aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdrian Kummerlaender2016-12-10 23:06:02 +0100
committerAdrian Kummerlaender2016-12-10 23:07:11 +0100
commit00fb152bbcf000568389cb3c5d9b348c826e3af4 (patch)
tree4b94bb31c69189c13253d648732d6a75ff989fd7
parentaa7bedfde66a83289808961cea57f0d095771e70 (diff)
downloaddotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar
dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.gz
dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.bz2
dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.xz
dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.zip
Add firejail profiles for chromium and firefox
Firejail provides an easy to use process isolation tool enabling e.g. restrictions of the specific files accessible to browsers. This is obviously quite useful as there is no reason for e.g. Firefox to be able to access my SSH private keys (there was even an PDF.js exploit related to this specific threat some time back).
-rw-r--r--firejail/.config/firejail/chromium.profile32
-rw-r--r--firejail/.config/firejail/firefox.profile30
2 files changed, 62 insertions, 0 deletions
diff --git a/firejail/.config/firejail/chromium.profile b/firejail/.config/firejail/chromium.profile
new file mode 100644
index 0000000..3adf2a1
--- /dev/null
+++ b/firejail/.config/firejail/chromium.profile
@@ -0,0 +1,32 @@
+# Chromium browser profile
+noblacklist ~/.config/chromium
+noblacklist ~/.cache/chromium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/chromium
+whitelist ~/.config/chromium
+mkdir ~/.cache/chromium
+whitelist ~/.cache/chromium
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# allowed _payload_ home directories
+whitelist ~/downloads
+whitelist ~/webarchive
+whitelist ~/share
+
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/.config/firejail/firefox.profile b/firejail/.config/firejail/firefox.profile
new file mode 100644
index 0000000..c7a964f
--- /dev/null
+++ b/firejail/.config/firejail/firefox.profile
@@ -0,0 +1,30 @@
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.pki
+
+# allowed _payload_ home directories
+whitelist ~/downloads
+whitelist ~/webarchive
+whitelist ~/share
+
+include /etc/firejail/whitelist-common.inc