diff options
| author | Adrian Kummerlaender | 2016-12-10 23:06:02 +0100 |
|---|---|---|
| committer | Adrian Kummerlaender | 2016-12-10 23:07:11 +0100 |
| commit | 00fb152bbcf000568389cb3c5d9b348c826e3af4 (patch) | |
| tree | 4b94bb31c69189c13253d648732d6a75ff989fd7 | |
| parent | aa7bedfde66a83289808961cea57f0d095771e70 (diff) | |
| download | dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.gz dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.bz2 dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.lz dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.xz dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.tar.zst dotfiles-00fb152bbcf000568389cb3c5d9b348c826e3af4.zip | |
Add firejail profiles for chromium and firefox
Firejail provides an easy to use process isolation tool enabling e.g. restrictions of the specific files accessible to browsers. This is obviously quite useful as there is no reason for e.g. Firefox to be able to access my SSH private keys (there was even an PDF.js exploit related to this specific threat some time back).
| -rw-r--r-- | firejail/.config/firejail/chromium.profile | 32 | ||||
| -rw-r--r-- | firejail/.config/firejail/firefox.profile | 30 |
2 files changed, 62 insertions, 0 deletions
diff --git a/firejail/.config/firejail/chromium.profile b/firejail/.config/firejail/chromium.profile new file mode 100644 index 0000000..3adf2a1 --- /dev/null +++ b/firejail/.config/firejail/chromium.profile @@ -0,0 +1,32 @@ +# Chromium browser profile +noblacklist ~/.config/chromium +noblacklist ~/.cache/chromium +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +netfilter + +whitelist ${DOWNLOADS} +mkdir ~/.config/chromium +whitelist ~/.config/chromium +mkdir ~/.cache/chromium +whitelist ~/.cache/chromium +mkdir ~/.pki +whitelist ~/.pki + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +# allowed _payload_ home directories +whitelist ~/downloads +whitelist ~/webarchive +whitelist ~/share + +# specific to Arch +whitelist ~/.config/chromium-flags.conf + +include /etc/firejail/whitelist-common.inc diff --git a/firejail/.config/firejail/firefox.profile b/firejail/.config/firejail/firefox.profile new file mode 100644 index 0000000..c7a964f --- /dev/null +++ b/firejail/.config/firejail/firefox.profile @@ -0,0 +1,30 @@ +noblacklist ~/.mozilla +noblacklist ~/.cache/mozilla + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +mkdir ~/.mozilla +whitelist ~/.mozilla +mkdir ~/.cache/mozilla/firefox +whitelist ~/.cache/mozilla/firefox +whitelist ~/dwhelper +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.pki + +# allowed _payload_ home directories +whitelist ~/downloads +whitelist ~/webarchive +whitelist ~/share + +include /etc/firejail/whitelist-common.inc |