I use a lot of plugins, and while I’m generally not paranoid.

After some feedback, I came to the conclusion that the next statement is wrong. I’d say the plugin ecosystem of nvim isn’t as secure as say VSCode or JetBrains.

So after some tinkering, I got firejail to behave nicely with nvim using a custom profile, for some reason the stock profile did not work at all, might be an issue on my end though.

Simply create the profile, then start nvim with firejail --whitelist=$SRC --read-write=$SRC nvim $SRC, I’d recommend aliasing it or using a wrapper.

update 2023-10-11 updated the profile to support zsh and go better, also add xdg-open.

update 2023-10-19 up to date version of the profile @ https://github.com/OneOfOne/dotfiles/blob/master/.config/firejail/nvim.profile

~/.config/firejail/nvim.profile

include globals.local
#include disable-xdg.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
include whitelist-common.inc

whitelist /usr/share/nvim
whitelist ${HOME}/.git*
whitelist ${HOME}/.dotfiles
whitelist ${HOME}/.cache/nvim
whitelist ${HOME}/.config/nvim
whitelist ${HOME}/.local/share/nvim
whitelist ${HOME}/.local/state/nvim

read-write ${HOME}/.dotfiles/.config/nvim
read-write ${HOME}/.cache/nvim
read-write ${HOME}/.config/nvim
read-write ${HOME}/.local/state/nvim

# gnupg & git
writable-run-user
whitelist ${HOME}/.gnupg
noblacklist ${RUNUSER}/gnupg
whitelist ${RUNUSER}/gnupg

whitelist ${HOME}/.config/lazygit
read-write ${HOME}/.config/lazygit

# custom addons
whitelist ${HOME}/code/nvim/spm.nvim

# copilot
whitelist ${HOME}/.config/github-copilot
read-write ${HOME}/.config/github-copilot

# go
whitelist ${HOME}/code/go/
whitelist ${HOME}/sdk/go/
whitelist ${HOME}/.cache/go-build
read-write ${HOME}/.cache/go-build

#zsh & term
whitelist /usr/share/zsh
whitelist ${HOME}/.terminfo/

ipc-namespace
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
tracelog

private-dev

restrict-namespaces

~/bin/wvim (nvim wrapper with kitty as a “UI”)

#!/bin/zsh

local cwd="$PWD"
local p="$1"
[ "$1" != "" ] && shift
if [ -d "$p" ]; then
	p="$(realpath $p)"
	cwd="$p"
fi

export ZDOTDIR=~/.dotfiles

if [[ "$WAYLAND_DISPLAY" != "" ]]; then
	kitty -d $cwd -- firejail --quiet --whitelist=$p --read-write=$p nvim $p $@ &
else
	firejail --quiet --whitelist=$p --read-write=$p nvim $p $@
fi

~/bin/xdg-open (if you need to open the browser or an extra app from nvim or lazygit)

#!/bin/zsh

systemd-run --user --quiet --no-block /usr/bin/xdg-open "$@" || /usr/bin/xdg-open "$@"