From 00fb152bbcf000568389cb3c5d9b348c826e3af4 Mon Sep 17 00:00:00 2001 From: Adrian Kummerlaender Date: Sat, 10 Dec 2016 23:06:02 +0100 Subject: Add firejail profiles for chromium and firefox Firejail provides an easy to use process isolation tool enabling e.g. restrictions of the specific files accessible to browsers. This is obviously quite useful as there is no reason for e.g. Firefox to be able to access my SSH private keys (there was even an PDF.js exploit related to this specific threat some time back). --- firejail/.config/firejail/chromium.profile | 32 ++++++++++++++++++++++++++++++ firejail/.config/firejail/firefox.profile | 30 ++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 firejail/.config/firejail/chromium.profile create mode 100644 firejail/.config/firejail/firefox.profile diff --git a/firejail/.config/firejail/chromium.profile b/firejail/.config/firejail/chromium.profile new file mode 100644 index 0000000..3adf2a1 --- /dev/null +++ b/firejail/.config/firejail/chromium.profile @@ -0,0 +1,32 @@ +# Chromium browser profile +noblacklist ~/.config/chromium +noblacklist ~/.cache/chromium +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +netfilter + +whitelist ${DOWNLOADS} +mkdir ~/.config/chromium +whitelist ~/.config/chromium +mkdir ~/.cache/chromium +whitelist ~/.cache/chromium +mkdir ~/.pki +whitelist ~/.pki + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +# allowed _payload_ home directories +whitelist ~/downloads +whitelist ~/webarchive +whitelist ~/share + +# specific to Arch +whitelist ~/.config/chromium-flags.conf + +include /etc/firejail/whitelist-common.inc diff --git a/firejail/.config/firejail/firefox.profile b/firejail/.config/firejail/firefox.profile new file mode 100644 index 0000000..c7a964f --- /dev/null +++ b/firejail/.config/firejail/firefox.profile @@ -0,0 +1,30 @@ +noblacklist ~/.mozilla +noblacklist ~/.cache/mozilla + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +mkdir ~/.mozilla +whitelist ~/.mozilla +mkdir ~/.cache/mozilla/firefox +whitelist ~/.cache/mozilla/firefox +whitelist ~/dwhelper +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.pki + +# allowed _payload_ home directories +whitelist ~/downloads +whitelist ~/webarchive +whitelist ~/share + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3