Update profile for Cyberfox

author: hawkeye116477 <hawkeye116477@gmail.com> 2017-05-30 21:31:39 +0200
committer: hawkeye116477 <hawkeye116477@gmail.com> 2017-05-30 21:31:39 +0200
commit: ae4de575327be1f8ba8bc668622932c0c0fdfe0c (patch)
tree: 37377da945de5f5e95357c015c91e78c6476b7f7 /etc/cyberfox.profile
parent: Add Firejail profile for Waterfox (diff)
download: firejail-ae4de575327be1f8ba8bc668622932c0c0fdfe0c.tar.gz
firejail-ae4de575327be1f8ba8bc668622932c0c0fdfe0c.tar.zst
firejail-ae4de575327be1f8ba8bc668622932c0c0fdfe0c.zip
1 files changed, 22 insertions, 1 deletions
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index 068131d25..c237e33ff 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -8,17 +8,25 @@ include /etc/firejail/cyberfox.local
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.local/share/okular
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+# ipc-namespace crashes cyberfox on some setups
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
 whitelist ${DOWNLOADS}
@@ -35,8 +43,14 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.lastpass
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.local/share/okular
 # silverlight
 whitelist ~/.wine-pipelight
@@ -47,4 +61,11 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
+# private-dev might prevent video calls going out
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
author	hawkeye116477 <hawkeye116477@gmail.com>	2017-05-30 21:31:39 +0200
committer	hawkeye116477 <hawkeye116477@gmail.com>	2017-05-30 21:31:39 +0200
commit	ae4de575327be1f8ba8bc668622932c0c0fdfe0c (patch)
tree	37377da945de5f5e95357c015c91e78c6476b7f7 /etc/cyberfox.profile
parent	Add Firejail profile for Waterfox (diff)
download	firejail-ae4de575327be1f8ba8bc668622932c0c0fdfe0c.tar.gz firejail-ae4de575327be1f8ba8bc668622932c0c0fdfe0c.tar.zst firejail-ae4de575327be1f8ba8bc668622932c0c0fdfe0c.zip

diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 068131d25..c237e33ff 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile
@@ -8,17 +8,25 @@ include /etc/firejail/cyberfox.local
8	# Firejail profile for Cyberfox (based on Mozilla Firefox)	8	# Firejail profile for Cyberfox (based on Mozilla Firefox)
9	noblacklist ~/.8pecxstudios	9	noblacklist ~/.8pecxstudios
10	noblacklist ~/.cache/8pecxstudios	10	noblacklist ~/.cache/8pecxstudios
		11	noblacklist ~/.config/qpdfview
		12	noblacklist ~/.local/share/qpdfview
		13	noblacklist ~/.kde4/share/apps/okular
		14	noblacklist ~/.kde/share/apps/okular
		15	noblacklist ~/.local/share/okular
11	noblacklist ~/.pki	16	noblacklist ~/.pki
12	include /etc/firejail/disable-common.inc	17	include /etc/firejail/disable-common.inc
13	include /etc/firejail/disable-programs.inc	18	include /etc/firejail/disable-programs.inc
14	include /etc/firejail/disable-devel.inc	19	include /etc/firejail/disable-devel.inc
15		20
16	caps.drop all	21	caps.drop all
		22	# ipc-namespace crashes cyberfox on some setups
17	netfilter	23	netfilter
		24	nogroups
18	nonewprivs	25	nonewprivs
19	noroot	26	noroot
20	protocol unix,inet,inet6,netlink	27	protocol unix,inet,inet6,netlink
21	seccomp	28	seccomp
		29	shell none
22	tracelog	30	tracelog
23		31
24	whitelist ${DOWNLOADS}	32	whitelist ${DOWNLOADS}
@@ -35,8 +43,14 @@ whitelist ~/.pentadactyl
35	whitelist ~/.keysnail.js	43	whitelist ~/.keysnail.js
36	whitelist ~/.config/gnome-mplayer	44	whitelist ~/.config/gnome-mplayer
37	whitelist ~/.cache/gnome-mplayer/plugin	45	whitelist ~/.cache/gnome-mplayer/plugin
		46	mkdir ~/.pki
38	whitelist ~/.pki	47	whitelist ~/.pki
39	whitelist ~/.lastpass	48	whitelist ~/.lastpass
		49	whitelist ~/.config/qpdfview
		50	whitelist ~/.local/share/qpdfview
		51	whitelist ~/.kde4/share/apps/okular
		52	whitelist ~/.kde/share/apps/okular
		53	whitelist ~/.local/share/okular
40		54
41	# silverlight	55	# silverlight
42	whitelist ~/.wine-pipelight	56	whitelist ~/.wine-pipelight
@@ -47,4 +61,11 @@ whitelist ~/.config/pipelight-silverlight5.1
47	include /etc/firejail/whitelist-common.inc	61	include /etc/firejail/whitelist-common.inc
48		62
49	# experimental features	63	# experimental features
50	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse	64	#private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
		65	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
		66	# private-dev might prevent video calls going out
		67	private-dev
		68	private-tmp
		69
		70	noexec ${HOME}
		71	noexec /tmp