ~/.msmtprc
-noblacklist ~/.procmailrc
-noblacklist ~/.fetchmailrc
-noblacklist ~/.getmail
-noblacklist ~/apps/utils-mail
-noblacklist /usr/bin/procmail
-noblacklist /usr/bin/fetchmail
-noblacklist /usr/bin/getmail
-noblacklist /usr/bin/getmails
-noblacklist /usr/bin/perl
-noblacklist /usr/bin/cpan*
-noblacklist /usr/share/perl*
-noblacklist /usr/lib/perl*
-
-# allow local mail
-whitelist /var/mail
-
-# allow write operations in non-default folders
-include whitelist-common.local
-
-include disable-common.inc
-include disable-devel.inc
-
-# These restrictions prevent the use of the getmails(1) script
-#include disable-interpreters.inc
-
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noroot
-nosound
-notv
-nou2f
-novideo
-writable-run-user
-
-# These restrictions prevent msmtp to use the passwordeval option
-#nonewprivs
-#protocol unix,inet,inet6
-#seccomp
-#shell none
-
-private-dev
diff --git a/config.dot/firejail/ranger.profile.link b/config.dot/firejail/ranger.profile.link
deleted file mode 100644
index 70bf94b..0000000
--- a/config.dot/firejail/ranger.profile.link
+++ /dev/null
@@ -1,21 +0,0 @@
-# ranger file manager profile
-quiet
-
-# allow write operations in non-default folders
-include whitelist-common.local
-
-# from fbreader ebook reader profile
-noblacklist ${HOME}/.FBReader
-
-# from zathura document viewer profile
-noblacklist ~/.config/zathura
-noblacklist ~/.local/share/zathura
-
-## from gimp profile
-noblacklist ${HOME}/.gimp*
-
-# from mpv profile
-noblacklist ${HOME}/.config/mpv
-
-# include the default profile
-include /etc/firejail/ranger.profile
-- 
cgit v1.2.3