4 files changed, 106 insertions, 0 deletions
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index 557204d75..a81600dfa 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -20,5 +20,8 @@
 # Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
 #owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
+# Uncomment to opt-in to apparmor for mullvad-browser under ${HOME}
+#owner @{HOME}/.local/share/mullvad-browser/** ix,
 # Uncomment to opt-in to apparmor for torbrowser-launcher
 #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a1490ee60..29d5a8700 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -178,6 +178,7 @@ blacklist ${HOME}/.cache/ms-outlook-online
 blacklist ${HOME}/.cache/ms-powerpoint-online
 blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mullvad/mullvadbrowser
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
@@ -550,6 +551,7 @@ blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/mullvad-browser-flags.conf
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/mutt
 blacklist ${HOME}/.config/mutter
@@ -977,6 +979,7 @@ blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/minder
 blacklist ${HOME}/.local/share/mirage
+blacklist ${HOME}/.local/share/mullvad-browser
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
@@ -1063,6 +1066,7 @@ blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
@@ -1196,6 +1200,7 @@ blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
 blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/UpdateInfo
 blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/i2p
 blacklist ${HOME}/mps
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
new file mode 100644
index 000000000..b9eb57743
--- /dev/null
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -0,0 +1,97 @@
+# Firejail profile for mullvad-browser
+# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mullvad-browser.local
+# Persistent global definitions
+include globals.local
+# IMPORTANT ##########################################
+# The mullvad-browser can be downloaded from the official website
+# and installed manually or via the AUR for Arch Linux (derivatives).
+# The latter installs the browser under /opt/mullvad-browser, while
+# the former can be installed under ${HOME} just about anywhere.
+# If you decide to install it under ${HOME} this profile assumes to find
+# the browser files under ${HOME}/.local/share/mullvad-browser.
+# When you divert from that location you will need to make the needed
+# path adjustments yourself in the below instructions.
+####################################################
+# If you installed under ${HOME}, put the below line in your
+# mullvad-browser.local
+# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
+# need to be uncommented for the 'apparmor' option to work as expected.
+#ignore noexec ${HOME}
+noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
+noblacklist ${HOME}/.config/mullvad-browser-flags.conf
+noblacklist ${HOME}/.local/share/mullvad-browser
+noblacklist ${HOME}/.mullvad/mullvadbrowser
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+blacklist /srv
+blacklist /sys/class/net
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/mullvad/mullvadbrowser
+mkdir ${HOME}/.local/share/mullvad-browser
+mkdir ${HOME}/.mullvad/mullvadbrowser
+mkfile ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/mullvad/mullvadbrowser
+whitelist ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${HOME}/.local/share/mullvad-browser
+whitelist ${HOME}/.mullvad/mullvadbrowser
+whitelist /opt/mullvad-browser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+#tracelog - may cause issues, see #1930
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc @tls-ca
+#private-opt mullvad-browser - can cause slow startup
+private-tmp
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+dbus-user filter
+dbus-user.own org.mozilla.mullvadbrowser.*
+dbus-system none
+# cfr. start-mullvad-browser
+# do not (try to) connect to the session manager
+rmenv SESSION_MANAGER
+#restrict-namespaces
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 2755968c9..8a8833968 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -579,6 +579,7 @@ ms-powerpoint
 ms-skype
 ms-word
 mtpaint
+mullvad-browser
 multimc
 multimc5
 mumble

diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local index 557204d75..a81600dfa 100644 --- a/etc/apparmor/firejail-local +++ b/etc/apparmor/firejail-local
@@ -20,5 +20,8 @@
20	# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}	20	# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
21	#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,	21	#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
22		22
		23	# Uncomment to opt-in to apparmor for mullvad-browser under ${HOME}
		24	#owner @{HOME}/.local/share/mullvad-browser/** ix,
		25
23	# Uncomment to opt-in to apparmor for torbrowser-launcher	26	# Uncomment to opt-in to apparmor for torbrowser-launcher
24	#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_/Browser/* ix,	27	#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_/Browser/* ix,


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index a1490ee60..29d5a8700 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -178,6 +178,7 @@ blacklist ${HOME}/.cache/ms-outlook-online
178	blacklist ${HOME}/.cache/ms-powerpoint-online	178	blacklist ${HOME}/.cache/ms-powerpoint-online
179	blacklist ${HOME}/.cache/ms-skype-online	179	blacklist ${HOME}/.cache/ms-skype-online
180	blacklist ${HOME}/.cache/ms-word-online	180	blacklist ${HOME}/.cache/ms-word-online
		181	blacklist ${HOME}/.cache/mullvad/mullvadbrowser
181	blacklist ${HOME}/.cache/mutt	182	blacklist ${HOME}/.cache/mutt
182	blacklist ${HOME}/.cache/mypaint	183	blacklist ${HOME}/.cache/mypaint
183	blacklist ${HOME}/.cache/netsurf	184	blacklist ${HOME}/.cache/netsurf
@@ -550,6 +551,7 @@ blacklist ${HOME}/.config/mpDris2
550	blacklist ${HOME}/.config/mpd	551	blacklist ${HOME}/.config/mpd
551	blacklist ${HOME}/.config/mps-youtube	552	blacklist ${HOME}/.config/mps-youtube
552	blacklist ${HOME}/.config/mpv	553	blacklist ${HOME}/.config/mpv
		554	blacklist ${HOME}/.config/mullvad-browser-flags.conf
553	blacklist ${HOME}/.config/mupen64plus	555	blacklist ${HOME}/.config/mupen64plus
554	blacklist ${HOME}/.config/mutt	556	blacklist ${HOME}/.config/mutt
555	blacklist ${HOME}/.config/mutter	557	blacklist ${HOME}/.config/mutter
@@ -977,6 +979,7 @@ blacklist ${HOME}/.local/share/meld
977	blacklist ${HOME}/.local/share/midori	979	blacklist ${HOME}/.local/share/midori
978	blacklist ${HOME}/.local/share/minder	980	blacklist ${HOME}/.local/share/minder
979	blacklist ${HOME}/.local/share/mirage	981	blacklist ${HOME}/.local/share/mirage
		982	blacklist ${HOME}/.local/share/mullvad-browser
980	blacklist ${HOME}/.local/share/multimc	983	blacklist ${HOME}/.local/share/multimc
981	blacklist ${HOME}/.local/share/multimc5	984	blacklist ${HOME}/.local/share/multimc5
982	blacklist ${HOME}/.local/share/mupen64plus	985	blacklist ${HOME}/.local/share/mupen64plus
@@ -1063,6 +1066,7 @@ blacklist ${HOME}/.mpd
1063	blacklist ${HOME}/.mpdconf	1066	blacklist ${HOME}/.mpdconf
1064	blacklist ${HOME}/.mplayer	1067	blacklist ${HOME}/.mplayer
1065	blacklist ${HOME}/.msmtprc	1068	blacklist ${HOME}/.msmtprc
		1069	blacklist ${HOME}/.mullvad/mullvadbrowser
1066	blacklist ${HOME}/.multimc5	1070	blacklist ${HOME}/.multimc5
1067	blacklist ${HOME}/.nanorc	1071	blacklist ${HOME}/.nanorc
1068	blacklist ${HOME}/.netactview	1072	blacklist ${HOME}/.netactview
@@ -1196,6 +1200,7 @@ blacklist ${HOME}/SoftMaker
1196	blacklist ${HOME}/Standard Notes Backups	1200	blacklist ${HOME}/Standard Notes Backups
1197	blacklist ${HOME}/TeamSpeak3-Client-linux_amd64	1201	blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
1198	blacklist ${HOME}/TeamSpeak3-Client-linux_x86	1202	blacklist ${HOME}/TeamSpeak3-Client-linux_x86
		1203	blacklist ${HOME}/UpdateInfo
1199	blacklist ${HOME}/hyperrogue.ini	1204	blacklist ${HOME}/hyperrogue.ini
1200	blacklist ${HOME}/i2p	1205	blacklist ${HOME}/i2p
1201	blacklist ${HOME}/mps	1206	blacklist ${HOME}/mps


diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile new file mode 100644 index 000000000..b9eb57743 --- /dev/null +++ b/etc/profile-m-z/mullvad-browser.profile
@@ -0,0 +1,97 @@
		1	# Firejail profile for mullvad-browser
		2	# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include mullvad-browser.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	# IMPORTANT ##########################################
		10	# The mullvad-browser can be downloaded from the official website
		11	# and installed manually or via the AUR for Arch Linux (derivatives).
		12	# The latter installs the browser under /opt/mullvad-browser, while
		13	# the former can be installed under ${HOME} just about anywhere.
		14	# If you decide to install it under ${HOME} this profile assumes to find
		15	# the browser files under ${HOME}/.local/share/mullvad-browser.
		16	# When you divert from that location you will need to make the needed
		17	# path adjustments yourself in the below instructions.
		18	####################################################
		19
		20	# If you installed under ${HOME}, put the below line in your
		21	# mullvad-browser.local
		22	# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
		23	# need to be uncommented for the 'apparmor' option to work as expected.
		24	#ignore noexec ${HOME}
		25
		26	noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
		27	noblacklist ${HOME}/.config/mullvad-browser-flags.conf
		28	noblacklist ${HOME}/.local/share/mullvad-browser
		29	noblacklist ${HOME}/.mullvad/mullvadbrowser
		30
		31	# Allow python 3 (blacklisted by disable-interpreters.inc)
		32	include allow-python3.inc
		33
		34	blacklist /srv
		35	blacklist /sys/class/net
		36	blacklist /usr/libexec
		37
		38	include disable-common.inc
		39	include disable-devel.inc
		40	include disable-exec.inc
		41	include disable-interpreters.inc
		42	include disable-proc.inc
		43	include disable-programs.inc
		44	include disable-xdg.inc
		45
		46	mkdir ${HOME}/.cache/mullvad/mullvadbrowser
		47	mkdir ${HOME}/.local/share/mullvad-browser
		48	mkdir ${HOME}/.mullvad/mullvadbrowser
		49	mkfile ${HOME}/.config/mullvad-browser-flags.conf
		50	whitelist ${DOWNLOADS}
		51	whitelist ${HOME}/.cache/mullvad/mullvadbrowser
		52	whitelist ${HOME}/.config/mullvad-browser-flags.conf
		53	whitelist ${HOME}/.local/share/mullvad-browser
		54	whitelist ${HOME}/.mullvad/mullvadbrowser
		55	whitelist /opt/mullvad-browser
		56	include whitelist-common.inc
		57	include whitelist-run-common.inc
		58	include whitelist-runuser-common.inc
		59	include whitelist-usr-share-common.inc
		60	include whitelist-var-common.inc
		61
		62	apparmor
		63	caps.drop all
		64	netfilter
		65	nodvd
		66	nogroups
		67	noinput
		68	nonewprivs
		69	noroot
		70	notv
		71	nou2f
		72	novideo
		73	protocol unix,inet,inet6
		74	seccomp !chroot
		75	seccomp.block-secondary
		76	#tracelog - may cause issues, see #1930
		77
		78	disable-mnt
		79	private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
		80	private-dev
		81	private-etc @tls-ca
		82	#private-opt mullvad-browser - can cause slow startup
		83	private-tmp
		84
		85	blacklist ${PATH}/curl
		86	blacklist ${PATH}/wget
		87	blacklist ${PATH}/wget2
		88
		89	dbus-user filter
		90	dbus-user.own org.mozilla.mullvadbrowser.*
		91	dbus-system none
		92
		93	# cfr. start-mullvad-browser
		94	# do not (try to) connect to the session manager
		95	rmenv SESSION_MANAGER
		96
		97	#restrict-namespaces


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2755968c9..8a8833968 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -579,6 +579,7 @@ ms-powerpoint
579	ms-skype	579	ms-skype
580	ms-word	580	ms-word
581	mtpaint	581	mtpaint
		582	mullvad-browser
582	multimc	583	multimc
583	multimc5	584	multimc5
584	mumble	585	mumble