Whitelist /var and fix private-bit filter for waterfox on Arch

author: hawkeye116477 <hawkeye116477@gmail.com> 2017-09-25 23:05:05 +0200
committer: hawkeye116477 <hawkeye116477@gmail.com> 2017-09-25 23:35:45 +0200
commit: 989f79331fbbe8e7ea051c35e30050cd497d3bf8 (patch)
tree: d8ca1ca4ad1455be408412e23e92a5af73e77656 /etc/waterfox.profile
parent: Add a profile for Android ROM compilation (diff)
download: firejail-989f79331fbbe8e7ea051c35e30050cd497d3bf8.tar.gz
firejail-989f79331fbbe8e7ea051c35e30050cd497d3bf8.tar.zst
firejail-989f79331fbbe8e7ea051c35e30050cd497d3bf8.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 2322c1fae..67995f345 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -65,6 +65,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
@@ -78,7 +79,8 @@ seccomp
 shell none
 tracelog
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,dash,bash
 private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
 private-tmp
author	hawkeye116477 <hawkeye116477@gmail.com>	2017-09-25 23:05:05 +0200
committer	hawkeye116477 <hawkeye116477@gmail.com>	2017-09-25 23:35:45 +0200
commit	989f79331fbbe8e7ea051c35e30050cd497d3bf8 (patch)
tree	d8ca1ca4ad1455be408412e23e92a5af73e77656 /etc/waterfox.profile
parent	Add a profile for Android ROM compilation (diff)
download	firejail-989f79331fbbe8e7ea051c35e30050cd497d3bf8.tar.gz firejail-989f79331fbbe8e7ea051c35e30050cd497d3bf8.tar.zst firejail-989f79331fbbe8e7ea051c35e30050cd497d3bf8.zip

diff --git a/etc/waterfox.profile b/etc/waterfox.profile index 2322c1fae..67995f345 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile
@@ -65,6 +65,7 @@ whitelist ~/.wine-pipelight64
65	whitelist ~/.zotero	65	whitelist ~/.zotero
66	whitelist ~/dwhelper	66	whitelist ~/dwhelper
67	include /etc/firejail/whitelist-common.inc	67	include /etc/firejail/whitelist-common.inc
		68	include /etc/firejail/whitelist-var-common.inc
68		69
69	caps.drop all	70	caps.drop all
70	netfilter	71	netfilter
@@ -78,7 +79,8 @@ seccomp
78	shell none	79	shell none
79	tracelog	80	tracelog
80		81
81	# private-bin waterfox,which,sh,dbus-launch,dbus-send,env	82	# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
		83	# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,dash,bash
82	private-dev	84	private-dev
83	# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse	85	# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
84	private-tmp	86	private-tmp