-rw-r--r-- | etc/cyberfox.profile | 23 | ||||
-rw-r--r-- | etc/waterfox.profile | 71 |
2 files changed, 93 insertions, 1 deletions
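--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -8,17 +8,25 @@ include /etc/firejail/cyberfox.local
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.local/share/okular
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
+# ipc-namespace crashes cyberfox on some setups
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
 
 whitelist ${DOWNLOADS}
@@ -35,8 +43,14 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.lastpass
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.local/share/okular
 
 # silverlight
 whitelist ~/.wine-pipelight
@@ -47,4 +61,11 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
+# private-dev might prevent video calls going out
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp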
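Review bot: `noexec ${HOME}` at new line 70 probably conflicts with the silverlight block kept at new lines 55-56, because `~/.wine-pipelight` is a Wine prefix and Wine has to map the plugin binaries stored there as executable, which a noexec home is expected to refuse. Either the pipelight whitelist entries are now dead and could be dropped, or the profile should say how to get them back, for example `# noexec ${HOME} breaks pipelight; add "ignore noexec ${HOME}" to cyberfox.local if it is needed`. Keeping noexec as the default is the safer choice, since `${DOWNLOADS}` stays writable from inside the sandbox. The same pairing appears in the new etc/waterfox.profile (new lines 56-59 and 70). These options are also active while sitting under the `# experimental features` heading, so that heading could be reworded or the active lines moved above it.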
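--- /dev/null
+++ b/etc/waterfox.profile
@@ -0,0 +1,71 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/waterfox.local
+
+# Firejail profile for Waterfox (based on Mozilla Firefox)
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.local/share/okular
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+# ipc-namespace crashes waterfox on some setups
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
+whitelist ~/.pki
+whitelist ~/.lastpass
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.local/share/okular
+
+# silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
+# private-dev might prevent video calls going out
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp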
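Review bot: The data directories opened at new lines 9-10 and 33-36 are `~/.mozilla` and `~/.cache/mozilla/firefox`, which are Firefox's own profile and cache. A sandboxed Waterfox therefore gets read-write access to any Firefox profile in the same home, including its saved logins, cookies and extensions. If the sharing is intentional because Waterfox keeps its data there, a comment next to line 33 would record that, for example `# Waterfox stores its profile under ~/.mozilla, shared with Firefox`. If the targeted Waterfox builds use a directory of their own, that directory should be whitelisted instead, since nothing written outside the whitelisted paths survives the session.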