Diffstat (limited to '.config/firejail')
-rw-r--r--.config/firejail/firefox.profile68
-rw-r--r--.config/firejail/jellyfinmediaplayer.profile30
-rw-r--r--.config/firejail/neomutt.profile10
-rw-r--r--.config/firejail/newsboat.profile10
4 files changed, 99 insertions, 19 deletions
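diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile
index 158cf24..8031c85 100644
--- a/.config/firejail/firefox.profile
+++ b/.config/firejail/firefox.profile
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 whitelist ${HOME}/repos/website
+whitelist ${HOME}/repos/homelab_iac/docs
 whitelist ${HOME}/documents/local_webpages/
+whitelist ${HOME}/documents/downloads/
+whitelist ${HOME}/documents/isos/
+read-only ${HOME}/documents/isos
 include whitelist-usr-share-common.inc
 
-# firefox requires a shell to launch on Arch.
-#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
-# Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
-# private-etc must first be enabled in firefox-common.profile
-#private-etc firefox
+# Access to GPG and (limited-scope) passwords for browserpass
+writable-run-user
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
+
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/web
+whitelist ${HOME}/.local/share/password-store/homelab/user
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup
 
 dbus-user filter
 dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
-# Uncomment or put in your firefox.local to enable native notifications.
-#dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your firefox.local to allow to inhibit screensavers
-#dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your firefox.local for plasma browser integration
-#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
-#dbus-user.talk org.kde.JobViewServer
-#dbus-user.talk org.kde.kuiserver
 ignore dbus-user none
 
-# Redirect
-include firefox-common.profile
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+private-tmp
+dbus-user none
+dbus-system none
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# Breaks GPG when enabled
+#include whitelist-runuser-common.inc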
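Review bot: `whitelist ${HOME}/.gnupg` (new line 36) mounts the whole GnuPG home read-write into the browser, and with `writable-run-user` plus the commented-out `whitelist-runuser-common.inc` everything under `$XDG_RUNTIME_DIR` is reachable, not just the agent socket. A compromised renderer or native-messaging host could then rewrite `gpg.conf`/`trustdb.gpg` or reach any other socket that happens to live in the runtime dir (a dbus or ssh-agent socket, for instance). browserpass only needs gpg to read the keyring and talk to the agent, so `read-only ${HOME}/.gnupg` is worth trying (gpg's lock files may object — verify), and re-enabling `include whitelist-runuser-common.inc` together with an explicit `whitelist ${RUNUSER}/gnupg` would narrow runtime-dir exposure to the agent sockets. If that combination is what "breaks GPG", one likely cause is `${RUNUSER}/gnupg` not existing when the sandbox starts, since firejail drops a whitelist entry whose path is absent; launching the agent first would address that. Note also that scoping the password-store whitelist does not limit what the agent will decrypt while the passphrase is cached — the key, not the store, is the boundary there.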
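diff --git a/.config/firejail/jellyfinmediaplayer.profile b/.config/firejail/jellyfinmediaplayer.profile
new file mode 100644
index 0000000..3575ec6
--- /dev/null
+++ b/.config/firejail/jellyfinmediaplayer.profile
@@ -0,0 +1,30 @@
+include globals.local
+
+name jellyfinmediaplayer
+
+dbus-user filter
+ignore dbus-user none
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-tmp
+private-dev
+dbus-user none
+dbus-system none
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc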
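Review bot: The new profile contains no `whitelist` lines at all, so apart from what `disable-common.inc`/`disable-programs.inc` blacklist, the entire home directory stays visible and writable to a player that streams and decodes content from a network server. Consider whitelisting only the directories the player actually needs (its config/cache under `${HOME}/.config` and `${HOME}/.local/share` — exact names to be confirmed with `firejail --trace`) followed by `include whitelist-common.inc`, `include whitelist-var-common.inc` and `include whitelist-runuser-common.inc`, as the other profiles in this directory do. Separately, `dbus-user filter` (line 5) with no `dbus-user.own`/`dbus-user.talk` rule grants nothing as far as I can tell; if MPRIS/media-key integration is expected it will need an `own` rule, otherwise dropping the `ignore` on line 6 and letting `dbus-user none` (line 22) stand is the clearer statement of intent.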
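diff --git a/.config/firejail/neomutt.profile b/.config/firejail/neomutt.profile
index 0a43c6f..0934bd1 100644
--- a/.config/firejail/neomutt.profile
+++ b/.config/firejail/neomutt.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mbsyncrc
 whitelist ${HOME}/.config/mbsync
 whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.w3m
+whitelist ${HOME}/attachments
 
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.cache/mutt
@@ -31,22 +32,25 @@ noblacklist ${HOME}/.mbsyncrc
 noblacklist ${HOME}/.config/mbsync
 noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.w3m
+whitelist ${HOME}/attachments
 
 # Access to GPG for encrypting/decrypting/signing mail and passwords with pass
-whitelist ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-whitelist ${RUNUSER}/gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
 
 # This assumes you keep mail account passwords under a separate directory named mail
 # This to avoid exposing all passwords to the sandbox, only necessary ones
+noblacklist ${HOME}/.local/share/password-store
 whitelist ${HOME}/.local/share/password-store/mail
-noblacklist ${HOME}/.local/share/password-store/mail
 
 # abook
 whitelist ${HOME}/.config/abook
 whitelist ${HOME}/.local/share/abook
 
+# Breaks GPG when enabled
 #include whitelist-runuser-common.inc
+
 writable-run-user
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*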
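Review bot: `whitelist ${HOME}/attachments` is added twice in this file (new lines 19 and 35); firejail tolerates the duplicate, but one copy should go, and the second one sits in a run of `noblacklist` lines where it reads as a stray. Replacing `whitelist ${RUNUSER}/gnupg` with `noblacklist ${RUNUSER}/gnupg` (new line 40) while `whitelist-runuser-common.inc` stays commented out and `writable-run-user` is set means everything under `$XDG_RUNTIME_DIR` except the X11/Wayland sockets blacklisted below is now reachable from the mail client (the dbus session socket, an ssh-agent socket if one lives there, and so on). If the whitelist form was what "broke GPG", a plausible cause is `${RUNUSER}/gnupg` not existing when the sandbox started (firejail drops whitelist entries for missing paths), which starting the agent first — `gpgconf --launch gpg-agent` in the wrapper — would address while keeping `include whitelist-runuser-common.inc` and `whitelist ${RUNUSER}/gnupg`. `whitelist ${HOME}/.gnupg` also remains read-write; `read-only ${HOME}/.gnupg` is the tighter choice if signing and decrypting still work with it (gpg may need to write lock files or the trustdb — verify).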
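diff --git a/.config/firejail/newsboat.profile b/.config/firejail/newsboat.profile
index 0de5928..ebdc76e 100644
--- a/.config/firejail/newsboat.profile
+++ b/.config/firejail/newsboat.profile
@@ -24,6 +24,16 @@ include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
+# Access to GPG for encrypting/decrypting/signing mail and passwords with pass
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
+
+# This assumes you keep mail account passwords under a separate directory named mail
+# This to avoid exposing all passwords to the sandbox, only necessary ones
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/homelab/freshrss
+
 caps.drop all
 ipc-namespace
 netfilter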
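Review bot: This profile keeps `include whitelist-runuser-common.inc` active (line 24), so the added `noblacklist ${RUNUSER}/gnupg` (new line 30) on its own most likely does not expose the gpg-agent socket — under a whitelisted `${RUNUSER}` a path must be whitelisted, not merely un-blacklisted — and `pass` inside the sandbox will fail or spawn a throwaway agent; the firefox and neomutt profiles in this same commit comment that include out for this reason, so either add `whitelist ${RUNUSER}/gnupg` here or make the three profiles consistent (whether `writable-run-user` is set further down is outside the hunk). The two comment lines are pasted from neomutt and no longer describe this profile: newsboat does not sign mail and the whitelisted entry is `homelab/freshrss`, not a `mail` directory; suggest `# Access to GPG so pass can decrypt the FreshRSS credential newsboat needs` and `# Only the freshrss entry is exposed, not the whole password store`. As in the other profiles, `whitelist ${HOME}/.gnupg` is read-write; `read-only ${HOME}/.gnupg` would be the tighter choice if decryption still works with it.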