From 12ce8bdd65d3b5fcd6e8227eaecd5f772a90f8da Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 11 Jun 2023 08:00:24 -0400
Subject: Configuration file updates and additions.

---
.config/firejail/firefox.profile | 68 ++++++++++++++++++++++++++++++----------
1 file changed, 52 insertions(+), 16 deletions(-)
(limited to '.config/firejail/firefox.profile')
diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile
index 158cf24..8031c85 100644
--- a/.config/firejail/firefox.profile
+++ b/.config/firejail/firefox.profile
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 whitelist ${HOME}/repos/website
+whitelist ${HOME}/repos/homelab_iac/docs
 whitelist ${HOME}/documents/local_webpages/
+whitelist ${HOME}/documents/downloads/
+whitelist ${HOME}/documents/isos/
+read-only ${HOME}/documents/isos
 include whitelist-usr-share-common.inc
-# firefox requires a shell to launch on Arch.
-#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
-# Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
-# private-etc must first be enabled in firefox-common.profile
-#private-etc firefox
+# Access to GPG and (limited-scope) passwords for browserpass
+writable-run-user
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
+
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/web
+whitelist ${HOME}/.local/share/password-store/homelab/user
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup
 dbus-user filter
 dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
-# Uncomment or put in your firefox.local to enable native notifications.
-#dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your firefox.local to allow to inhibit screensavers
-#dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your firefox.local for plasma browser integration
-#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
-#dbus-user.talk org.kde.JobViewServer
-#dbus-user.talk org.kde.kuiserver
 ignore dbus-user none
-# Redirect
-include firefox-common.profile
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+private-tmp
+dbus-user none
+dbus-system none
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# Breaks GPG when enabled
+#include whitelist-runuser-common.inc
--
cgit v1.2.3
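Review bot: The added `whitelist ${HOME}/.gnupg` (together with `noblacklist ${HOME}/.gnupg` just above it) mounts the whole GnuPG home, private key store and trustdb included, read-write into the browser sandbox, even though the private-key operations browserpass needs are served through the agent socket that `writable-run-user` and `noblacklist ${RUNUSER}/gnupg` already expose. Consider adding `read-only ${HOME}/.gnupg` directly after that whitelist, matching the `read-only` already used for the isos directory, so a compromised renderer or extension cannot rewrite the keyring or trust settings; verify with a test decrypt first, since gpg inside the jail may still want to create lock files there. Separately, the new `dbus-user none` near the end of the hunk is presumably neutralised by the `ignore dbus-user none` that survives earlier in the file (it existed to override firefox-common.profile, which this commit stops including), so the effective policy stays `dbus-user filter` with the `dbus-user.own` rules — keep one of the two lines so the intent is explicit. The trailing `# Breaks GPG when enabled` would serve a future reader better as `# whitelist-runuser-common.inc hides the ${RUNUSER}/gnupg agent socket that browserpass relies on`, if that is indeed the failure observed.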