I guess the first set of things would be:
- read-write access[1] to everything under $HOME - NO access to $HOME of other user accounts
- read-only access to / (root partition) and most subdirs - are there any that should deserve special “protection”, and so be explicitly hidden? For example, somewhere where per-user secrets (like WLAN passwords) are stored?
- probably no access to any of the other mounts, i.e. all the Android apex/vendor/… stuff
- NO access to /sys/kernel, especially not /sys/kernel/debug (accessing files there is known to sometimes cause a device hang, or even crash).
- Probably no access to other special locations, like /proc and /dev
Simple enough for a start. I know that’s basically “unjailed” plus some things.
Luckily, upstream Firejail has profiles which can serve as a template:
- firejail/etc/profile-a-l/file-manager-common.profile at master · netblue30/firejail · GitHub
- firejail/etc/profile-a-l/dolphin.profile at master · netblue30/firejail · GitHub
- firejail/etc/profile-m-z/nautilus.profile at master · netblue30/firejail · GitHub
[1] as permitted by regular user permissions
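The wish list above, written out as a Firejail profile (an added example, not code from the post or from the upstream netblue30/firejail repository). It assumes a binary named example-filemanager, that /apex and /vendor are the mount points of the Android support, and that the profile is dropped into ~/.config/firejail/; the "read-only /" wish is left to normal DAC permissions, which already keep the root partition non-writable for a regular user (see footnote [1]).

```conf
# example-filemanager.profile (constructed example; names below are assumptions)
include example-filemanager.local
include globals.local

# noblacklist must come before the blacklists it exempts: keep the whole
# $HOME visible even though disable-common.inc hides ~/.ssh, ~/.gnupg etc.
noblacklist ${HOME}

# Upstream baseline, same as the file-manager/dolphin/nautilus templates:
# hides /sys/kernel/debug, /sys/firmware, /boot, root's home and more.
include disable-common.inc
include disable-devel.inc
include disable-programs.inc

# $HOME read-write; other users' homes hidden (the glob expands to every
# /home/<user>, and the noblacklist above exempts only our own one).
read-write ${HOME}
blacklist /home/*
blacklist /root

# Android support mounts (assumed paths) and the kernel trees that can
# hang the device when touched.
blacklist /apex
blacklist /vendor
blacklist /sys/kernel
blacklist /sys/kernel/debug

# Minimal /dev instead of the real one; no /mnt, /media, /run/media.
private-dev
disable-mnt

# Standard hardening the upstream templates also apply.
caps.drop all
nonewprivs
noroot
seccomp
```

Check the result from inside the sandbox with `firejail --profile=example-filemanager.profile ls /sys/kernel /home` (both should fail or show only your own home) before trusting it with the real app.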