authorPatrick Spek <p.spek@tyil.nl>2020-03-02 13:44:06 +0100
committerPatrick Spek <p.spek@tyil.nl>2021-08-14 11:59:31 +0200
commit4b769e3a6addf7e2dfaf0f2480a78ebec5746f26 (patch)
treea3a0d20969b114cf56fabaefb7f7f2420e376642 /.local
parent7ccb879fb2f03be90b1e63f07e9d84a4daf8cb59 (diff)
Try Firefox in a managed directory again
Diffstat (limited to '.local')
-rwxr-xr-x.local/bin/firefox46
-rw-r--r--.local/etc/firejail/firefox.profile19
2 files changed, 65 insertions, 0 deletions
diff --git a/.local/bin/firefox b/.local/bin/firefox
new file mode 100755
index 0000000..22d7a79
--- /dev/null
+++ b/.local/bin/firefox
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# This program is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option) any
+# later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+
+readonly BINS="
+ /usr/bin/firefox
+ /usr/bin/firefox-bin
+"
+
+main()
+{
+ require_exe "firejail"
+
+ for bin in $BINS
+ do
+ [ -x "$bin" ] || continue
+
+ exec firejail --profile="$HOME/.local/etc/firejail/firefox.profile" -- "$bin" "$@"
+ done
+
+ printf "No underlying executable found for %s:\n" "${0##*/}" >&2
+
+ for bin in $BINS
+ do
+ printf "\t%s\n" "$bin" >&2
+ done
+}
+
+require_exe()
+{
+ if ! which "$1" 2>&1 > /dev/null
+ then
+ printf "Missing required executable %s\n" "$1"
+ exit 3
+ fi
+}
+
+main "$@"
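Review bot: When none of the paths in `BINS` is executable, `main` prints the list of candidates and then returns the status of the last `printf`, so the wrapper exits 0 although no browser was started; add `exit 1` after the second loop. In `require_exe`, `which "$1" 2>&1 > /dev/null` applies the redirections in the wrong order and leaves stderr on the terminal; `command -v "$1" > /dev/null 2>&1` silences both streams and avoids the non-POSIX `which` under `#!/bin/sh`. The "Missing required executable" message is written to stdout, while the messages in `main` go to stderr; append `>&2` so callers that capture stdout still see the failure. Exiting before any launch when firejail is missing is the right fail-closed behaviour for a sandbox wrapper, and a one-line comment on `require_exe "firejail"` saying so would keep a later edit from adding an unsandboxed fallback.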
diff --git a/.local/etc/firejail/firefox.profile b/.local/etc/firejail/firefox.profile
new file mode 100644
index 0000000..3fcb6d9
--- /dev/null
+++ b/.local/etc/firejail/firefox.profile
@@ -0,0 +1,19 @@
+# Limited access to homedir contents
+whitelist ~/.config/firefox
+whitelist ~/.config/gtk-3.0
+whitelist ~/.mozilla/firefox
+whitelist ~/documents
+whitelist ~/downloads/firefox
+whitelist ~/pictures
+
+read-only ~/.config/gtk-3.0
+read-only ~/documents
+read-only ~/pictures
+
+# Use private system resources
+private-tmp
+
+# Remove executable bits
+noexec /tmp
+
+caps.drop all
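Review bot: `caps.drop all` is the only privilege restriction in this profile, and a file passed with `--profile=` is loaded in place of firejail's shipped Firefox profile, so the syscall filter and privilege-escalation guards that profile normally brings are presumably not applied here. Consider adding `seccomp`, `nonewprivs` and `noroot` next to `caps.drop all`. The "Remove executable bits" section covers only `/tmp`, while the browser-writable whitelisted directories (`~/downloads/firefox`, `~/.mozilla/firefox`, `~/.config/firefox`) remain executable, so a downloaded file can still be run from inside the sandbox; `noexec ${HOME}` would cover them.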