-# Chromium browser profile
-noblacklist ~/.config/chromium
-noblacklist ~/.cache/chromium
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-#
-
-netfilter
-
-whitelist ${DOWNLOADS}
-mkdir ~/.config/chromium
-whitelist ~/.config/chromium
-mkdir ~/.cache/chromium
-whitelist ~/.cache/chromium
-mkdir ~/.config/chromium-profiles
-whitelist ~/.config/chromium-profiles
-mkdir ~/.pki
-whitelist ~/.pki
-
-# lastpass, keepassx
-whitelist ~/.keepassx
-whitelist ~/.config/keepassx
-whitelist ~/keepassx.kdbx
-whitelist ~/.lastpass
-whitelist ~/.config/lastpass
-
-# specific to Arch
-whitelist ~/.config/chromium-flags.conf
-
-include /etc/firejail/whitelist-common.inc
+include /etc/firejail/chromium.profile
+quiet
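Review bot: `quiet` on the last added line comes after the `include`, whereas the firejail-profile documentation asks for `quiet` to be the first uncommented command in the file; the ranger profile in this same change already places it first. Put `quiet` above `include /etc/firejail/chromium.profile`. With every local rule removed, the sandbox policy is now whatever the system profile provides, so a header comment such as `# local override: defer to the system chromium profile` would make that dependency explicit.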
-# mutt email client profile
+# mutt profile
+blacklist /tmp/.X11-unix
-noblacklist ~/.muttrc
-noblacklist ~/.mutt
-noblacklist ~/.mutt/muttrc
-noblacklist ~/.mailcap
-noblacklist ~/.gnupg
-noblacklist ~/.mail
-noblacklist ~/.Mail
-noblacklist ~/mail
-noblacklist ~/Mail
-noblacklist ~/sent
-noblacklist ~/postponed
-noblacklist ~/.cache/mutt
-noblacklist ~/.w3m
-noblacklist ~/.elinks
-noblacklist ~/.vim
-noblacklist ~/.vimrc
-noblacklist ~/.viminfo
-noblacklist ~/.emacs
-noblacklist ~/.emacs.d
-noblacklist ~/.signature
-noblacklist ~/.bogofilter
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.Mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.elinks
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.msmtprc
+noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.muttrc
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.w3m
+noblacklist ${HOME}/Mail
+noblacklist ${HOME}/mail
+noblacklist ${HOME}/postponed
+noblacklist ${HOME}/sent
# custom
quiet
noblacklist ~/.msmtprc
noblacklist ~/.procmailrc
noblacklist ~/.fetchmailrc
+noblacklist /usr/bin/procmail
+noblacklist /usr/bin/fetchmail
noblacklist /usr/bin/perl
-#noblacklist /usr/bin/cpan*
+noblacklist /usr/bin/cpan*
noblacklist /usr/share/perl*
noblacklist /usr/lib/perl*
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
caps.drop all
netfilter
+no3d
+nodvd
nogroups
nonewprivs
noroot
nosound
+notv
+nou2f
+novideo
protocol unix,inet,inet6
seccomp
shell none
+writable-run-user
private-dev
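Review bot: Un-commenting `noblacklist /usr/bin/cpan*` makes the CPAN installer reachable inside a sandbox that keeps `protocol unix,inet,inet6`, so a helper launched from mutt could download and run Perl modules, and nothing in the hunk says why mutt needs it. Unless a helper depends on it, keep the line as it was, `#noblacklist /usr/bin/cpan*`, and leave only the `perl` entries that the new `include disable-interpreters.inc` makes necessary. `writable-run-user` also deserves a comment, since per the firejail man page it lifts the default blacklist on the gnupg and systemd directories under /run/user/$UID; presumably it is here for gpg-agent, e.g. `# gpg-agent socket lives under /run/user/$UID/gnupg`. The context line `noblacklist ~/.msmtprc` in the custom block now duplicates the added `noblacklist ${HOME}/.msmtprc` and can go.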
# ranger file manager profile
quiet
-noblacklist /usr/bin/perl
-#noblacklist /usr/bin/cpan*
-noblacklist /usr/share/perl*
-noblacklist /usr/lib/perl*
-noblacklist ${HOME}/.config/ranger
+
+# include the default profile
+include /etc/firejail/ranger.profile
+
+# allow write operations in non-default folders
+include whitelist-common.local
# from fbreader ebook reader profile
noblacklist ${HOME}/.FBReader
noblacklist ~/.config/zathura
noblacklist ~/.local/share/zathura
-# from gimp profile
+## from gimp profile
noblacklist ${HOME}/.gimp*
# from mpv profile
noblacklist ${HOME}/.config/mpv
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-net none
-nonewprivs
-noroot
-nogroups
-protocol unix
-seccomp
-
-# We need sound support to play media files
-#nosound
-
-private-tmp
-private-dev
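Review bot: The `noblacklist` entries for FBReader, zathura, gimp and mpv now sit below `include /etc/firejail/ranger.profile`, but firejail only honours a `noblacklist` that is read before the matching `blacklist`. If the system profile pulls in the disable-*.inc files (not visible here), these exceptions stop taking effect. Move both `include` lines below the last `noblacklist` entry, keeping `quiet` first. The explicit `net none`, `caps.drop all`, `seccomp`, `private-tmp` and `private-dev` removed here are now expected to come from the system profile, so it is worth confirming that it still sets them.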