author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-11-09 16:08:48 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-09 16:08:48 +0000 |
commit | 594300374dc15bd704bcb1f2a98b17faef80aa79 (patch) | |
tree | ac1b6d8c80a94f26c82c17ee30c34a1623f9c064 /etc | |
parent | adding test-profiles to ci test (diff) | |
rework chromium (#3688)
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
Though this is only necessary if running under a kernel which
disallows
unprivileged userns clones. Arch's linux-hardened and debian kernel
are
patched accordingly. Arch's linux and linux-lts kernels support this
restriction via sysctl (kernel.unprivileged_userns_clone=0) as users
opt-in.
Other kernels such as mainline or fedora/redhat always support
unprivileged
userns clone and have no sysctl parameter to disable it. Debian and
Arch
users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included
in
chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the
following
profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
missed also some features from vivaldi.profile, solve this by making
it
redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
Diffstat (limited to 'etc')
23 files changed, 125 insertions, 14 deletions
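diff --git a/etc/inc/chromium-common-hardened.inc b/etc/inc/chromium-common-hardened.inc
new file mode 100644
index 000000000..f33ce3115
--- /dev/null
+++ b/etc/inc/chromium-common-hardened.inc
@@ -0,0 +1,5 @@
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot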
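Review bot: The new include has no header comment saying when it is safe to use, and it does not state how `caps.drop all` here relates to the `caps.keep sys_admin,sys_chroot` line that chromium-common.profile still carries after the include point. Which of the two takes effect when both are present cannot be told from this page; that precedence should be confirmed and written down. I would open the file with `# Hardening for chromium-based browsers; only for kernels that allow unprivileged userns clone (see chromium-common.profile)`. A second comment should say why `seccomp !chroot` keeps chroot available, presumably because the browser's own sandbox relies on it.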
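diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 1fba79f43..7e3c0b657 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -391,6 +391,7 @@ blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/tvbrowser
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/ungoogled-chromium
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
 blacklist ${HOME}/.config/vivaldi
@@ -977,6 +978,7 @@ blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc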
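diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 031f3f4bd..6e8f0d7d1 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -5,6 +5,11 @@ include bnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
 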
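Review bot: The added `ignore` lines switch off the `/usr/share/chromium` whitelist and both whitelist-runuser-common.inc and whitelist-usr-share-common.inc for this browser, but the comment says only "Disable for now" plus a link. Nothing in the file records what has to be verified before the lines can be dropped. The same block is added to brave, dnox, enox, flashpeak-slimjet, google-chrome, google-chrome-beta, google-chrome-unstable, inox, iridium, min, opera, opera-beta, snox and yandex-browser; yandex-browser is not on the commit message's to-test list. I would extend the comment to `# Untested with wruc/wusc; remove these ignores once the browser is confirmed to work with them`, so the relaxed whitelisting does not become permanent by default.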
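diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 35c59f5a3..904d3e94f 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -8,6 +8,12 @@ include globals.local
 
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
+# TOR is installed in ${HOME}
+ignore noexec ${HOME}
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware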
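Review bot: `ignore noexec ${HOME}` lifts the noexec restriction for the entire home directory, not only for the location of the Tor binary, so files the browser writes into whitelisted paths such as `${DOWNLOADS}` are no longer mounted non-executable inside the sandbox. If the Tor component's install path is fixed, a narrower exception for that path would keep the rest of ${HOME} covered. If it cannot be narrowed, the comment should state the cost, e.g. `# TOR is installed in ${HOME}; this re-enables exec for all of ${HOME}, including downloads`. The hunk shows only part of the profile, so a compensating rule elsewhere in the file cannot be ruled out.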
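diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
new file mode 100644
index 000000000..09eaa2d12
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -0,0 +1,17 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile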
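diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 899400d25..6a9cf99b0 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -16,16 +16,25 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/chromium
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
@@ -36,8 +45,10 @@ notv
 shell none
 
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none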
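Review bot: The comment at new lines 34-36 invites users to uncomment `#include chromium-common-hardened.inc` in this file. If this profile is overwritten on install/update, as other profiles on this page state for themselves, that edit is lost on the next upgrade and the sandbox silently falls back to `caps.keep sys_admin,sys_chroot` without seccomp, nonewprivs or noroot. I would point only at the local override, `# To enable, add 'include chromium-common-hardened.inc' to chromium-common.local`, and mention the `kernel.unprivileged_userns_clone` sysctl from the commit message as the thing to check where it exists. The new `# include disable-passwdmgr.inc` line is also commented out without a stated reason. Both hunks show only part of the profile.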
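diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index e02395771..51ba6f8b7 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -5,6 +5,11 @@ include dnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
 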
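diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d8ac8b24a..d982433e2 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -5,6 +5,11 @@ include enox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
 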
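diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index b841bce75..310fb378f 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -5,6 +5,11 @@ include flashpeak-slimjet.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
 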
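diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index a62e4cf74..ebe5e870b 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -5,6 +5,11 @@ include google-chrome-beta.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
 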
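diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 14547eab2..4d303f71b 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -5,6 +5,11 @@ include google-chrome-unstable.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
 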
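diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index 66f76caa0..ed2595f72 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -5,6 +5,11 @@ include google-chrome.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
 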
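diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index 1b3db73b4..a5cac12f2 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -5,6 +5,11 @@ include inox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
 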
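diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index ebb39b0a3..3037d00e9 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -5,6 +5,11 @@ include iridium.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
 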
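diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..5dac50cd8 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,6 +6,11 @@ include min.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.config/Min
 
 mkdir ${HOME}/.config/Min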
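diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 8658d30c6..551f1aba4 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -5,6 +5,11 @@ include opera-beta.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
 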
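Review bot: The comment on new line 8 links to a tutorialspoint.com page about `void main` versus `int main`, which has nothing to do with the `ignore` lines below it. The other profiles in this commit reference the pull-request comment `https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565` instead. The same wrong link appears in opera.profile, snox.profile and yandex-browser.profile. A reader following it finds no rationale for the relaxed whitelisting, so these four comments should carry the pull-request URL used elsewhere.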
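diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index b342b3961..2c7c5fc35 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -6,6 +6,11 @@ include opera.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera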
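diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 3b3fd1ae1..83493652c 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -5,6 +5,11 @@ include snox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/snox
 noblacklist ${HOME}/.config/snox
 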
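diff --git a/etc/profile-m-z/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
index 5de5682a3..0d80167f3 100644
--- a/etc/profile-m-z/vivaldi-beta.profile
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-beta
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-beta.local
 
 # Redirect
 include vivaldi.profile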
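diff --git a/etc/profile-m-z/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
index ea4a4009f..543f206af 100644
--- a/etc/profile-m-z/vivaldi-snapshot.profile
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -2,16 +2,6 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vivaldi-snapshot.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.cache/vivaldi-snapshot
-noblacklist ${HOME}/.config/vivaldi-snapshot
-
-mkdir ${HOME}/.cache/vivaldi-snapshot
-mkdir ${HOME}/.config/vivaldi-snapshot
-whitelist ${HOME}/.cache/vivaldi-snapshot
-whitelist ${HOME}/.config/vivaldi-snapshot
 
 # Redirect
-include chromium-common.profile
+include vivaldi.profile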
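diff --git a/etc/profile-m-z/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
index 5de5682a3..94b2cd76c 100644
--- a/etc/profile-m-z/vivaldi-stable.profile
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-stable
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-stable.local
 
 # Redirect
 include vivaldi.profile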
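diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 096ce8a72..541942453 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -13,14 +13,20 @@ whitelist /var/opt/vivaldi
 writable-var
 
 noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.cache/vivaldi-snapshot
 noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi-snapshot
 noblacklist ${HOME}/.local/lib/vivaldi
 
 mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
 whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.cache/vivaldi-snapshot
 whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
 # breaks vivaldi sync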
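Review bot: With the vivaldi-snapshot paths added here, every Vivaldi variant started through this profile gets both the stable and the snapshot cache and config directories created and whitelisted, so each variant's sandbox can reach the other's profile data. The commit message gives the reason (/usr/bin/vivaldi may resolve to vivaldi-snapshot), but the file does not. I would add `# /usr/bin/vivaldi may point to vivaldi-snapshot, so both sets of paths are allowed here` above the noblacklist lines. The commit message's open question about `.local/lib/vivaldi` for the snapshot build is worth recording as a TODO next to `mkdir ${HOME}/.local/lib/vivaldi`. The hunk covers only part of the profile.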
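diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 680bef677..81cd021f7 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -5,6 +5,11 @@ include yandex-browser.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser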