reorganize github etc directory

author: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
commit: 018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree: aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-a-l/firefox-common.profile
parent: small fixes (diff)
download: firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz
firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst
firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip
1 files changed, 60 insertions, 0 deletions
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
new file mode 100644
index 000000000..7c343c26d
--- /dev/null
+++ b/etc/profile-a-l/firefox-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
+#include firefox-common-addons.inc
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
+seccomp !chroot
+shell none
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
+#tracelog
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none
author	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
commit	018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree	aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-a-l/firefox-common.profile
parent	small fixes (diff)
download	firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip

diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile new file mode 100644 index 000000000..7c343c26d --- /dev/null +++ b/etc/profile-a-l/firefox-common.profile
@@ -0,0 +1,60 @@
	1	# Firejail profile for firefox-common
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include firefox-common.local
	5	# Persistent global definitions
	6	# added by caller profile
	7	#include globals.local
	8
	9	# noexec ${HOME} breaks DRM binaries.
	10	?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
	11
	12	# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
	13	#include firefox-common-addons.inc
	14
	15	noblacklist ${HOME}/.pki
	16	noblacklist ${HOME}/.local/share/pki
	17
	18	include disable-common.inc
	19	include disable-devel.inc
	20	include disable-exec.inc
	21	include disable-interpreters.inc
	22	include disable-programs.inc
	23
	24	mkdir ${HOME}/.pki
	25	mkdir ${HOME}/.local/share/pki
	26	whitelist ${DOWNLOADS}
	27	whitelist ${HOME}/.pki
	28	whitelist ${HOME}/.local/share/pki
	29	include whitelist-common.inc
	30	include whitelist-var-common.inc
	31
	32	apparmor
	33	caps.drop all
	34	# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
	35	#machine-id
	36	netfilter
	37	nodvd
	38	nogroups
	39	nonewprivs
	40	# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
	41	noroot
	42	notv
	43	?BROWSER_DISABLE_U2F: nou2f
	44	protocol unix,inet,inet6,netlink
	45	# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
	46	seccomp !chroot
	47	shell none
	48	# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
	49	#tracelog
	50
	51	disable-mnt
	52	?BROWSER_DISABLE_U2F: private-dev
	53	# private-etc below works fine on most distributions. There are some problems on CentOS.
	54	#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
	55	private-tmp
	56
	57	# breaks various desktop integration features
	58	# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
	59	dbus-user none
	60	dbus-system none