Update profiles, tentatively introduce X11 jailing

chiraag-nataraj · Jul 30, 2017 · 89f9339 · 89f9339
1 parent bba47d3
commit 89f9339
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -3,6 +3,8 @@ Tight Firejail profiles
 
 This is a collection of tighter firejail (https://github.com/netblue30/firejail) profiles for certain applications. These may or may not work on your computer since some of them use seccomp filters, which may depend on architecture and OS. These were designed on Debian sid/experimental x86_64.
 
+I have tentatively started enabling X11 jailing on some of these profiles. Because `xpra` servers take so long to start up, I end up starting the xpra servers separately (at login) and assign different ones for different things. For example, `:470` is for all of the jailed terminal emulators and `:480` is for mutt (and anything it spawns). I also created a jail script that simply tells `xpra` to initialize the given display number and run the given command — it's simple but handy for `xpra` servers I only need for a given program. If you use different `xpra` display numbers or don't use X11 jailing at all, simply modify or comment the `env` command in `x-terminal-emulator.profile` and `mutt.profile`.
+
 List of currently-supported programs:
 * Ardour 5
 * Akregator

diff --git a/fetchmail.profile b/fetchmail.profile
@@ -1,6 +1,7 @@
 whitelist ${HOME}/scripts/fetchmail-real.sh
 # whitelist ${HOME}/.fetchmailrc.gpg
-# whitelist /tmp/fetchmailrc
+## Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc
+whitelist /tmp/fetchmailrc
 whitelist ${HOME}/Mail
 whitelist ${HOME}/.procmailrc.gmail
 whitelist ${HOME}/.procmailrc.brown
@@ -11,8 +12,12 @@ blacklist /mnt
 blacklist /opt
 
 noroot
+# private-bin fetchmail,procmail,bash,chmod
 private-dev
+# private-etc passwd,hosts,resolv.conf
 caps.drop all
 seccomp
 nogroups
-nosound
+nosound
+
+x11 none
diff --git a/gimp.profile b/gimp.profile
@@ -1,6 +1,7 @@
 whitelist ${HOME}/.gimp-2.8
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.themes
+whitelist ${HOME}/.fonts
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Pictures

diff --git a/jail b/jail
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+DISP="$1"
+COM="$2"
+
+xpra start $DISP --start-child="$COM" --exit-with-children=yes --attach=yes
diff --git a/mutt.profile b/mutt.profile
@@ -26,6 +26,8 @@ whitelist /tmp/user/1000/mutt1000/
 noexec ${HOME}
 noexec /tmp
 
+env DISPLAY=:480
+
 # Enhance security
 
 private-bin sh,dash,mutt,mutt_dotlock,bash,emacsclient,emacsclient.emacs25,elinks,gpg,gpg-agent,pinentry,dig,awk

diff --git a/x-terminal-emulator.profile b/x-terminal-emulator.profile
@@ -6,7 +6,9 @@ ipc-namespace
 noroot
 nogroups
 net none
+noexec /tmp
 whitelist /tmp/user/1000/
-whitelist /tmp/.X11-unix/
+whitelist /tmp/.X11-unix/X470
+whitelist /tmp/fcitx-socket-:0
 
-noexec /tmp
+env DISPLAY=:470