From 12ce8bdd65d3b5fcd6e8227eaecd5f772a90f8da Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 11 Jun 2023 08:00:24 -0400
Subject: Configuration file updates and additions.
---
 .config/firejail/firefox.profile | 68 +++++++++++++++++++++-------
 .config/firejail/jellyfinmediaplayer.profile | 30 ++++++++++++
 .config/firejail/neomutt.profile | 10 ++--
 .config/firejail/newsboat.profile | 10 ++++
 4 files changed, 99 insertions(+), 19 deletions(-)
 create mode 100644 .config/firejail/jellyfinmediaplayer.profile
(limited to '.config/firejail')
diff --git a/.config/firejail/firefox.profile b/.config/firejail/firefox.profile
index 158cf24..8031c85 100644
--- a/.config/firejail/firefox.profile
+++ b/.config/firejail/firefox.profile
@@ -23,29 +23,65 @@ whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 whitelist ${HOME}/repos/website
+whitelist ${HOME}/repos/homelab_iac/docs
 whitelist ${HOME}/documents/local_webpages/
+whitelist ${HOME}/documents/downloads/
+whitelist ${HOME}/documents/isos/
+read-only ${HOME}/documents/isos
 include whitelist-usr-share-common.inc
-# firefox requires a shell to launch on Arch.
-#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
-# Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
-# private-etc must first be enabled in firefox-common.profile
-#private-etc firefox
+# Access to GPG and (limited-scope) passwords for browserpass
+writable-run-user
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
+
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/web
+whitelist ${HOME}/.local/share/password-store/homelab/user
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox
+whitelist ${HOME}/.local/share/password-store/homelab/proxmox-backup
 dbus-user filter
 dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
-# Uncomment or put in your firefox.local to enable native notifications.
-#dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your firefox.local to allow to inhibit screensavers
-#dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your firefox.local for plasma browser integration
-#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
-#dbus-user.talk org.kde.JobViewServer
-#dbus-user.talk org.kde.kuiserver
 ignore dbus-user none
-# Redirect
-include firefox-common.profile
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+private-tmp
+dbus-user none
+dbus-system none
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# Breaks GPG when enabled
+#include whitelist-runuser-common.inc
diff --git a/.config/firejail/jellyfinmediaplayer.profile b/.config/firejail/jellyfinmediaplayer.profile
new file mode 100644
index 0000000..3575ec6
--- /dev/null
+++ b/.config/firejail/jellyfinmediaplayer.profile
@@ -0,0 +1,30 @@
+include globals.local
+
+name jellyfinmediaplayer
+
+dbus-user filter
+ignore dbus-user none
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-tmp
+private-dev
+dbus-user none
+dbus-system none
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
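Review bot: `whitelist ${HOME}/.gnupg` bind-mounts the entire GnuPG home read-write into the browser sandbox, so a compromised Firefox process could read the private keyring files or edit gpg.conf and the trustdb; browserpass only decrypts, so `read-only ${HOME}/.gnupg` and `read-only ${HOME}/.local/share/password-store` would narrow that exposure — verify gpg still decrypts with a read-only home, since it may try to create lock files next to trustdb.gpg. Replacing `include firefox-common.profile` with an inlined copy also means future upstream changes to that file (new hardening or compatibility fixes) no longer reach this profile; if the aim is only the extra whitelists, keeping the include and placing the additions in `firefox.local` is the usual route. The `# Breaks GPG when enabled` comment would be more useful with the reason stated, presumably `# whitelist-runuser-common.inc would hide ${RUNUSER}/gnupg (gpg-agent socket); keep it disabled`.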
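Review bot: `dbus-user filter` together with `ignore dbus-user none` is set up, but no `dbus-user.own` or `dbus-user.talk` rule follows, so the session-bus proxy is configured to allow nothing while the plain `dbus-user none` further down is discarded; either add the name the player actually needs (an MPRIS name such as `dbus-user.own org.mpris.MediaPlayer2.jellyfinmediaplayer` if it registers one — confirm with `busctl --user list` while it runs) or drop the two filter lines and let `dbus-user none` stand. The profile also carries no `whitelist` directive and no `include whitelist-common.inc`, so every home-directory path not covered by the disable-*.inc blacklists is visible to the player; whitelisting only its configuration and cache directory (path not visible here) would scope it the way the firefox profile in this commit is scoped. A one-line header such as `# Firejail profile for Jellyfin Media Player` naming the program and intent would match the other profiles.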
diff --git a/.config/firejail/neomutt.profile b/.config/firejail/neomutt.profile
index 0a43c6f..0934bd1 100644
--- a/.config/firejail/neomutt.profile
+++ b/.config/firejail/neomutt.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mbsyncrc
 whitelist ${HOME}/.config/mbsync
 whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.w3m
+whitelist ${HOME}/attachments
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.cache/mutt
@@ -31,22 +32,25 @@ noblacklist ${HOME}/.mbsyncrc
 noblacklist ${HOME}/.config/mbsync
 noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.w3m
+whitelist ${HOME}/attachments
 # Access to GPG for encrypting/decrypting/signing mail and passwords with pass
-whitelist ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-whitelist ${RUNUSER}/gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
 # This assumes you keep mail account passwords under a separate directory named mail
 # This to avoid exposing all passwords to the sandbox, only necessary ones
+noblacklist ${HOME}/.local/share/password-store
 whitelist ${HOME}/.local/share/password-store/mail
-noblacklist ${HOME}/.local/share/password-store/mail
 # abook
 whitelist ${HOME}/.config/abook
 whitelist ${HOME}/.local/share/abook
+# Breaks GPG when enabled
 #include whitelist-runuser-common.inc
+
 writable-run-user
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
diff --git a/.config/firejail/newsboat.profile b/.config/firejail/newsboat.profile
index 0de5928..ebdc76e 100644
--- a/.config/firejail/newsboat.profile
+++ b/.config/firejail/newsboat.profile
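Review bot: `whitelist ${HOME}/attachments` is added twice — once in the first hunk after `whitelist ${HOME}/.w3m` and again in the second hunk after `noblacklist ${HOME}/.w3m` — so one of the two lines is redundant; keeping only the one in the whitelist block preserves the separation between the whitelist and noblacklist sections used for every other path. Swapping `whitelist ${RUNUSER}/gnupg` for `noblacklist ${RUNUSER}/gnupg` only lifts the blacklist and depends on the `writable-run-user` context line and on `whitelist-runuser-common.inc` staying commented out; the new `# Breaks GPG when enabled` comment could record that dependency, e.g. `# whitelist-runuser-common.inc would hide ${RUNUSER}/gnupg (gpg-agent socket); keep it disabled`. Moving `noblacklist` from `password-store/mail` up to the `password-store` parent is needed for the child whitelist to take effect, and a short comment saying so (`# noblacklist the parent so the single whitelisted subdirectory is reachable`) would stop a later cleanup from narrowing it again.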
@@ -24,6 +24,16 @@ include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
+# Access to GPG for encrypting/decrypting/signing mail and passwords with pass
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+noblacklist ${RUNUSER}/gnupg
+
+# This assumes you keep mail account passwords under a separate directory named mail
+# This to avoid exposing all passwords to the sandbox, only necessary ones
+noblacklist ${HOME}/.local/share/password-store
+whitelist ${HOME}/.local/share/password-store/homelab/freshrss
+
 caps.drop all
 ipc-namespace
 netfilter
-- cgit v1.2.3
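Review bot: `noblacklist ${RUNUSER}/gnupg` is added while `include whitelist-runuser-common.inc` stays in effect (context line at the top of the hunk); `noblacklist` does not whitelist anything, and the neomutt and firefox profiles in this same commit disable that include with `# Breaks GPG when enabled`, so the gpg-agent socket is presumably still hidden here — either add `whitelist ${RUNUSER}/gnupg` after the include or comment the include out as in the other two profiles, and check with `pass show homelab/freshrss` inside the sandbox. The neomutt profile pairs its `noblacklist ${RUNUSER}/gnupg` with `writable-run-user`; whether newsboat already has that line is not visible in this hunk. The copied comments describe "encrypting/decrypting/signing mail" and a password directory "named mail", but this is a feed reader and the only entry whitelisted is `homelab/freshrss`; rewording them to `# GPG access so pass can decrypt the FreshRSS credentials` and `# Expose only the FreshRSS entry to the sandbox, not the whole password store` keeps them accurate.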