Add Firejail profile for Waterfox

author: hawkeye116477 <hawkeye116477@gmail.com> 2017-05-30 21:30:46 +0200
committer: hawkeye116477 <hawkeye116477@gmail.com> 2017-05-30 21:30:46 +0200
commit: 6cdeac2f3682c6a2709b0e9977c0becd006819d1 (patch)
tree: b3305a0164124dae109a67a57a1dd6c349db5e69 /etc/waterfox.profile
parent: readme.md text (diff)
download: firejail-6cdeac2f3682c6a2709b0e9977c0becd006819d1.tar.gz
firejail-6cdeac2f3682c6a2709b0e9977c0becd006819d1.tar.zst
firejail-6cdeac2f3682c6a2709b0e9977c0becd006819d1.zip
1 files changed, 71 insertions, 0 deletions
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
new file mode 100644
index 000000000..2a9670a0d
--- /dev/null
+++ b/etc/waterfox.profile
@@ -0,0 +1,71 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/waterfox.local
+# Firejail profile for Waterfox (based on Mozilla Firefox)
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.local/share/okular
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+# ipc-namespace crashes waterfox on some setups
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
+whitelist ~/.pki
+whitelist ~/.lastpass
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.local/share/okular
+# silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
+# private-dev might prevent video calls going out
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
author	hawkeye116477 <hawkeye116477@gmail.com>	2017-05-30 21:30:46 +0200
committer	hawkeye116477 <hawkeye116477@gmail.com>	2017-05-30 21:30:46 +0200
commit	6cdeac2f3682c6a2709b0e9977c0becd006819d1 (patch)
tree	b3305a0164124dae109a67a57a1dd6c349db5e69 /etc/waterfox.profile
parent	readme.md text (diff)
download	firejail-6cdeac2f3682c6a2709b0e9977c0becd006819d1.tar.gz firejail-6cdeac2f3682c6a2709b0e9977c0becd006819d1.tar.zst firejail-6cdeac2f3682c6a2709b0e9977c0becd006819d1.zip

diff --git a/etc/waterfox.profile b/etc/waterfox.profile new file mode 100644 index 000000000..2a9670a0d --- /dev/null +++ b/etc/waterfox.profile
@@ -0,0 +1,71 @@
	1	# Persistent global definitions go here
	2	include /etc/firejail/globals.local
	3
	4	# This file is overwritten during software install.
	5	# Persistent customizations should go in a .local file.
	6	include /etc/firejail/waterfox.local
	7
	8	# Firejail profile for Waterfox (based on Mozilla Firefox)
	9	noblacklist ~/.mozilla
	10	noblacklist ~/.cache/mozilla
	11	noblacklist ~/.config/qpdfview
	12	noblacklist ~/.local/share/qpdfview
	13	noblacklist ~/.kde4/share/apps/okular
	14	noblacklist ~/.kde/share/apps/okular
	15	noblacklist ~/.local/share/okular
	16	noblacklist ~/.pki
	17	include /etc/firejail/disable-common.inc
	18	include /etc/firejail/disable-programs.inc
	19	include /etc/firejail/disable-devel.inc
	20
	21	caps.drop all
	22	# ipc-namespace crashes waterfox on some setups
	23	netfilter
	24	nogroups
	25	nonewprivs
	26	noroot
	27	protocol unix,inet,inet6,netlink
	28	seccomp
	29	shell none
	30	tracelog
	31
	32	whitelist ${DOWNLOADS}
	33	mkdir ~/.mozilla
	34	whitelist ~/.mozilla
	35	mkdir ~/.cache/mozilla/firefox
	36	whitelist ~/.cache/mozilla/firefox
	37	whitelist ~/dwhelper
	38	whitelist ~/.zotero
	39	whitelist ~/.vimperatorrc
	40	whitelist ~/.vimperator
	41	whitelist ~/.pentadactylrc
	42	whitelist ~/.pentadactyl
	43	whitelist ~/.keysnail.js
	44	whitelist ~/.config/gnome-mplayer
	45	whitelist ~/.cache/gnome-mplayer/plugin
	46	mkdir ~/.pki
	47	whitelist ~/.pki
	48	whitelist ~/.lastpass
	49	whitelist ~/.config/qpdfview
	50	whitelist ~/.local/share/qpdfview
	51	whitelist ~/.kde4/share/apps/okular
	52	whitelist ~/.kde/share/apps/okular
	53	whitelist ~/.local/share/okular
	54
	55	# silverlight
	56	whitelist ~/.wine-pipelight
	57	whitelist ~/.wine-pipelight64
	58	whitelist ~/.config/pipelight-widevine
	59	whitelist ~/.config/pipelight-silverlight5.1
	60
	61	include /etc/firejail/whitelist-common.inc
	62
	63	# experimental features
	64	#private-bin waterfox,which,sh,dbus-launch,dbus-send,env
	65	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
	66	# private-dev might prevent video calls going out
	67	private-dev
	68	private-tmp
	69
	70	noexec ${HOME}
	71	noexec /tmp