1 files changed, 97 insertions, 0 deletions

diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
new file mode 100644
index 000000000..b9eb57743
--- /dev/null
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -0,0 +1,97 @@
+# Firejail profile for mullvad-browser
+# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mullvad-browser.local
+# Persistent global definitions
+include globals.local
+
+# IMPORTANT ##########################################
+# The mullvad-browser can be downloaded from the official website
+# and installed manually or via the AUR for Arch Linux (derivatives).
+# The latter installs the browser under /opt/mullvad-browser, while
+# the former can be installed under ${HOME} just about anywhere.
+# If you decide to install it under ${HOME} this profile assumes to find
+# the browser files under ${HOME}/.local/share/mullvad-browser.
+# When you divert from that location you will need to make the needed
+# path adjustments yourself in the below instructions.
+####################################################
+
+# If you installed under ${HOME}, put the below line in your
+# mullvad-browser.local
+# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
+# need to be uncommented for the 'apparmor' option to work as expected.
+#ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
+noblacklist ${HOME}/.config/mullvad-browser-flags.conf
+noblacklist ${HOME}/.local/share/mullvad-browser
+noblacklist ${HOME}/.mullvad/mullvadbrowser
+
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /srv
+blacklist /sys/class/net
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mullvad/mullvadbrowser
+mkdir ${HOME}/.local/share/mullvad-browser
+mkdir ${HOME}/.mullvad/mullvadbrowser
+mkfile ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/mullvad/mullvadbrowser
+whitelist ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${HOME}/.local/share/mullvad-browser
+whitelist ${HOME}/.mullvad/mullvadbrowser
+whitelist /opt/mullvad-browser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+#tracelog - may cause issues, see #1930
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc @tls-ca
+#private-opt mullvad-browser - can cause slow startup
+private-tmp
+
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
+dbus-user filter
+dbus-user.own org.mozilla.mullvadbrowser.*
+dbus-system none
+
+# cfr. start-mullvad-browser
+# do not (try to) connect to the session manager
+rmenv SESSION_MANAGER
+
+#restrict-namespaces