Harden qutebrowser profile

author: glitsj16 <glitsj16@users.noreply.github.com> 2022-10-01 19:23:19 +0000
committer: GitHub <noreply@github.com> 2022-10-01 19:23:19 +0000
commit: 2297257745fd568b1f042139b7e3bfa2830eb500 (patch)
tree: e03a393051ede5203ecc5374f91f7c41d64c78ce /etc/profile-m-z
parent: mpv: whitelist mpv-mpris (#5386) (diff)
download: firejail-2297257745fd568b1f042139b7e3bfa2830eb500.tar.gz
firejail-2297257745fd568b1f042139b7e3bfa2830eb500.tar.zst
firejail-2297257745fd568b1f042139b7e3bfa2830eb500.zip
1 files changed, 18 insertions, 0 deletions
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..e15db2ea5 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -16,6 +16,7 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -28,6 +29,7 @@ whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
 include whitelist-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,3 +40,19 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
 seccomp !chroot,!name_to_handle_at
 # tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.mpris.MediaPlayer2.*
+# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+dbus-system none
author	glitsj16 <glitsj16@users.noreply.github.com>	2022-10-01 19:23:19 +0000
committer	GitHub <noreply@github.com>	2022-10-01 19:23:19 +0000
commit	2297257745fd568b1f042139b7e3bfa2830eb500 (patch)
tree	e03a393051ede5203ecc5374f91f7c41d64c78ce /etc/profile-m-z
parent	mpv: whitelist mpv-mpris (#5386) (diff)
download	firejail-2297257745fd568b1f042139b7e3bfa2830eb500.tar.gz firejail-2297257745fd568b1f042139b7e3bfa2830eb500.tar.zst firejail-2297257745fd568b1f042139b7e3bfa2830eb500.zip

diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile index fc910b589..e15db2ea5 100644 --- a/etc/profile-m-z/qutebrowser.profile +++ b/etc/profile-m-z/qutebrowser.profile
@@ -16,6 +16,7 @@ include allow-python3.inc
16		16
17	include disable-common.inc	17	include disable-common.inc
18	include disable-devel.inc	18	include disable-devel.inc
		19	include disable-exec.inc
19	include disable-interpreters.inc	20	include disable-interpreters.inc
20	include disable-programs.inc	21	include disable-programs.inc
21		22
@@ -28,6 +29,7 @@ whitelist ${HOME}/.config/qutebrowser
28	whitelist ${HOME}/.local/share/qutebrowser	29	whitelist ${HOME}/.local/share/qutebrowser
29	include whitelist-common.inc	30	include whitelist-common.inc
30		31
		32	apparmor
31	caps.drop all	33	caps.drop all
32	netfilter	34	netfilter
33	nodvd	35	nodvd
@@ -38,3 +40,19 @@ protocol unix,inet,inet6,netlink
38	# blacklisting of chroot system calls breaks qt webengine	40	# blacklisting of chroot system calls breaks qt webengine
39	seccomp !chroot,!name_to_handle_at	41	seccomp !chroot,!name_to_handle_at
40	# tracelog	42	# tracelog
		43
		44	disable-mnt
		45	private-cache
		46	private-dev
		47	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
		48	private-tmp
		49
		50	dbus-user filter
		51	dbus-user.talk org.freedesktop.Notifications
		52	dbus-user.talk org.mpris.MediaPlayer2.*
		53	# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
		54	#dbus-user.talk org.freedesktop.portal.Desktop
		55	# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
		56	# with the above lines (might depend on the portal implementation).
		57	#ignore noroot
		58	dbus-system none