author | netblue30 <netblue30@protonmail.com> | 2022-10-11 11:12:25 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-11 11:12:25 -0400 |
commit | 7968af73cdedd177291efdb65852d73a930b7fdd (patch) | |
tree | 31c10b7030f9c2c091210e09758ccea3ffee08f1 | |
parent | Merge pull request #5402 from slowpeek/master (diff) | |
parent | Harden qutebrowser (diff) | |
download | firejail-7968af73cdedd177291efdb65852d73a930b7fdd.tar.gz firejail-7968af73cdedd177291efdb65852d73a930b7fdd.tar.zst firejail-7968af73cdedd177291efdb65852d73a930b7fdd.zip |
Merge pull request #5389 from glitsj16/qutebrowser-fixes
Harden qutebrowser profile
-rw-r--r-- | etc/profile-m-z/qutebrowser.profile | 27 |
1 files changed, 27 insertions, 0 deletions
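--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -10,14 +10,19 @@ noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
@@ -26,8 +31,14 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qutebrowser
 whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
+whitelist /usr/share/qtbrowser
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,3 +49,19 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
 seccomp !chroot,!name_to_handle_at
 # tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
+dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+dbus-system none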
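Review bot: The new `whitelist /usr/share/qtbrowser` line (new line 34, second hunk) uses a path spelling that matches nothing else in this profile, where the program is consistently named `qutebrowser`; it looks like a typo for `whitelist /usr/share/qutebrowser`. Because the same hunk adds `include whitelist-usr-share-common.inc`, /usr/share becomes whitelist-only, so a misspelled entry would leave the program's own data directory (if it installs one there) hidden inside the sandbox, which is a functional break rather than a hardening gap; worth confirming against an installed qutebrowser before merging. Minor: the comment on new line 64 doubles a word, `# Add the next line to your qutebrowser.local if screen sharing still does not work`.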