1 files changed, 52 insertions, 16 deletions
diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile
index 158cf24..8031c85 100644
--- a/.config/firejail/firefox.profile
+++ b/.config/firejail/firefox.profile
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 whitelist ${HOME}/repos/website
+whitelist ${HOME}/repos/homelab_iac/docs
 whitelist ${HOME}/documents/local_webpages/
+whitelist ${HOME}/documents/downloads/
+whitelist ${HOME}/documents/isos/
+read-only ${HOME}/documents/isos
 include whitelist-usr-share-common.inc
-# firefox requires a shell to launch on Arch.
+# Access to GPG and (limited-scope) passwords for browserpass
-#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+writable-run-user
-# Fedora use shell scripts to launch firefox, at least this is required
+noblacklist ${HOME}/.gnupg
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
+whitelist ${HOME}/.gnupg
-# private-etc must first be enabled in firefox-common.profile
+noblacklist ${RUNUSER}/gnupg
-#private-etc firefox
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/web
+whitelist ${HOME}/.local/share/password-store/homelab/user
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup
 dbus-user filter
 dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
-# Uncomment or put in your firefox.local to enable native notifications.
-#dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your firefox.local to allow to inhibit screensavers
-#dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your firefox.local for plasma browser integration
-#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
-#dbus-user.talk org.kde.JobViewServer
-#dbus-user.talk org.kde.kuiserver
 ignore dbus-user none
-# Redirect
+noblacklist ${HOME}/.pki
-include firefox-common.profile
+noblacklist ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+private-tmp
+dbus-user none
+dbus-system none
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# Breaks GPG when enabled
+#include whitelist-runuser-common.inc

diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile index 158cf24..8031c85 100644 --- a/.config/firejail/firefox.profile +++ b/.config/firejail/firefox.profile
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html
23	whitelist /usr/share/mozilla	23	whitelist /usr/share/mozilla
24	whitelist /usr/share/webext	24	whitelist /usr/share/webext
25	whitelist ${HOME}/repos/website	25	whitelist ${HOME}/repos/website
		26	whitelist ${HOME}/repos/homelab_iac/docs
26	whitelist ${HOME}/documents/local_webpages/	27	whitelist ${HOME}/documents/local_webpages/
		28	whitelist ${HOME}/documents/downloads/
		29	whitelist ${HOME}/documents/isos/
		30	read-only ${HOME}/documents/isos
27	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc
28		32
29	# firefox requires a shell to launch on Arch.	33	# Access to GPG and (limited-scope) passwords for browserpass
30	#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which	34	writable-run-user
31	# Fedora use shell scripts to launch firefox, at least this is required	35	noblacklist ${HOME}/.gnupg
32	#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname	36	whitelist ${HOME}/.gnupg
33	# private-etc must first be enabled in firefox-common.profile	37	noblacklist ${RUNUSER}/gnupg
34	#private-etc firefox	38
		39	noblacklist ${HOME}/.local/share/password-store
		40	whitelist ${HOME}/.local/share/password-store/web
		41	whitelist ${HOME}/.local/share/password-store/homelab/user
		42	whitelist ${HOME}/.local/share/password-store/homelab/proxmox
		43	whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup
35		44
36	dbus-user filter	45	dbus-user filter
37	dbus-user.own org.mozilla.Firefox.*	46	dbus-user.own org.mozilla.Firefox.*
38	dbus-user.own org.mozilla.firefox.*	47	dbus-user.own org.mozilla.firefox.*
39	dbus-user.own org.mpris.MediaPlayer2.firefox.*	48	dbus-user.own org.mpris.MediaPlayer2.firefox.*
40	# Uncomment or put in your firefox.local to enable native notifications.
41	#dbus-user.talk org.freedesktop.Notifications
42	# Uncomment or put in your firefox.local to allow to inhibit screensavers
43	#dbus-user.talk org.freedesktop.ScreenSaver
44	# Uncomment or put in your firefox.local for plasma browser integration
45	#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
46	#dbus-user.talk org.kde.JobViewServer
47	#dbus-user.talk org.kde.kuiserver
48	ignore dbus-user none	49	ignore dbus-user none
49		50
50	# Redirect	51	noblacklist ${HOME}/.pki
51	include firefox-common.profile	52	noblacklist ${HOME}/.local/share/pki
		53	mkdir ${HOME}/.pki
		54	mkdir ${HOME}/.local/share/pki
		55	whitelist ${DOWNLOADS}
		56	whitelist ${HOME}/.pki
		57	whitelist ${HOME}/.local/share/pki
		58	include whitelist-common.inc
		59	include whitelist-var-common.inc
		60
		61	apparmor
		62	caps.drop all
		63	#machine-id
		64	netfilter
		65	nodvd
		66	nogroups
		67	nonewprivs
		68	noroot
		69	notv
		70	?BROWSER_DISABLE_U2F: nou2f
		71	protocol unix,inet,inet6,netlink
		72	seccomp !chroot
		73	shell none
		74	disable-mnt
		75	?BROWSER_DISABLE_U2F: private-dev
		76	private-tmp
		77	dbus-user none
		78	dbus-system none
		79
		80	include disable-common.inc
		81	include disable-devel.inc
		82	include disable-exec.inc
		83	include disable-interpreters.inc
		84	include disable-programs.inc
		85
		86	# Breaks GPG when enabled
		87	#include whitelist-runuser-common.inc