author | glitsj16 <glitsj16@users.noreply.github.com> | 2023-07-22 12:38:28 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-22 12:38:28 +0000 |
commit | e4913eb9cb2188f8b556b00ec0e713e11226126b (patch) | |
tree | 2905c97fa34394af36597bf4ff9070792267e880 /etc/profile-m-z | |
parent | torbrowser-launcher: hardening (#5886) (diff) | |
download | firejail-e4913eb9cb2188f8b556b00ec0e713e11226126b.tar.gz firejail-e4913eb9cb2188f8b556b00ec0e713e11226126b.tar.zst firejail-e4913eb9cb2188f8b556b00ec0e713e11226126b.zip |
Create mullvad-browser.profile (#5887)
Homepage: https://mullvad.net/en/download/browser/linux
mullvad-browser: don't use restrict-namespaces
mullvad-browser: cover both installation paths
Suggested in review by @kmk3.
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/mullvad-browser.profile | 97 |
1 files changed, 97 insertions, 0 deletions
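--- /dev/null
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -0,0 +1,97 @@
+# Firejail profile for mullvad-browser
+# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mullvad-browser.local
+# Persistent global definitions
+include globals.local
+
+# IMPORTANT ##########################################
+# The mullvad-browser can be downloaded from the official website
+# and installed manually or via the AUR for Arch Linux (derivatives).
+# The latter installs the browser under /opt/mullvad-browser, while
+# the former can be installed under ${HOME} just about anywhere.
+# If you decide to install it under ${HOME} this profile assumes to find
+# the browser files under ${HOME}/.local/share/mullvad-browser.
+# When you divert from that location you will need to make the needed
+# path adjustments yourself in the below instructions.
+####################################################
+
+# If you installed under ${HOME}, put the below line in your
+# mullvad-browser.local
+# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
+# need to be uncommented for the 'apparmor' option to work as expected.
+#ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
+noblacklist ${HOME}/.config/mullvad-browser-flags.conf
+noblacklist ${HOME}/.local/share/mullvad-browser
+noblacklist ${HOME}/.mullvad/mullvadbrowser
+
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /srv
+blacklist /sys/class/net
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mullvad/mullvadbrowser
+mkdir ${HOME}/.local/share/mullvad-browser
+mkdir ${HOME}/.mullvad/mullvadbrowser
+mkfile ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/mullvad/mullvadbrowser
+whitelist ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${HOME}/.local/share/mullvad-browser
+whitelist ${HOME}/.mullvad/mullvadbrowser
+whitelist /opt/mullvad-browser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+#tracelog - may cause issues, see #1930
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc @tls-ca
+#private-opt mullvad-browser - can cause slow startup
+private-tmp
+
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
+dbus-user filter
+dbus-user.own org.mozilla.mullvadbrowser.*
+dbus-system none
+
+# cfr. start-mullvad-browser
+# do not (try to) connect to the session manager
+rmenv SESSION_MANAGER
+
+#restrict-namespaces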
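Review bot: The disabled `#restrict-namespaces` on the last line of the new profile carries no reason, unlike the two other disabled options in the same file (`#tracelog - may cause issues, see #1930` and `#private-opt mullvad-browser - can cause slow startup`), so a later maintainer cannot tell whether it was left off deliberately or simply not yet tested; the commit message does say it was deliberate, so the file should say so too, e.g. `#restrict-namespaces - see #5887`. The `#ignore noexec ${HOME}` hint near the top would also benefit from stating its scope: enabling it drops the noexec mount for the whole of ${HOME}, not just the browser directory, which is a broader relaxation than the surrounding text suggests. Both are documentation-only; no rules need to change.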