I'm wondering if anyone has successfully used firenvim with a sandboxed Firefox?
I ran firefox in- and outside of a firejail sandbox and lsof on the nvim process to get some clues about what to whitelist. With sandbox:
```
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nvim 3415 d9 cwd unknown /proc/3415/cwd (readlink: Permission denied)
...
```
and a few dozen more /proc/<PID>/ entries with the same permission denied error when using the sandbox. Without the sandbox, there would be entries including the libraries nvim is linked against, nvim's own binary, a couple dozen unix sockets, and a TCP socket (firenvim uses a WebSocket to do RPC with nvim). This isn't surprising, of course--I'm just not sure what to do about it.
I created ~/.config/firejail/firefox.local with this content:
and this allowed the extension itself to work. I suspect I would need to add `private-lib` and `private-bin` so the sandbox can access those, as well as some permissions for the TCP listener...
And before I go down that rabbit-hole, I figured I should see if my approach here is even a good one. That is, my idea here is to run the nvim instance inside the same sandbox as firefox by changing firenvim's shell script from `exec nvim` to `exec firejail --join=firefox nvim`. Should I be approaching this differently? Or am I just a couple more whitelists away from success?
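As an added illustration of the lsof-based allowlisting approach described in the post (this is example code, not from the issue, firenvim or firejail), the POSIX shell script below turns an lsof listing of the nvim process into candidate firejail profile lines: regular files under the library directories become `private-lib` entries, executables become `private-bin` entries, and anything else becomes a `whitelist` line, while listening TCP sockets are counted separately because they need network permissions that no whitelist grants. The lsof lines, PID, user name and paths are constructed for the example; the listing has to come from a run outside the sandbox, since, as the post shows, lsof from outside only sees `Permission denied` `/proc` entries for a sandboxed process.

```shell
#!/bin/sh
# Added example: derive candidate firejail profile lines from an lsof listing
# of the nvim process taken OUTSIDE the sandbox (inside it, lsof only shows
# the "Permission denied" /proc entries quoted in the issue).
# The listing below is constructed for this example; PID, user and paths are
# made up and not taken from the issue.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nvim 3415 d9 cwd DIR 254,1 4096 1234 /home/d9
nvim 3415 d9 txt REG 254,1 123456 5678 /usr/bin/nvim
nvim 3415 d9 mem REG 254,1 234567 9012 /usr/lib/libluv.so.1
nvim 3415 d9 mem REG 254,1 345678 3456 /usr/lib/libc.so.6
nvim 3415 d9 4r REG 254,1 1024 2222 /home/d9/.config/nvim/init.vim
nvim 3415 d9 0u CHR 136,3 0t0 6 /dev/pts/3
nvim 3415 d9 5u unix 0x0000 0t0 77777 /run/user/1000/nvim.3415.0
nvim 3415 d9 9u IPv4 88888 0t0 TCP 127.0.0.1:38451 (LISTEN)
nvim 3415 d9 cwd unknown /proc/3415/cwd (readlink: Permission denied)'

# Print the NAME column of every lsof line whose TYPE is $1 (e.g. REG, DIR),
# skipping the header and anything that is not an absolute path (sockets,
# "(LISTEN)" markers and the truncated "Permission denied" lines).
lsof_paths_of_type() {
  awk -v want="$1" 'NR > 1 && $5 == want && $NF ~ /^\// { print $NF }'
}

# Map regular files the process opened onto firejail directives:
# shared libraries -> private-lib, executables -> private-bin, everything
# else -> whitelist. Output is sorted and de-duplicated.
suggest_firejail_lines() {
  lsof_paths_of_type REG | sort -u | while read -r p; do
    case "$p" in
      /usr/lib/*|/usr/lib64/*|/lib/*) printf 'private-lib %s\n' "$(basename "$p")" ;;
      /usr/bin/*|/bin/*)              printf 'private-bin %s\n' "$(basename "$p")" ;;
      *)                              printf 'whitelist %s\n' "$p" ;;
    esac
  done
}

# Count listening TCP sockets. Each one (firenvim's WebSocket RPC listener
# here) means the profile also needs network access, which file whitelists
# alone do not provide.
count_tcp_listeners() {
  awk 'NR > 1 && $5 ~ /^IPv[46]$/ && $NF == "(LISTEN)"' | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | suggest_firejail_lines
printf 'listening TCP sockets: %s\n' "$(printf '%s\n' "$SAMPLE_LSOF" | count_tcp_listeners)"
```

The generated lines are a starting point for the `firefox.local` overrides, not a finished profile: `private-lib` and `private-bin` replace the sandbox's view of those directories with only the named entries, so a file missed by a single lsof snapshot (a plugin loaded later, a runtime file opened on demand) will fail at use time, and with `firejail --join=firefox` the nvim process inherits the firefox profile, so every directive added for nvim also widens what the browser sandbox can reach.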