Configuration file updates and additions.

author: Sam Chudnick <sam@chudnick.com> 2023-06-11 08:00:24 -0400
committer: Sam Chudnick <sam@chudnick.com> 2023-06-11 08:00:24 -0400
commit: 12ce8bdd65d3b5fcd6e8227eaecd5f772a90f8da (patch)
tree: 5be7566c5ef41877e1d03a013667fdae1aedf252 /.config/firejail
parent: 9e82c96713989a7565eadac505b36e3dbe91cd5a (diff)
4 files changed, 99 insertions, 19 deletions
diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile
index 158cf24..8031c85 100644
--- a/.config/firejail/firefox.profile
+++ b/.config/firejail/firefox.profile
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 whitelist ${HOME}/repos/website
+whitelist ${HOME}/repos/homelab_iac/docs
 whitelist ${HOME}/documents/local_webpages/
+whitelist ${HOME}/documents/downloads/
+whitelist ${HOME}/documents/isos/
+read-only ${HOME}/documents/isos
 include whitelist-usr-share-common.inc
-# firefox requires a shell to launch on Arch.
+# Access to GPG and (limited-scope) passwords for browserpass
-#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+writable-run-user
-# Fedora use shell scripts to launch firefox, at least this is required
+noblacklist ${HOME}/.gnupg
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
+whitelist ${HOME}/.gnupg
-# private-etc must first be enabled in firefox-common.profile
+noblacklist ${RUNUSER}/gnupg
-#private-etc firefox
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/web
+whitelist ${HOME}/.local/share/password-store/homelab/user
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup
 dbus-user filter
 dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
-# Uncomment or put in your firefox.local to enable native notifications.
-#dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your firefox.local to allow to inhibit screensavers
-#dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your firefox.local for plasma browser integration
-#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
-#dbus-user.talk org.kde.JobViewServer
-#dbus-user.talk org.kde.kuiserver
 ignore dbus-user none
-# Redirect
+noblacklist ${HOME}/.pki
-include firefox-common.profile
+noblacklist ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+private-tmp
+dbus-user none
+dbus-system none
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# Breaks GPG when enabled
+#include whitelist-runuser-common.inc
diff --git a/.config/firejail/jellyfinmediaplayer.profile b/.config/firejail/jellyfinmediaplayer.profile
new file mode 100644
index 0000000..3575ec6
--- /dev/null
+++ b/.config/firejail/jellyfinmediaplayer.profile
@@ -0,0 +1,30 @@
+include globals.local
+name jellyfinmediaplayer
+dbus-user filter
+ignore dbus-user none
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-tmp
+private-dev
+dbus-user none
+dbus-system none
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
diff --git a/.config/firejail/neomutt.profile b/.config/firejail/neomutt.profile
index 0a43c6f..0934bd1 100644
--- a/.config/firejail/neomutt.profile
+++ b/.config/firejail/neomutt.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mbsyncrc
 whitelist ${HOME}/.config/mbsync
 whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.w3m
+whitelist ${HOME}/attachments
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.cache/mutt
@@ -31,22 +32,25 @@ noblacklist ${HOME}/.mbsyncrc
 noblacklist ${HOME}/.config/mbsync
 noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.w3m
+whitelist ${HOME}/attachments
 # Access to GPG for encrypting/decrypting/signing mail and passwords with pass
-whitelist ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-whitelist ${RUNUSER}/gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
 # This assumes you keep mail account passwords under a separate directory named mail
 # This to avoid exposing all passwords to the sandbox, only necessary ones
+noblacklist ${HOME}/.local/share/password-store
 whitelist ${HOME}/.local/share/password-store/mail
-noblacklist ${HOME}/.local/share/password-store/mail
 # abook
 whitelist ${HOME}/.config/abook
 whitelist ${HOME}/.local/share/abook
+# Breaks GPG when enabled
 #include whitelist-runuser-common.inc
 writable-run-user
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
diff --git a/.config/firejail/newsboat.profile b/.config/firejail/newsboat.profile
index 0de5928..ebdc76e 100644
--- a/.config/firejail/newsboat.profile
+++ b/.config/firejail/newsboat.profile
@@ -24,6 +24,16 @@ include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
+# Access to GPG for encrypting/decrypting/signing mail and passwords with pass
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
+# This assumes you keep mail account passwords under a separate directory named mail
+# This to avoid exposing all passwords to the sandbox, only necessary ones
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/homelab/freshrss
 caps.drop all
 ipc-namespace
 netfilter
author	Sam Chudnick <sam@chudnick.com>	2023-06-11 08:00:24 -0400
committer	Sam Chudnick <sam@chudnick.com>	2023-06-11 08:00:24 -0400
commit	12ce8bdd65d3b5fcd6e8227eaecd5f772a90f8da (patch)
tree	5be7566c5ef41877e1d03a013667fdae1aedf252 /.config/firejail
parent	9e82c96713989a7565eadac505b36e3dbe91cd5a (diff)

diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile index 158cf24..8031c85 100644 --- a/.config/firejail/firefox.profile +++ b/.config/firejail/firefox.profile
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html
23	whitelist /usr/share/mozilla	23	whitelist /usr/share/mozilla
24	whitelist /usr/share/webext	24	whitelist /usr/share/webext
25	whitelist ${HOME}/repos/website	25	whitelist ${HOME}/repos/website
		26	whitelist ${HOME}/repos/homelab_iac/docs
26	whitelist ${HOME}/documents/local_webpages/	27	whitelist ${HOME}/documents/local_webpages/
		28	whitelist ${HOME}/documents/downloads/
		29	whitelist ${HOME}/documents/isos/
		30	read-only ${HOME}/documents/isos
27	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc
28		32
29	# firefox requires a shell to launch on Arch.	33	# Access to GPG and (limited-scope) passwords for browserpass
30	#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which	34	writable-run-user
31	# Fedora use shell scripts to launch firefox, at least this is required	35	noblacklist ${HOME}/.gnupg
32	#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname	36	whitelist ${HOME}/.gnupg
33	# private-etc must first be enabled in firefox-common.profile	37	noblacklist ${RUNUSER}/gnupg
34	#private-etc firefox	38
		39	noblacklist ${HOME}/.local/share/password-store
		40	whitelist ${HOME}/.local/share/password-store/web
		41	whitelist ${HOME}/.local/share/password-store/homelab/user
		42	whitelist ${HOME}/.local/share/password-store/homelab/proxmox
		43	whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup
35		44
36	dbus-user filter	45	dbus-user filter
37	dbus-user.own org.mozilla.Firefox.*	46	dbus-user.own org.mozilla.Firefox.*
38	dbus-user.own org.mozilla.firefox.*	47	dbus-user.own org.mozilla.firefox.*
39	dbus-user.own org.mpris.MediaPlayer2.firefox.*	48	dbus-user.own org.mpris.MediaPlayer2.firefox.*
40	# Uncomment or put in your firefox.local to enable native notifications.
41	#dbus-user.talk org.freedesktop.Notifications
42	# Uncomment or put in your firefox.local to allow to inhibit screensavers
43	#dbus-user.talk org.freedesktop.ScreenSaver
44	# Uncomment or put in your firefox.local for plasma browser integration
45	#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
46	#dbus-user.talk org.kde.JobViewServer
47	#dbus-user.talk org.kde.kuiserver
48	ignore dbus-user none	49	ignore dbus-user none
49		50
50	# Redirect	51	noblacklist ${HOME}/.pki
51	include firefox-common.profile	52	noblacklist ${HOME}/.local/share/pki
		53	mkdir ${HOME}/.pki
		54	mkdir ${HOME}/.local/share/pki
		55	whitelist ${DOWNLOADS}
		56	whitelist ${HOME}/.pki
		57	whitelist ${HOME}/.local/share/pki
		58	include whitelist-common.inc
		59	include whitelist-var-common.inc
		60
		61	apparmor
		62	caps.drop all
		63	#machine-id
		64	netfilter
		65	nodvd
		66	nogroups
		67	nonewprivs
		68	noroot
		69	notv
		70	?BROWSER_DISABLE_U2F: nou2f
		71	protocol unix,inet,inet6,netlink
		72	seccomp !chroot
		73	shell none
		74	disable-mnt
		75	?BROWSER_DISABLE_U2F: private-dev
		76	private-tmp
		77	dbus-user none
		78	dbus-system none
		79
		80	include disable-common.inc
		81	include disable-devel.inc
		82	include disable-exec.inc
		83	include disable-interpreters.inc
		84	include disable-programs.inc
		85
		86	# Breaks GPG when enabled
		87	#include whitelist-runuser-common.inc


diff --git a/.config/firejail/jellyfinmediaplayer.profile b/.config/firejail/jellyfinmediaplayer.profile new file mode 100644 index 0000000..3575ec6 --- /dev/null +++ b/.config/firejail/jellyfinmediaplayer.profile
@@ -0,0 +1,30 @@
		1	include globals.local
		2
		3	name jellyfinmediaplayer
		4
		5	dbus-user filter
		6	ignore dbus-user none
		7
		8	apparmor
		9	caps.drop all
		10	netfilter
		11	nodvd
		12	nogroups
		13	nonewprivs
		14	noroot
		15	notv
		16	protocol unix,inet,inet6,netlink
		17	seccomp !chroot
		18	shell none
		19	disable-mnt
		20	private-tmp
		21	private-dev
		22	dbus-user none
		23	dbus-system none
		24
		25	include disable-common.inc
		26	include disable-devel.inc
		27	include disable-exec.inc
		28	include disable-interpreters.inc
		29	include disable-programs.inc
		30	include disable-shell.inc


diff --git a/.config/firejail/neomutt.profile b/.config/firejail/neomutt.profile index 0a43c6f..0934bd1 100644 --- a/.config/firejail/neomutt.profile +++ b/.config/firejail/neomutt.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mbsyncrc
16	whitelist ${HOME}/.config/mbsync	16	whitelist ${HOME}/.config/mbsync
17	whitelist ${HOME}/.config/msmtp	17	whitelist ${HOME}/.config/msmtp
18	whitelist ${HOME}/.w3m	18	whitelist ${HOME}/.w3m
		19	whitelist ${HOME}/attachments
19		20
20	noblacklist ${HOME}/.Mail	21	noblacklist ${HOME}/.Mail
21	noblacklist ${HOME}/.cache/mutt	22	noblacklist ${HOME}/.cache/mutt
@@ -31,22 +32,25 @@ noblacklist ${HOME}/.mbsyncrc
31	noblacklist ${HOME}/.config/mbsync	32	noblacklist ${HOME}/.config/mbsync
32	noblacklist ${HOME}/.config/msmtp	33	noblacklist ${HOME}/.config/msmtp
33	noblacklist ${HOME}/.w3m	34	noblacklist ${HOME}/.w3m
		35	whitelist ${HOME}/attachments
34		36
35	# Access to GPG for encrypting/decrypting/signing mail and passwords with pass	37	# Access to GPG for encrypting/decrypting/signing mail and passwords with pass
36	whitelist ${HOME}/.gnupg
37	noblacklist ${HOME}/.gnupg	38	noblacklist ${HOME}/.gnupg
38	whitelist ${RUNUSER}/gnupg	39	whitelist ${HOME}/.gnupg
		40	noblacklist ${RUNUSER}/gnupg
39		41
40	# This assumes you keep mail account passwords under a separate directory named mail	42	# This assumes you keep mail account passwords under a separate directory named mail
41	# This to avoid exposing all passwords to the sandbox, only necessary ones	43	# This to avoid exposing all passwords to the sandbox, only necessary ones
		44	noblacklist ${HOME}/.local/share/password-store
42	whitelist ${HOME}/.local/share/password-store/mail	45	whitelist ${HOME}/.local/share/password-store/mail
43	noblacklist ${HOME}/.local/share/password-store/mail
44		46
45	# abook	47	# abook
46	whitelist ${HOME}/.config/abook	48	whitelist ${HOME}/.config/abook
47	whitelist ${HOME}/.local/share/abook	49	whitelist ${HOME}/.local/share/abook
48		50
		51	# Breaks GPG when enabled
49	#include whitelist-runuser-common.inc	52	#include whitelist-runuser-common.inc
		53
50	writable-run-user	54	writable-run-user
51	blacklist /tmp/.X11-unix	55	blacklist /tmp/.X11-unix
52	blacklist ${RUNUSER}/wayland-*	56	blacklist ${RUNUSER}/wayland-*


diff --git a/.config/firejail/newsboat.profile b/.config/firejail/newsboat.profile index 0de5928..ebdc76e 100644 --- a/.config/firejail/newsboat.profile +++ b/.config/firejail/newsboat.profile
@@ -24,6 +24,16 @@ include whitelist-common.inc
24	include whitelist-runuser-common.inc	24	include whitelist-runuser-common.inc
25	include whitelist-var-common.inc	25	include whitelist-var-common.inc
26		26
		27	# Access to GPG for encrypting/decrypting/signing mail and passwords with pass
		28	noblacklist ${HOME}/.gnupg
		29	whitelist ${HOME}/.gnupg
		30	noblacklist ${RUNUSER}/gnupg
		31
		32	# This assumes you keep mail account passwords under a separate directory named mail
		33	# This to avoid exposing all passwords to the sandbox, only necessary ones
		34	noblacklist ${HOME}/.local/share/password-store
		35	whitelist ${HOME}/.local/share/password-store/homelab/freshrss
		36
27	caps.drop all	37	caps.drop all
28	ipc-namespace	38	ipc-namespace
29	netfilter	39	netfilter