Firejail configuration
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications.
At present, firecfg, the desktop integration utility for Firejail, does not by default integrate Vim, yet Firejail includes a Vim profile. Thus Firejail must be explicitly enabled for Vim, either by a manual symbolic link in `/usr/local/bin` or in `~/bin`:

```console
# Systemwide
$ ln -s /usr/bin/firejail /usr/local/bin/vim
$ ln -s /usr/bin/firejail /usr/local/bin/vim.gtk3
# Or per user
$ ln -s /usr/bin/firejail ~/bin/vim
$ ln -s /usr/bin/firejail ~/bin/vim.gtk3
```
The Firejail configuration in `/etc/firejail/disable-common.inc`, included by `/etc/firejail/vim.profile`, includes the following:

```
# Initialization files that allow arbitrary command execution
[...]
read-only ${HOME}/.vim
read-only ${HOME}/.viminfo
read-only ${HOME}/.vimrc
```
We must do a few things to allow Vim to function with the space-vim additions; use some combination of:

- Disable Vim from writing to those files/folders by editing the Vim configuration file `vimrc.local`.
- Use some combination of `ignore read-only` and `read-write` in the Firejail Vim configuration file `vim.local`.
In the systemwide `vimrc.local` or the user `vimrc` (`/etc/vim/vimrc.local` or `~/.spacevim`):

```vim
" Disable vim from writing to .viminfo
set viminfo=
```
In the systemwide or user `vim.local` (`/etc/firejail/vim.local` or `~/.config/firejail/vim.local`):

```
# This is a minimal set of directories space-vim needs write access to for operation and must be set in this order.
# info.vim and tags cache folders, and plugin downloads folder (assuming space-vim install is to ~/.vim):
read-only ${HOME}/.vim
read-write ${HOME}/.vim/core/autoload/spacevim
read-write ${HOME}/.vim/core/doc
read-write ${HOME}/.vim/plugged
ignore read-only ${HOME}/.vim
# Alternatively to the minimalist configuration above, you may set the entire ~/.vim folder to read-write:
read-write ${HOME}/.vim
ignore read-only ${HOME}/.vim
# Disallow edits to ${HOME} according to your security preferences:
read-only ${HOME}/Documents
read-only ${HOME}/Downloads
read-only ${HOME}/.config
# Normally Firejail will disallow write access to much of ${HOME}.
# You may allow edits explicitly to where you do your development:
read-write ${HOME}/dev
```
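Why the block above "must be set in this order" is easier to see by simulating how Firejail walks the profile. The following is an added example written for this page, not Firejail's or space-vim's code. It models two behaviours as labelled assumptions: `ignore` suppresses only the profile lines that come after it (`vim.local` is read before `disable-common.inc`, so an `ignore` there hides the later `read-only ${HOME}/.vim`), matching lines by prefix the way `ignore private-bin` is commonly described to drop every `private-bin` line; and when several rules cover a path, the most specific (longest) matching path wins. `HOME`, the probe paths and the `VIM_LOCAL_*` variants are constructed sample input.

```python
"""Model Firejail's handling of read-only / read-write / ignore lines.

Added example, not Firejail's own code. Assumptions (see lead-in):
  1. `ignore X` hides only profile lines AFTER it that start with X.
  2. The longest matching read-only/read-write path decides access.
"""

HOME = "/home/user"  # constructed sample value for ${HOME}

# Lines Firejail pulls in from disable-common.inc (quoted on the page).
DISABLE_COMMON = [
    "read-only ${HOME}/.vim",
    "read-only ${HOME}/.viminfo",
    "read-only ${HOME}/.vimrc",
]

# The minimal vim.local from the page, in the order the page requires.
VIM_LOCAL_GOOD = [
    "read-only ${HOME}/.vim",
    "read-write ${HOME}/.vim/core/autoload/spacevim",
    "read-write ${HOME}/.vim/core/doc",
    "read-write ${HOME}/.vim/plugged",
    "ignore read-only ${HOME}/.vim",
]

# The same lines with the ignore moved to the top: a plausible mistake.
VIM_LOCAL_BAD = [VIM_LOCAL_GOOD[-1]] + VIM_LOCAL_GOOD[:-1]

# Variant that re-protects .viminfo/.vimrc BEFORE the ignore line, since the
# ignore (assumption 1) would otherwise hide the disable-common.inc copies.
VIM_LOCAL_STRICT = [
    "read-only ${HOME}/.viminfo",
    "read-only ${HOME}/.vimrc",
] + VIM_LOCAL_GOOD

PROBE_PATHS = [
    "${HOME}/.vim/plugged/some-plugin",
    "${HOME}/.vim/core/autoload/spacevim/info.vim",
    "${HOME}/.vim/core/packages.vim",
    "${HOME}/.viminfo",
]


def expand(path):
    """Expand ${HOME} the way Firejail does before mounting."""
    return path.replace("${HOME}", HOME)


def effective_rules(local_lines, included_lines):
    """Walk vim.local, then the included file, returning surviving rules."""
    ignored = []
    rules = []
    for line in local_lines + included_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):].strip())
            continue
        if any(line.startswith(prefix) for prefix in ignored):
            continue  # assumption 1: prefix match on later lines only
        mode, _, path = line.partition(" ")
        if mode in ("read-only", "read-write"):
            rules.append((mode, expand(path.strip())))
    return rules


def access(path, rules):
    """Return 'read-only', 'read-write' or 'default' (no rule covers path)."""
    path = expand(path)
    best = None
    for mode, rule_path in rules:
        inside = path == rule_path or path.startswith(rule_path.rstrip("/") + "/")
        # assumption 2: longest path wins; a later rule of equal length overrides
        if inside and (best is None or len(rule_path) >= len(best[1])):
            best = (mode, rule_path)
    return best[0] if best else "default"


def check(local_lines, probes=None):
    """Map each probe path to its modelled access under the given vim.local."""
    rules = effective_rules(local_lines, DISABLE_COMMON)
    return {p: access(p, rules) for p in (probes or PROBE_PATHS)}


if __name__ == "__main__":
    for name, local in (("page order", VIM_LOCAL_GOOD),
                        ("ignore first", VIM_LOCAL_BAD),
                        ("strict", VIM_LOCAL_STRICT)):
        print(name)
        for path, mode in check(local).items():
            print(f"  {mode:10s} {path}")
```

With the page's ordering, `~/.vim/core/packages.vim` stays read-only while the three listed subfolders are writable; with the `ignore` moved first, the local `read-only ${HOME}/.vim` is hidden too and the rest of `~/.vim` falls back to Firejail's default (writable). Under the prefix-matching assumption the `ignore` also hides the `.viminfo` and `.vimrc` lines from `disable-common.inc`, which is why the strict variant repeats them ahead of the `ignore`; confirm this on your Firejail version by trying a write inside the sandbox before relying on it.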
Finally, if you wish to use Vim to edit files that are blocked by the sandbox, I suggest a script named `~/bin/vim-unsandboxed` which loads Vim outside of Firejail using the systemwide vimrc configuration (not space-vim or any plugins with possible security vulnerabilities):

```sh
#!/usr/bin/env bash
# Quote "$@" so filenames containing spaces are passed through intact.
/usr/bin/vim -u /etc/vim/vimrc "$@"
```

Or this may work also but may need some tuning:

```sh
#!/usr/bin/env bash
# Firejail takes --read-write=dir; the path is quoted for the same reason as "$@".
firejail --profile=/etc/firejail/vim.profile --read-write="${HOME}" vim -u /etc/vim/vimrc "$@"
```
Do not run `sudo vim`; instead run `sudoedit`. sudoedit is the better/more secure way of editing files which require sudo, see `man sudoedit`.

Firejail at present does not include a profile for Neovim. However, one could be made using `vim.profile` as a starting point.