-rw-r--r-- | etc/apparmor/firejail-local | 3 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 5 | ||||
-rw-r--r-- | etc/profile-m-z/mullvad-browser.profile | 97 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
4 files changed, 106 insertions, 0 deletions
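--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -20,5 +20,8 @@
 # Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
 #owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
 
+# Uncomment to opt-in to apparmor for mullvad-browser under ${HOME}
+#owner @{HOME}/.local/share/mullvad-browser/** ix,
+
 # Uncomment to opt-in to apparmor for torbrowser-launcher
 #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,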
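--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -178,6 +178,7 @@ blacklist ${HOME}/.cache/ms-outlook-online
 blacklist ${HOME}/.cache/ms-powerpoint-online
 blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mullvad/mullvadbrowser
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
@@ -550,6 +551,7 @@ blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/mullvad-browser-flags.conf
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/mutt
 blacklist ${HOME}/.config/mutter
@@ -977,6 +979,7 @@ blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/minder
 blacklist ${HOME}/.local/share/mirage
+blacklist ${HOME}/.local/share/mullvad-browser
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
@@ -1063,6 +1066,7 @@ blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
@@ -1196,6 +1200,7 @@ blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
 blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/UpdateInfo
 blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/i2p
 blacklist ${HOME}/mps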
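Review bot: The entry `blacklist ${HOME}/UpdateInfo` in the last hunk is the only one of the five additions that has no matching noblacklist/whitelist in the new mullvad-browser.profile, and its name does not identify the program that owns it, unlike the four mullvad-prefixed paths. Presumably it is a file the browser's own updater writes to ${HOME}; if so, a short marker next to the line, such as `# mullvad-browser updater`, would let future maintainers tell it apart from unrelated software using the same generic name. If instead the browser needs it while sandboxed, the profile would also need a matching whitelist entry; that cannot be confirmed from this diff.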
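--- /dev/null
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -0,0 +1,97 @@
+# Firejail profile for mullvad-browser
+# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mullvad-browser.local
+# Persistent global definitions
+include globals.local
+
+# IMPORTANT ##########################################
+# The mullvad-browser can be downloaded from the official website
+# and installed manually or via the AUR for Arch Linux (derivatives).
+# The latter installs the browser under /opt/mullvad-browser, while
+# the former can be installed under ${HOME} just about anywhere.
+# If you decide to install it under ${HOME} this profile assumes to find
+# the browser files under ${HOME}/.local/share/mullvad-browser.
+# When you divert from that location you will need to make the needed
+# path adjustments yourself in the below instructions.
+####################################################
+
+# If you installed under ${HOME}, put the below line in your
+# mullvad-browser.local
+# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
+# need to be uncommented for the 'apparmor' option to work as expected.
+#ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
+noblacklist ${HOME}/.config/mullvad-browser-flags.conf
+noblacklist ${HOME}/.local/share/mullvad-browser
+noblacklist ${HOME}/.mullvad/mullvadbrowser
+
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /srv
+blacklist /sys/class/net
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mullvad/mullvadbrowser
+mkdir ${HOME}/.local/share/mullvad-browser
+mkdir ${HOME}/.mullvad/mullvadbrowser
+mkfile ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/mullvad/mullvadbrowser
+whitelist ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${HOME}/.local/share/mullvad-browser
+whitelist ${HOME}/.mullvad/mullvadbrowser
+whitelist /opt/mullvad-browser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+#tracelog - may cause issues, see #1930
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc @tls-ca
+#private-opt mullvad-browser - can cause slow startup
+private-tmp
+
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
+dbus-user filter
+dbus-user.own org.mozilla.mullvadbrowser.*
+dbus-system none
+
+# cfr. start-mullvad-browser
+# do not (try to) connect to the session manager
+rmenv SESSION_MANAGER
+
+#restrict-namespaces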
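Review bot: The instruction at line 24, `#ignore noexec ${HOME}`, drops the noexec mount for everything this profile exposes under ${HOME}, which presumably includes `${DOWNLOADS}` (whitelisted at line 50) and the cache/config directories, not just the browser's own tree under .local/share; the comment block at lines 20-23 does not mention that. A user who follows the install-under-${HOME} path should be told that the trade-off is wider than the browser directory, since nothing in firejail scopes the exception to one path. Suggest adding after line 23: `# Note: this lifts noexec for every whitelisted ${HOME} path, including ${DOWNLOADS}; prefer the /opt install if you do not need it.` The same caveat could be echoed next to the matching apparmor opt-in in etc/apparmor/firejail-local, since both are needed together per line 22-23.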
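--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -579,6 +579,7 @@ ms-powerpoint
 ms-skype
 ms-word
 mtpaint
+mullvad-browser
 multimc
 multimc5
 mumble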