
Firejail configuration

rene-descartes2021 edited this page Sep 13, 2021 · 3 revisions

Firejail configuration (security sandboxing)

Introduction

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications.

At present, firecfg, the desktop integration utility for Firejail, does not integrate Vim by default, even though Firejail ships a Vim profile. Firejail must therefore be enabled for Vim explicitly, by placing a symbolic link to the firejail binary named vim in a directory that precedes /usr/bin in PATH, either /usr/local/bin (systemwide) or ~/bin (per user). When started through such a link, firejail runs the program the link is named after inside the sandbox:

# Systemwide
$ ln -s /usr/bin/firejail /usr/local/bin/vim
$ ln -s /usr/bin/firejail /usr/local/bin/vim.gtk3
# Or Per user
$ ln -s /usr/bin/firejail ~/bin/vim
$ ln -s /usr/bin/firejail ~/bin/vim.gtk3
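The links above only take effect if the linked vim is the first one found on PATH. The following added check, not part of the space-vim wiki, walks PATH in order and reports whether the first executable named vim resolves to the firejail binary; it assumes GNU readlink -f and the default binary location /usr/bin/firejail.

```shell
#!/usr/bin/env bash
# Added check (not from the space-vim wiki): confirm that the first `vim` on
# PATH is a symlink to firejail, i.e. that Vim will really start sandboxed.
# Arguments: name to check (default vim), PATH to search (default $PATH),
# firejail binary (default /usr/bin/firejail).
check_sandboxed() {
    local name="${1:-vim}" search_path="${2:-$PATH}" firejail="${3:-/usr/bin/firejail}"
    local dir candidate target expected
    # Resolve the firejail binary too, in case it is itself a symlink
    expected=$(readlink -f -- "$firejail")
    local IFS=':'
    for dir in $search_path; do
        candidate="$dir/$name"
        [ -x "$candidate" ] || continue
        # Only the first match matters: that is what the shell will execute
        target=$(readlink -f -- "$candidate")
        if [ "$target" = "$expected" ]; then
            echo "OK: $candidate -> $expected"
            return 0
        fi
        echo "WARNING: $candidate is first on PATH and is not firejail (resolves to $target)"
        return 1
    done
    echo "WARNING: no executable named $name found on PATH"
    return 2
}
```

Run it after creating the links; a warning means either the link is missing or ~/bin (or /usr/local/bin) comes after /usr/bin in PATH.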

Compatibility between default Vim profile and space-vim

The Firejail file /etc/firejail/disable-common.inc, which /etc/firejail/vim.profile includes, contains the following:

# Initialization files that allow arbitrary command execution
[...]
read-only ${HOME}/.vim
read-only ${HOME}/.viminfo
read-only ${HOME}/.vimrc

To let Vim function with the space-vim additions, do some combination of the following:

  1. Stop Vim from writing to those files and folders by editing the Vim configuration file vimrc.local.
  2. Use some combination of ignore read-only and read-write in the Firejail Vim configuration file vim.local.

Vim configuration

In systemwide vimrc.local or user vimrc (/etc/vim/vimrc.local or ~/.spacevim):

"Disable vim from writing to .viminfo
set viminfo=

Firejail configuration

In systemwide or user vim.local (/etc/firejail/vim.local or ~/.config/firejail/vim.local):

# This is a minimal set of directories space-vim needs write access to for operation and must be set in this order.
# info.vim and tags cache folders, and plugin downloads folder (assuming space-vim install is to ~/.vim):
read-only ${HOME}/.vim
read-write ${HOME}/.vim/core/autoload/spacevim
read-write ${HOME}/.vim/core/doc
read-write ${HOME}/.vim/plugged
ignore read-only ${HOME}/.vim

# Alternatively to the minimalist configuration above, you may set the entire ~/.vim folder to read-write:
read-write ${HOME}/.vim
ignore read-only ${HOME}/.vim

# Disallow edits to ${HOME} according to your security preferences:
read-only ${HOME}/Documents
read-only ${HOME}/Downloads
read-only ${HOME}/.config

# Normally Firejail will disallow write access to much of ${HOME}.
# You may explicitly allow edits where you do your development:
read-write ${HOME}/dev

Editing of files read-only by the sandbox

Finally, if you wish to use Vim to edit files that are blocked by the sandbox, I suggest a script named ~/bin/vim-unsandboxed that starts Vim outside Firejail with only the systemwide vimrc (so neither space-vim nor any plugin with possible security vulnerabilities is loaded):

#!/usr/bin/env bash
# Start the system Vim directly, outside Firejail, using only the systemwide vimrc
exec /usr/bin/vim -u /etc/vim/vimrc "$@"

Alternatively, the following may also work, though it may need some tuning:

#!/usr/bin/env bash
# Keep the stock Vim profile but make ${HOME} writable; "$@" is quoted so file names with spaces survive
exec firejail --profile=/etc/firejail/vim.profile --read-write "${HOME}" vim -u /etc/vim/vimrc "$@"

Do not run sudo vim

Do not run sudo vim; run sudoedit instead. sudoedit is the better and more secure way of editing files that require sudo: it copies the file to a temporary location, runs the editor as your own user (so Vim and its plugins never run as root), and copies the result back. See man sudoedit.

Firejail and Neovim

Firejail at present does not include a profile for Neovim. However, one could be made using vim.profile as a starting point.