diff options
Diffstat (limited to '.config/firejail')
-rw-r--r-- | .config/firejail/firefox.profile | 68 | ||||
-rw-r--r-- | .config/firejail/jellyfinmediaplayer.profile | 30 | ||||
-rw-r--r-- | .config/firejail/neomutt.profile | 10 | ||||
-rw-r--r-- | .config/firejail/newsboat.profile | 10 |
4 files changed, 99 insertions, 19 deletions
diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile index 158cf24..8031c85 100644 --- a/.config/firejail/firefox.profile +++ b/.config/firejail/firefox.profile | |||
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html | |||
23 | whitelist /usr/share/mozilla | 23 | whitelist /usr/share/mozilla |
24 | whitelist /usr/share/webext | 24 | whitelist /usr/share/webext |
25 | whitelist ${HOME}/repos/website | 25 | whitelist ${HOME}/repos/website |
26 | whitelist ${HOME}/repos/homelab_iac/docs | ||
26 | whitelist ${HOME}/documents/local_webpages/ | 27 | whitelist ${HOME}/documents/local_webpages/ |
28 | whitelist ${HOME}/documents/downloads/ | ||
29 | whitelist ${HOME}/documents/isos/ | ||
30 | read-only ${HOME}/documents/isos | ||
27 | include whitelist-usr-share-common.inc | 31 | include whitelist-usr-share-common.inc |
28 | 32 | ||
29 | # firefox requires a shell to launch on Arch. | 33 | # Access to GPG and (limited-scope) passwords for browserpass |
30 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which | 34 | writable-run-user |
31 | # Fedora use shell scripts to launch firefox, at least this is required | 35 | noblacklist ${HOME}/.gnupg |
32 | #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname | 36 | whitelist ${HOME}/.gnupg |
33 | # private-etc must first be enabled in firefox-common.profile | 37 | noblacklist ${RUNUSER}/gnupg |
34 | #private-etc firefox | 38 | |
39 | noblacklist ${HOME}/.local/share/password-store | ||
40 | whitelist ${HOME}/.local/share/password-store/web | ||
41 | whitelist ${HOME}/.local/share/password-store/homelab/user | ||
42 | whitelist ${HOME}/.local/share/password-store/homelab/proxmox | ||
43 | whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup | ||
35 | 44 | ||
36 | dbus-user filter | 45 | dbus-user filter |
37 | dbus-user.own org.mozilla.Firefox.* | 46 | dbus-user.own org.mozilla.Firefox.* |
38 | dbus-user.own org.mozilla.firefox.* | 47 | dbus-user.own org.mozilla.firefox.* |
39 | dbus-user.own org.mpris.MediaPlayer2.firefox.* | 48 | dbus-user.own org.mpris.MediaPlayer2.firefox.* |
40 | # Uncomment or put in your firefox.local to enable native notifications. | ||
41 | #dbus-user.talk org.freedesktop.Notifications | ||
42 | # Uncomment or put in your firefox.local to allow to inhibit screensavers | ||
43 | #dbus-user.talk org.freedesktop.ScreenSaver | ||
44 | # Uncomment or put in your firefox.local for plasma browser integration | ||
45 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | ||
46 | #dbus-user.talk org.kde.JobViewServer | ||
47 | #dbus-user.talk org.kde.kuiserver | ||
48 | ignore dbus-user none | 49 | ignore dbus-user none |
49 | 50 | ||
50 | # Redirect | 51 | noblacklist ${HOME}/.pki |
51 | include firefox-common.profile | 52 | noblacklist ${HOME}/.local/share/pki |
53 | mkdir ${HOME}/.pki | ||
54 | mkdir ${HOME}/.local/share/pki | ||
55 | whitelist ${DOWNLOADS} | ||
56 | whitelist ${HOME}/.pki | ||
57 | whitelist ${HOME}/.local/share/pki | ||
58 | include whitelist-common.inc | ||
59 | include whitelist-var-common.inc | ||
60 | |||
61 | apparmor | ||
62 | caps.drop all | ||
63 | #machine-id | ||
64 | netfilter | ||
65 | nodvd | ||
66 | nogroups | ||
67 | nonewprivs | ||
68 | noroot | ||
69 | notv | ||
70 | ?BROWSER_DISABLE_U2F: nou2f | ||
71 | protocol unix,inet,inet6,netlink | ||
72 | seccomp !chroot | ||
73 | shell none | ||
74 | disable-mnt | ||
75 | ?BROWSER_DISABLE_U2F: private-dev | ||
76 | private-tmp | ||
77 | dbus-user none | ||
78 | dbus-system none | ||
79 | |||
80 | include disable-common.inc | ||
81 | include disable-devel.inc | ||
82 | include disable-exec.inc | ||
83 | include disable-interpreters.inc | ||
84 | include disable-programs.inc | ||
85 | |||
86 | # Breaks GPG when enabled | ||
87 | #include whitelist-runuser-common.inc | ||
diff --git a/.config/firejail/jellyfinmediaplayer.profile b/.config/firejail/jellyfinmediaplayer.profile new file mode 100644 index 0000000..3575ec6 --- /dev/null +++ b/.config/firejail/jellyfinmediaplayer.profile | |||
@@ -0,0 +1,30 @@ | |||
1 | include globals.local | ||
2 | |||
3 | name jellyfinmediaplayer | ||
4 | |||
5 | dbus-user filter | ||
6 | ignore dbus-user none | ||
7 | |||
8 | apparmor | ||
9 | caps.drop all | ||
10 | netfilter | ||
11 | nodvd | ||
12 | nogroups | ||
13 | nonewprivs | ||
14 | noroot | ||
15 | notv | ||
16 | protocol unix,inet,inet6,netlink | ||
17 | seccomp !chroot | ||
18 | shell none | ||
19 | disable-mnt | ||
20 | private-tmp | ||
21 | private-dev | ||
22 | dbus-user none | ||
23 | dbus-system none | ||
24 | |||
25 | include disable-common.inc | ||
26 | include disable-devel.inc | ||
27 | include disable-exec.inc | ||
28 | include disable-interpreters.inc | ||
29 | include disable-programs.inc | ||
30 | include disable-shell.inc | ||
diff --git a/.config/firejail/neomutt.profile b/.config/firejail/neomutt.profile index 0a43c6f..0934bd1 100644 --- a/.config/firejail/neomutt.profile +++ b/.config/firejail/neomutt.profile | |||
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mbsyncrc | |||
16 | whitelist ${HOME}/.config/mbsync | 16 | whitelist ${HOME}/.config/mbsync |
17 | whitelist ${HOME}/.config/msmtp | 17 | whitelist ${HOME}/.config/msmtp |
18 | whitelist ${HOME}/.w3m | 18 | whitelist ${HOME}/.w3m |
19 | whitelist ${HOME}/attachments | ||
19 | 20 | ||
20 | noblacklist ${HOME}/.Mail | 21 | noblacklist ${HOME}/.Mail |
21 | noblacklist ${HOME}/.cache/mutt | 22 | noblacklist ${HOME}/.cache/mutt |
@@ -31,22 +32,25 @@ noblacklist ${HOME}/.mbsyncrc | |||
31 | noblacklist ${HOME}/.config/mbsync | 32 | noblacklist ${HOME}/.config/mbsync |
32 | noblacklist ${HOME}/.config/msmtp | 33 | noblacklist ${HOME}/.config/msmtp |
33 | noblacklist ${HOME}/.w3m | 34 | noblacklist ${HOME}/.w3m |
35 | whitelist ${HOME}/attachments | ||
34 | 36 | ||
35 | # Access to GPG for encrypting/decrypting/signing mail and passwords with pass | 37 | # Access to GPG for encrypting/decrypting/signing mail and passwords with pass |
36 | whitelist ${HOME}/.gnupg | ||
37 | noblacklist ${HOME}/.gnupg | 38 | noblacklist ${HOME}/.gnupg |
38 | whitelist ${RUNUSER}/gnupg | 39 | whitelist ${HOME}/.gnupg |
40 | noblacklist ${RUNUSER}/gnupg | ||
39 | 41 | ||
40 | # This assumes you keep mail account passwords under a separate directory named mail | 42 | # This assumes you keep mail account passwords under a separate directory named mail |
41 | # This to avoid exposing all passwords to the sandbox, only necessary ones | 43 | # This to avoid exposing all passwords to the sandbox, only necessary ones |
44 | noblacklist ${HOME}/.local/share/password-store | ||
42 | whitelist ${HOME}/.local/share/password-store/mail | 45 | whitelist ${HOME}/.local/share/password-store/mail |
43 | noblacklist ${HOME}/.local/share/password-store/mail | ||
44 | 46 | ||
45 | # abook | 47 | # abook |
46 | whitelist ${HOME}/.config/abook | 48 | whitelist ${HOME}/.config/abook |
47 | whitelist ${HOME}/.local/share/abook | 49 | whitelist ${HOME}/.local/share/abook |
48 | 50 | ||
51 | # Breaks GPG when enabled | ||
49 | #include whitelist-runuser-common.inc | 52 | #include whitelist-runuser-common.inc |
53 | |||
50 | writable-run-user | 54 | writable-run-user |
51 | blacklist /tmp/.X11-unix | 55 | blacklist /tmp/.X11-unix |
52 | blacklist ${RUNUSER}/wayland-* | 56 | blacklist ${RUNUSER}/wayland-* |
diff --git a/.config/firejail/newsboat.profile b/.config/firejail/newsboat.profile index 0de5928..ebdc76e 100644 --- a/.config/firejail/newsboat.profile +++ b/.config/firejail/newsboat.profile | |||
@@ -24,6 +24,16 @@ include whitelist-common.inc | |||
24 | include whitelist-runuser-common.inc | 24 | include whitelist-runuser-common.inc |
25 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
26 | 26 | ||
27 | # Access to GPG for encrypting/decrypting/signing mail and passwords with pass | ||
28 | noblacklist ${HOME}/.gnupg | ||
29 | whitelist ${HOME}/.gnupg | ||
30 | noblacklist ${RUNUSER}/gnupg | ||
31 | |||
32 | # This assumes you keep mail account passwords under a separate directory named mail | ||
33 | # This to avoid exposing all passwords to the sandbox, only necessary ones | ||
34 | noblacklist ${HOME}/.local/share/password-store | ||
35 | whitelist ${HOME}/.local/share/password-store/homelab/freshrss | ||
36 | |||
27 | caps.drop all | 37 | caps.drop all |
28 | ipc-namespace | 38 | ipc-namespace |
29 | netfilter | 39 | netfilter |