Merge pull request #5389 from glitsj16/qutebrowser-fixes

Harden qutebrowser profile
author: netblue30 <netblue30@protonmail.com> 2022-10-11 11:12:25 -0400
committer: GitHub <noreply@github.com> 2022-10-11 11:12:25 -0400
commit: 7968af73cdedd177291efdb65852d73a930b7fdd (patch)
tree: 31c10b7030f9c2c091210e09758ccea3ffee08f1 /etc/profile-m-z
parent: Merge pull request #5402 from slowpeek/master (diff)
parent: Harden qutebrowser (diff)
download: firejail-7968af73cdedd177291efdb65852d73a930b7fdd.tar.gz
firejail-7968af73cdedd177291efdb65852d73a930b7fdd.tar.zst
firejail-7968af73cdedd177291efdb65852d73a930b7fdd.zip
1 files changed, 27 insertions, 0 deletions
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..ae62c0b89 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -10,14 +10,19 @@ noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
@@ -26,8 +31,14 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qutebrowser
 whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
+whitelist /usr/share/qtbrowser
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,3 +49,19 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
 seccomp !chroot,!name_to_handle_at
 # tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
+dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+dbus-system none
author	netblue30 <netblue30@protonmail.com>	2022-10-11 11:12:25 -0400
committer	GitHub <noreply@github.com>	2022-10-11 11:12:25 -0400
commit	7968af73cdedd177291efdb65852d73a930b7fdd (patch)
tree	31c10b7030f9c2c091210e09758ccea3ffee08f1 /etc/profile-m-z
parent	Merge pull request #5402 from slowpeek/master (diff)
parent	Harden qutebrowser (diff)
download	firejail-7968af73cdedd177291efdb65852d73a930b7fdd.tar.gz firejail-7968af73cdedd177291efdb65852d73a930b7fdd.tar.zst firejail-7968af73cdedd177291efdb65852d73a930b7fdd.zip

diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile index fc910b589..ae62c0b89 100644 --- a/etc/profile-m-z/qutebrowser.profile +++ b/etc/profile-m-z/qutebrowser.profile
@@ -10,14 +10,19 @@ noblacklist ${HOME}/.cache/qutebrowser
10	noblacklist ${HOME}/.config/qutebrowser	10	noblacklist ${HOME}/.config/qutebrowser
11	noblacklist ${HOME}/.local/share/qutebrowser	11	noblacklist ${HOME}/.local/share/qutebrowser
12		12
		13	# Allow /bin/sh (blacklisted by disable-shell.inc)
		14	include allow-bin-sh.inc
		15
13	# Allow python (blacklisted by disable-interpreters.inc)	16	# Allow python (blacklisted by disable-interpreters.inc)
14	include allow-python2.inc	17	include allow-python2.inc
15	include allow-python3.inc	18	include allow-python3.inc
16		19
17	include disable-common.inc	20	include disable-common.inc
18	include disable-devel.inc	21	include disable-devel.inc
		22	include disable-exec.inc
19	include disable-interpreters.inc	23	include disable-interpreters.inc
20	include disable-programs.inc	24	include disable-programs.inc
		25	include disable-shell.inc
21		26
22	mkdir ${HOME}/.cache/qutebrowser	27	mkdir ${HOME}/.cache/qutebrowser
23	mkdir ${HOME}/.config/qutebrowser	28	mkdir ${HOME}/.config/qutebrowser
@@ -26,8 +31,14 @@ whitelist ${DOWNLOADS}
26	whitelist ${HOME}/.cache/qutebrowser	31	whitelist ${HOME}/.cache/qutebrowser
27	whitelist ${HOME}/.config/qutebrowser	32	whitelist ${HOME}/.config/qutebrowser
28	whitelist ${HOME}/.local/share/qutebrowser	33	whitelist ${HOME}/.local/share/qutebrowser
		34	whitelist /usr/share/qtbrowser
29	include whitelist-common.inc	35	include whitelist-common.inc
		36	include whitelist-run-common.inc
		37	include whitelist-runuser-common.inc
		38	include whitelist-usr-share-common.inc
		39	include whitelist-var-common.inc
30		40
		41	apparmor
31	caps.drop all	42	caps.drop all
32	netfilter	43	netfilter
33	nodvd	44	nodvd
@@ -38,3 +49,19 @@ protocol unix,inet,inet6,netlink
38	# blacklisting of chroot system calls breaks qt webengine	49	# blacklisting of chroot system calls breaks qt webengine
39	seccomp !chroot,!name_to_handle_at	50	seccomp !chroot,!name_to_handle_at
40	# tracelog	51	# tracelog
		52
		53	disable-mnt
		54	private-cache
		55	private-dev
		56	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
		57	private-tmp
		58
		59	dbus-user filter
		60	dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
		61	dbus-user.talk org.freedesktop.Notifications
		62	# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
		63	#dbus-user.talk org.freedesktop.portal.Desktop
		64	# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
		65	# with the above lines (might depend on the portal implementation).
		66	#ignore noroot
		67	dbus-system none