From 4b769e3a6addf7e2dfaf0f2480a78ebec5746f26 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Mon, 2 Mar 2020 13:44:06 +0100
Subject: Try Firefox in a managed directory again
---
.config/firefox/chrome/userChrome.css | 18 +++++++++++
.config/firefox/user.js | 29 ++++++++++++++++++
.local/bin/firefox | 46 ++++++++++++++++++++++++++++
.local/etc/firejail/firefox.profile | 19 ++++++++++++
README.md | 56 ++---------------------------------
5 files changed, 115 insertions(+), 53 deletions(-)
create mode 100644 .config/firefox/chrome/userChrome.css
create mode 100644 .config/firefox/user.js
create mode 100755 .local/bin/firefox
create mode 100644 .local/etc/firejail/firefox.profile
diff --git a/.config/firefox/chrome/userChrome.css b/.config/firefox/chrome/userChrome.css
new file mode 100644
index 0000000..e2ab027
--- /dev/null
+++ b/.config/firefox/chrome/userChrome.css
@@ -0,0 +1,18 @@
+/* Hide default tab bar */
+#main-window[tabsintitlebar="true"]:not([extradragspace="true"]) #TabsToolbar > .toolbar-items {
+ opacity: 0;
+ pointer-events: none;
+}
+#main-window:not([tabsintitlebar="true"]) #TabsToolbar {
+ visibility: collapse !important;
+}
+
+/* Hide header of sidebar */
+#sidebar-header {
+ display: none;
+}
+
+/* Make unread tabs italic */
+tab-item.unread .label-content {
+ font-style: italic;
+}
diff --git a/.config/firefox/user.js b/.config/firefox/user.js
new file mode 100644
index 0000000..1da44b4
--- /dev/null
+++ b/.config/firefox/user.js
@@ -0,0 +1,29 @@
+// Settings changed after going through properties
+user_pref("app.shield.optoutstudies.enabled", false);
+user_pref("browser.ctrlTab.recentlyUsedOrder", false);
+user_pref("browser.download.dir", "/home/tyil/downloads/firefox");
+user_pref("browser.download.folderList", 2);
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
+user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false);
+user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
+user_pref("browser.newtabpage.activity-stream.feeds.topsites", false);
+user_pref("browser.newtabpage.activity-stream.showSearch", false);
+user_pref("browser.newtabpage.enabled", false);
+user_pref("browser.search.hiddenOneOffs", "Google,Bing,Amazon.com,eBay,Twitter");
+user_pref("browser.search.suggest.enabled", false);
+user_pref("browser.startup.homepage", "https://searx.tyil.nl");
+user_pref("browser.startup.page", 3);
+user_pref("browser.urlbar.placeholderName", "DuckDuckGo");
+user_pref("general.smoothScroll", false);
+user_pref("privacy.donottrackheader.enabled", true);
+
+// Make Firefox load userChrome.css again...
+user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
+
+// Disable whatever trash Firefox devs are pushing these days
+user_pref("extensions.pocket.enabled", false);
+user_pref("media.videocontrols.picture-in-picture.enabled", false);
+user_pref("media.videocontrols.picture-in-picture.video-toggle.enabled", false);
+user_pref("network.trr.mode", 5); // DoH
+user_pref("pdfjs.disabled", true);
diff --git a/.local/bin/firefox b/.local/bin/firefox
new file mode 100755
index 0000000..22d7a79
--- /dev/null
+++ b/.local/bin/firefox
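Review bot: The `// DoH` comment on the `network.trr.mode` line does not say which way the setting goes: value 5 means DNS-over-HTTPS is switched off by explicit choice, so name lookups go through the system resolver. I would spell that out, `user_pref("network.trr.mode", 5); // 5 = DoH explicitly off, use the system resolver`. `pdfjs.disabled` set to true also deserves a short comment on intent, because PDFs are then saved or passed to an external handler instead of the in-browser viewer. The absolute path in `browser.download.dir` has to stay in step with the `~/downloads/firefox` whitelist entry in the firejail profile added by this commit; a comment next to it saying so would prevent the two drifting apart.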
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# This program is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option) any
+# later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+
+readonly BINS="
+ /usr/bin/firefox
+ /usr/bin/firefox-bin
+"
+
+main()
+{
+ require_exe "firejail"
+
+ for bin in $BINS
+ do
+ [ -x "$bin" ] || continue
+
+ exec firejail --profile="$HOME/.local/etc/firejail/firefox.profile" -- "$bin" "$@"
+ done
+
+ printf "No underlying executable found for %s:\n" "${0##*/}" >&2
+
+ for bin in $BINS
+ do
+ printf "\t%s\n" "$bin" >&2
+ done
+}
+
+require_exe()
+{
+ if ! which "$1" 2>&1 > /dev/null
+ then
+ printf "Missing required executable %s\n" "$1"
+ exit 3
+ fi
+}
+
+main "$@"
diff --git a/.local/etc/firejail/firefox.profile b/.local/etc/firejail/firefox.profile
new file mode 100644
index 0000000..3fcb6d9
--- /dev/null
+++ b/.local/etc/firejail/firefox.profile
@@ -0,0 +1,19 @@
+# Limited access to homedir contents
+whitelist ~/.config/firefox
+whitelist ~/.config/gtk-3.0
+whitelist ~/.mozilla/firefox
+whitelist ~/documents
+whitelist ~/downloads/firefox
+whitelist ~/pictures
+
+read-only ~/.config/gtk-3.0
+read-only ~/documents
+read-only ~/pictures
+
+# Use private system resources
+private-tmp
+
+# Remove executable bits
+noexec /tmp
+
+caps.drop all
diff --git a/README.md b/README.md
index 0bc5894..61883cb 100644
--- a/README.md
+++ b/README.md
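Review bot: `main` returns after listing the candidate binaries without setting a failure status, so the script exits 0 when no browser was started and a caller cannot tell the launch failed; add `exit 1` after the second loop. In `require_exe` the redirections are in the wrong order: `2>&1 > /dev/null` points stderr at the original stdout before stdout is discarded, so diagnostics from `which` still get through. `if ! command -v "$1" > /dev/null 2>&1` fixes that and drops the dependency on the non-POSIX `which`. The "Missing required executable" message should also go to stderr like the other diagnostics, `printf "Missing required executable %s\n" "$1" >&2`.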
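Review bot: The profile drops capabilities but sets neither `seccomp` nor `nonewprivs`, and it has no `include` line. Because the wrapper passes it with `--profile=`, this file is, as far as I can tell, used in place of firejail's stock Firefox profile, so none of that profile's hardening applies. I would add `seccomp` and `nonewprivs` next to `caps.drop all`. `noexec /tmp` covers only the private tmp, while the download directory where site-supplied files land stays executable, so `noexec ~/downloads/firefox` belongs under "Remove executable bits" as well. `~/.mozilla/firefox` is still whitelisted read-write although the commit moves the profile to `~/.config/firefox`; if nothing needs it any more, dropping that line narrows what a compromised browser process can reach.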
@@ -47,59 +47,9 @@ rest are even worse. ### Firefox (nightly) -The Firefox configuration files live in a random directory in -`$HOME/.mozilla/firefox`. - -#### `user.js` - -```js -// Settings changed after going through properties -user_pref("app.shield.optoutstudies.enabled", false); -user_pref("browser.ctrlTab.recentlyUsedOrder", false); -user_pref("browser.download.dir", "/home/tyil/downloads/firefox"); -user_pref("browser.download.folderList", 2); -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); -user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false); -user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); -user_pref("browser.newtabpage.activity-stream.feeds.topsites", false); -user_pref("browser.newtabpage.activity-stream.showSearch", false); -user_pref("browser.newtabpage.enabled", false); -user_pref("browser.search.hiddenOneOffs", "Google,Bing,Amazon.com,eBay,Twitter"); -user_pref("browser.search.suggest.enabled", false); -user_pref("browser.startup.homepage", "https://searx.tyil.nl"); -user_pref("browser.startup.page", 3); -user_pref("browser.urlbar.placeholderName", "DuckDuckGo"); -user_pref("general.smoothScroll", false); -user_pref("privacy.donottrackheader.enabled", true); -user_pref("network.trr.mode", 5); - -// Make Firefox load userChrome.css again... 
-user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); -``` - -#### `chrome/userChrome.css` - -```css -/* Hide default tab bar */ -#main-window[tabsintitlebar="true"]:not([extradragspace="true"]) #TabsToolbar > .toolbar-items { - opacity: 0; - pointer-events: none; -} -#main-window:not([tabsintitlebar="true"]) #TabsToolbar { - visibility: collapse !important; -} - -/* Hide header of sidebar */ -#sidebar-header { - display: none; -} - -/* Make unread tabs italic */ -tab-item.unread .label-content { - font-style: italic; -} -``` +Start Firefox with `-p` first, create a new profile and set the directory to +`~/.config/firefox`. This *should* be enough for the configuration files, +however, addons still need to be managed by hand. #### Addons -- cgit v1.1