Added customizations for several firejail profiles

Configured local customizations for several firejail profiles.
Whitelisted non-standard paths needed for firefox and newsboat.
Blacklisted non-standard password manager paths.

3 files changed, 107 insertions, 0 deletions

diff --git a/.config/firejail/disable-passwdmgr.local b/.config/firejail/disable-passwdmgr.local
new file mode 100644
index 0000000..7843019
--- /dev/null
+++ b/.config/firejail/disable-passwdmgr.local
@@ -0,0 +1,2 @@
+blacklist ${HOME}/.local/share/password-store
+blacklist ${HOME}/.config/keepassxc/
diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile
new file mode 100644
index 0000000..158cf24
--- /dev/null
+++ b/.config/firejail/firefox.profile
@@ -0,0 +1,51 @@
+# Firejail profile for firefox
+# Description: Safe and easy web browser from Mozilla
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox.local
+# Persistent global definitions
+include globals.local
+
+name firefox
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.mozilla
+
+whitelist /usr/share/doc
+whitelist /usr/share/firefox
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+whitelist ${HOME}/repos/website
+whitelist ${HOME}/documents/local_webpages/
+include whitelist-usr-share-common.inc
+
+# firefox requires a shell to launch on Arch.
+#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
+# private-etc must first be enabled in firefox-common.profile
+#private-etc firefox
+
+dbus-user filter
+dbus-user.own org.mozilla.Firefox.*
+dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mpris.MediaPlayer2.firefox.*
+# Uncomment or put in your firefox.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Uncomment or put in your firefox.local to allow to inhibit screensavers
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Uncomment or put in your firefox.local for plasma browser integration
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/.config/firejail/newsboat.profile b/.config/firejail/newsboat.profile
new file mode 100644
index 0000000..0de5928
--- /dev/null
+++ b/.config/firejail/newsboat.profile
@@ -0,0 +1,54 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsboat
+whitelist ${HOME}/repos/website/rss.xml
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gzip,lynx,newsboat,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+quiet