vim: custom profiles for sudoedit and plugins

[rene-descartes2021]

I noticed Vim isn't in firecfg. It was added here and later removed here. Documented here.

The idea I use is a script ~/bin/vim-unsandboxed, which I use to edit files otherwise sandboxed by Firejail:

#!/usr/bin/env bash
/usr/bin/vim -u /etc/vim/vimrc $@

The -u /etc/vim/vimrc argument loads the systemwide vimrc, and does not load any user-installed plugins with possible security vulnerabilities/exploits (I have ~50 plugins pulled from git repositories!). I guess --clean might be better, but on Debian that results in nomodeline not being set via /usr/share/vim/vim81/debian.vim. I'm not sure if Vim had been patched to disallow that vulnerability. So, I'm not sure what the best option or other considerations would be.

On the CLI I call vim for normal development, and when I need to edit a file in e.g. ~/.config or ~/bin I call vim-unsandboxed. Seems to work well, enabling me to sandbox all those plugins useful for developing code (plugins which often embed other languages than Vimscript, such as Python).

And one should never use sudo vim, one should instead use sudoedit. The above script pertains to the editing of files in the HOME directory sandboxed by firejail.

[rene-descartes2021]

The Firejail configuration in /etc/firejail/disable-common.inc included by /etc/firejail/vim.profile includes the following:

# Initialization files that allow arbitrary command execution
[...]
read-only ${HOME}/.vim
read-only ${HOME}/.viminfo
read-only ${HOME}/.vimrc

We must do a few things to allow Vim to function with plugin additions (I use space-vim), do some combination of:

1. Disable Vim from writing to those files/folders by editing Vim configuration file: vimrc.local.
2. Use some combination of ignore read-only and read-write in Firejail Vim configuration file: vim.local.

---

1. In systemwide or user vimrc.local, /etc/vim/vimrc.local or ~/.vim/vimrc.local (your system may differ):

"Disable Vim from writing to .viminfo
set viminfo=
"You may have to configure plugins to write their cache to a different location
" than ~/.vim, e.g. by setting $TMPDIR, read their docs & file issues with them if you get problems with them

2. In vim.local, ~/.config/firejail/vim.local:

# `:PlugInstall` needs write access to ~/.vim/plugged for operation:
read-only ${HOME}/.vim
read-write ${HOME}/.vim/plugged
ignore read-only ${HOME}/.vim

# Instead of the above, a minimalist approach would be to normally disallow write access to ~/.vim,
#  And only during plugin installation use a different command allowing write access:
read-only ${HOME}/.vim

# Disallow edits to ${HOME} according to your security preferences, e.g.:
read-only ${HOME}/Documents
read-only ${HOME}/Downloads
read-only ${HOME}/.config

# Normally Firejail will disallow write access much of ${HOME}.
# You may allow edits explicitly to where you do your development:
read-write ${HOME}/dev

Only give write access to ~/.vim/plugged when necessary for :PlugInstall. As plugin installation isn't a very frequent occurrence:

$ firejail --profile=/etc/firejail/vim.profile --read-write=~/.vim/plugged vim -es +'PlugInstall' +qall

[kmk3]

Related: #4841 (comment)