Update profiles to use XDG config dirs, even in the case of applicati…

…ons which don't normally follow those (you may have to change paths if you don't use this)
chiraag-nataraj · Jan 24, 2019 · 8768270 · 8768270
1 parent b535a44
commit 8768270
Show file tree

Hide file tree

Showing 15 changed files with 98 additions and 62 deletions.
diff --git a/Viber.profile b/Viber.profile
@@ -6,9 +6,10 @@ ignore memory-deny-write-execute
 
 include ${HOME}/.config/firejail/common.inc
 
-mkdir ${HOME}/.ViberPC
+mkdir ${HOME}/.config/ViberPC
 
 whitelist ${HOME}/.ViberPC
+whitelist ${HOME}/.config/ViberPC
 whitelist ${DOWNLOADS}
 
 private-bin sh,dig,awk,xdg-mime,cut,touch,mv

diff --git a/chromium.profile b/chromium.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/chromium
 
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.themes
-whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.config/gtk-3.0
 
 whitelist ${DOWNLOADS}
 
@@ -37,3 +37,4 @@ private-etc fonts,alternatives,X11,pulse,resolv.conf,localtime,chromium.d
 # whitelist /dev/zero
 
 caps.keep sys_chroot,sys_admin
+blacklist /usr/share/fonts/truetype/unifont
diff --git a/elinks.profile b/elinks.profile
@@ -3,7 +3,7 @@ ignore net none
 include ${HOME}/.config/firejail/common.inc
 
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.elinks
+whitelist ${HOME}/.config/elinks
 
 private-bin elinks
 private-lib

diff --git a/emacs.profile b/emacs.profile
@@ -1,5 +1,5 @@
 ignore private-tmp
-ignore private-dev
+ignore noexec ${HOME}
 
 include ${HOME}/.config/firejail/common.inc
 
@@ -9,22 +9,18 @@ include ${HOME}/.config/firejail/common.inc
 whitelist /tmp/user/1000/
 whitelist /tmp/.X11-unix/
 
-mkfile ${HOME}/.emacs
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/emacs_tmp/
+mkdir ${HOME}/.config/emacs
 
 whitelist ${DOWNLOADS}
 whitelist ${DOCUMENTS}
-whitelist ${HOME}/.emacs
 whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.config/emacs
 whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.git
-whitelist ${HOME}/mpd/socket
-whitelist ${HOME}/texmf
-whitelist ${HOME}/emacs_tmp
+whitelist ${HOME}/.local/share/fonts
+whitelist ${HOME}/.local/share/texmf
 
 keep-var-tmp
 writable-var
 writable-run-user
 keep-dev-shm
+
diff --git a/firefox.profile b/firefox.profile
@@ -6,19 +6,20 @@ ignore memory-deny-write-execute
 
 include ${HOME}/.config/firejail/common.inc
 
-mkdir ${HOME}/.mozilla/firefox
+mkdir ${HOME}/.config/mozilla/firefox
 
-whitelist ${HOME}/.mozilla/firefox
+# whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.config/mozilla/firefox
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pulse
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.config/pulse
 whitelist ${HOME}/.config/gtk-3.0
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
-whitelist ${HOME}/.themes
+whitelist ${HOME}/.local/share/themes
 
-private-bin firefox,firefox-esr,which,sh,env
+private-bin firefox,firefox-esr,which,sh,env,bash
 private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,X11,pulse,alternatives,localtime,nsswitch.conf,resolv.conf
 
 # Disabled for now because it crashes certain sites
@@ -32,3 +33,4 @@ private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,X11,pulse,
 # whitelist /usr/share/zoneinfo
 # whitelist /usr/share/locale
 # whitelist /usr/share/glib-2.0
+blacklist /usr/share/fonts/truetype/unifont
diff --git a/freecadcmd.profile b/freecadcmd.profile
@@ -1,5 +1 @@
-# Firejail profile alias for freecad
-# This file is overwritten after every install/update
-
-
 include ${HOME}/.config/firejail/freecad.profile
diff --git a/git.profile b/git.profile
@@ -2,13 +2,13 @@ ignore blacklist /usr/share/
 include ${HOME}/.config/firejail/ssh.profile
 
 whitelist ${DOCUMENTS}
-whitelist ${HOME}/.gitconfig
-whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.config/git
+whitelist ${HOME}/.config/gnupg
 whitelist ${HOME}/.password-store
 
-private-bin git,git-receive-pack,git-shell,git-upload-archive,git-upload-pack,gpg
-private-etc ssl
-private-lib git-core,libcurl-gnutls.so.4,libexpat.so.1,ssl,x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1
+private-bin git,git-receive-pack,git-shell,git-upload-archive,git-upload-pack,gpg,pager
+private-etc ssl,alternatives,terminfo
+private-lib git-core,libcurl-gnutls.so.4,libexpat.so.1,ssl,x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1,terminfo
 
 whitelist /usr/share/git-core
 

diff --git a/mpd.profile b/mpd.profile
@@ -1,11 +1,11 @@
 include ${HOME}/.config/firejail/common.inc
 
 mkdir ${HOME}/mpd
-mkfile ${HOME}/.mpdconf
+mkfile ${HOME}/.config/mpd/mpd.conf
 
 whitelist ${MUSIC}
-whitelist ${HOME}/mpd
-whitelist ${HOME}/.mpdconf
+whitelist ${HOME}/.local/share/mpd
+whitelist ${HOME}/.config/mpd/
 whitelist ${HOME}/.config/pulse/
 whitelist ${HOME}/.pulse/
 read-only ${MUSIC}

diff --git a/mutt.profile b/mutt.profile
@@ -1,24 +1,20 @@
 ignore private-tmp
 ignore private-dev
-ignore net
+ignore net none
 
 include ${HOME}/.config/firejail/common.inc
 
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.muttrc
-mkdir ${HOME}/.mutt_cache
-mkdir ${HOME}/.signatures
-
-whitelist ${HOME}/.mutt
-whitelist ${HOME}/.muttrc
-whitelist ${HOME}/.mutt_certificates
-whitelist ${HOME}/.signatures
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/sent
-whitelist ${HOME}/.mutt_cache
+mkdir ${HOME}/.config/mutt
+mkdir ${HOME}/.config/mutt/muttrc
+mkdir ${HOME}/.config/mutt/mutt_cache
+mkdir ${HOME}/.config/mutt/signatures
+
+whitelist ${HOME}/.config/mutt
+whitelist ${HOME}/.config/mailcap
 whitelist ${HOME}/Mail
 whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.rolo
+whitelist ${HOME}/.config/gnupg
+whitelist ${HOME}/.config/rolo
 whitelist ${DOWNLOADS}
 
 whitelist /tmp/user/1000/emacs1000/
@@ -27,9 +23,10 @@ whitelist /tmp/user/1000/mutt1000/
 # Enhance security
 
 private-bin sh,dash,mutt,mutt_dotlock,bash,emacsclient,emacsclient.emacs25,elinks,gpg,gpg-agent,gpgsm,pinentry,dig,awk,pinentry-gtk-2,mutt_vc_query
-private-lib x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1,gconv,libapparmor.so.1,libtinfo.so.6,libtic.so.6,terminfo
+# private-lib x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1,gconv,libapparmor.so.1,libtinfo.so.6,libtic.so.6,terminfo
 
 whitelist /usr/share/locale
+whitelist /usr/share/zoneinfo
 
 whitelist /dev/stdout
 whitelist /dev/stdin
@@ -39,8 +36,8 @@ whitelist /dev/random
 whitelist /dev/null
 whitelist /dev/tty
 
-private-etc Muttrc.d,Muttrc,alternatives,resolv.conf,ssl,mime.types
+private-etc Muttrc.d,Muttrc,alternatives,resolv.conf,ssl,mime.types,localtime
 
-seccomp.keep open,access,prctl,fstat,mmap,write,read,close,munmap,chown,unshare,fcntl,execve,brk,mprotect,arch_prctl,getpid,getuid,getgid,geteuid,getegid,rt_sigprocmask,rt_sigaction,uname,stat,getppid,getpgrp,getrlimit,getpeername,set_tid_address,set_robust_list,futex,getrusage,umask,ioctl,socket,connect,lseek,getsid,pipe,clone,dup2,wait4,openat,rt_sigreturn,getdents,exit_group,faccessat,lstat,pread64,pwrite64,ftruncate,select,unlink,mkdir,link,rmdir,alarm,readlink,sendto,fdatasync,recvfrom,chmod,getcwd,setrlimit,utime,mlock,clock_gettime,setresgid,chdir,fsync,nanosleep,poll,sendmmsg,bind,getsockname,recvmsg,writev,mremap,rename,truncate,sched_yield,sysinfo,kill,sendmsg,setresuid,setsid,listen,pselect6,accept,getsockopt,tgkill,madvise,exit,statfs,getrandom,fchmod,fchown,gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait,inotify_init,inotify_add_watch,prlimit64,getresuid,getresgid,dup,eventfd2,munlock,fstatfs,fadvise64,shmget,shmat,shmctl,shmdt,symlink,restart_syscall,getdents64
+seccomp.keep open,access,prctl,fstat,mmap,write,read,close,munmap,chown,unshare,fcntl,execve,brk,mprotect,arch_prctl,getpid,getuid,getgid,geteuid,getegid,rt_sigprocmask,rt_sigaction,uname,stat,getppid,getpgrp,getrlimit,getpeername,set_tid_address,set_robust_list,futex,getrusage,umask,ioctl,socket,connect,lseek,getsid,pipe,clone,dup2,wait4,openat,rt_sigreturn,getdents,exit_group,faccessat,lstat,pread64,pwrite64,ftruncate,select,unlink,mkdir,link,rmdir,alarm,readlink,sendto,fdatasync,recvfrom,chmod,getcwd,setrlimit,utime,mlock,clock_gettime,setresgid,chdir,fsync,nanosleep,poll,sendmmsg,bind,getsockname,recvmsg,writev,mremap,rename,truncate,sched_yield,sysinfo,kill,sendmsg,setresuid,setsid,listen,pselect6,accept,getsockopt,tgkill,madvise,exit,statfs,getrandom,fchmod,fchown,gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait,inotify_init,inotify_add_watch,prlimit64,getresuid,getresgid,dup,eventfd2,munlock,fstatfs,fadvise64,shmget,shmat,shmctl,shmdt,symlink,restart_syscall,getdents64,pipe2,readlinkat,timerfd_create
 
 writable-run-user
diff --git a/newsboat.profile b/newsboat.profile
@@ -3,7 +3,8 @@ ignore private-tmp
 
 include ${HOME}/.config/firejail/common.inc
 
-whitelist ${HOME}/.newsboat
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsboat
 
 whitelist /tmp/user/1000/
 whitelist /tmp/.X11-unix/X0

diff --git a/private-profile.sh b/private-profile.sh
@@ -1,18 +1,37 @@
 #!/bin/bash
 
 private=0
+privlib=0
+use_systemd=0
 name=""
 copy=0
 netns=""
 rmprof=0
+to_copy=()
+evvars=()
 
-set -ue
+exitm()
+{
+ echo "$1"
+ rmprof
+ exit 1
+}
+
+rmprof()
+{
+ if [[ "$rmprof" -eq 1 && -n "${profile+x}" ]]
+ then
+ rm -r "${profile}"
+ fi
+}
+
+set -e
 
 while getopts "p:tcn:" arg
 do
  case ${arg} in
  p)
- profile=${OPTARG}
+ profile="${OPTARG}"
  name=$(basename "$profile")
  ;;
  t)
@@ -22,7 +41,7 @@ do
  copy=1
  ;;
  n)
- netns=${OPTARG}
+ netns="${OPTARG}"
  ;;
  *)
  exit 1
@@ -37,6 +56,11 @@ varfile="$1"
 
 shift
 
+if [[ -z "${progname:+x}" || -z "${profiledir:+x}" ]]
+then
+ exitm '$progname and $profiledir must be specified and cannot be empty strings!'
+fi
+
 vpncmd()
 {
  systemctl -q is-active openvpn@us3-TCP-chaanakya && netns="" || netns="$netns"
@@ -49,6 +73,10 @@ fjargs=( "--nowhitelist=${profiledir}" )
 
 if [ "$privlib" -eq 1 ]
 then
+ if [[ -z "${genlib+x}" || -z "${libdir+x}" ]]
+ then
+ exitm '$genlib and $libdir must all be set for $privlib!'
+ fi
  . "$genlib"
  libs=$(compile_list "${libdir}" "${extralibs}")
  fjargs+=( "--private-lib=$libs" )
@@ -58,6 +86,10 @@ fi
 
 if [ "$private" -eq 1 ]
 then
+ if [[ -z "${destdir+x}" ]]
+ then
+ exitm '$destdir must be specified (even if it is an empty string)!'
+ fi
  nprofile=$(mktemp -d -p "${profiledir}")
  name=$(basename "$nprofile")
  if [ "${destdir}" != "" ]
@@ -67,6 +99,10 @@ then
  rmprof=1
  if [ "$copy" -eq 1 ]
  then
+ if [[ -z "${profile+x}" ]]
+ then
+ exitm 'A profile must be specified on the command-line if copying is enabled!'
+ fi
  for i in "${tocopy[@]}"
  do
  cp -R "${profile}"/"${i}" "${nprofile}"/"${destdir}"/"${i}"
@@ -75,6 +111,11 @@ then
  profile="$nprofile"
 fi
 
+if [[ -z "${profile+x}" ]]
+then
+ exitm 'Either $profile must be specified on the command-line or a temporary profile must be requested!'
+fi
+
 sprogname=$(basename "${progname}")
 
 fjargs+=( "--whitelist=${profile}" "--name=${sprogname}-${name}" )
@@ -91,6 +132,11 @@ do
  fjargs+=( "--env=${i}" )
 done
 
+if [[ -z "${progargs+x}" || -z "${rprogargs+x}" ]]
+then
+ exitm '$progargs and $rprogargs must be specified (even if as empty arrays)!'
+fi
+
 cmd="${firejail} ${fjargs[*]} -- ${progname} $(eval echo "${progargs[@]}")"
 rcmd="${progname} $(eval echo "${rprogargs[@]}")"
 
@@ -115,7 +161,4 @@ fi
 
 # Remove profile if asked
 
-if [ "$rmprof" -eq 1 ]
-then
- rm -r "${profile}"
-fi
+rmprof
diff --git a/private-profiles/firefox.private b/private-profiles/firefox.private
@@ -1,9 +1,9 @@
 libdir=/usr/lib/firefox
 extralibs="nss,pulseaudio,nvidia,python3.6,gconv,libpulse.so.0,libFLAC.so.8,libogg.so.0,libopus.so.0,libvorbis.so.0,libvorbisenc.so.2,libavcodec.so.57,libavutil.so.55,libcrystalhd.so.3,libdrm.so.2,libGL.so.1,libnss_resolve.so.2,libnss_systemd.so.2"
-genlib=~/scripts/gen_libraries
+genlib=~/bin/gen_libraries
 privlib=1
 use_systemd=1
-profiledir=~/.mozilla/firefox/
+profiledir=~/.config/mozilla/firefox/
 tocopy=( extensions browser-extension-data extension-preferences.json extension-settings.json extensions.json prefs.js gmp gmp-widevinecdm gmp-gmpopenh264 search.json.mozlz4 pluginreg.dat )
 destdir=""
 progname="firefox"

diff --git a/ssh.profile b/ssh.profile
@@ -3,7 +3,7 @@ ignore net none
 include ${HOME}/.config/firejail/common.inc
 
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.ssh
+whitelist ${HOME}/.local/share/ssh
 
 writable-run-user
 join-or-start ssh
@@ -13,5 +13,3 @@ private-etc ssh,resolv.conf,nsswitch.conf,hosts,passwd
 private-lib openssh
 
 blacklist /usr/share/
-
-quiet
diff --git a/virtualbox.profile b/virtualbox.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/VirtualBox
 mkfile ${HOME}/.config/Trolltech.conf
 
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/VirtualBox_VMs
+whitelist ${HOME}/.local/share/vms/vbox
 whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine

diff --git a/x-terminal-emulator.profile b/x-terminal-emulator.profile
@@ -1,11 +1,12 @@
 ignore nodbus
 ignore private-tmp
-ignore private-dev
-ignore nou2f
 ignore memory-deny-write-execute
 ignore noexec ${HOME}
 
 include ${HOME}/.config/firejail/common.inc
 
 whitelist /tmp/user/1000
 whitelist /tmp/.X11-unix/
+
+writable-run-user
+keep-dev-shm