1 files changed, 33 insertions, 19 deletions
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile
index b1a26c3ea..bfb7b9d87 100644
--- a/etc/yandex-browser.profile
+++ b/etc/yandex-browser.profile
@@ -1,28 +1,42 @@
-# Chromium browser profile
+# Firejail profile for yandex-browser
-noblacklist ~/.config/yandex-browser-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/yandex-browser.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ~/.cache/yandex-browser
 noblacklist ~/.cache/yandex-browser-beta
+noblacklist ~/.config/yandex-browser
+noblacklist ~/.config/yandex-browser-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
-# chromium is distributed with a perl script on Arch
+mkdir ~/.cache/yandex-browser
-# include /etc/firejail/disable-devel.inc
-#
-netfilter
-whitelist ${DOWNLOADS}
-mkdir ~/.config/yandex-browser-beta
-whitelist ~/.config/yandex-browser-beta
 mkdir ~/.cache/yandex-browser-beta
-whitelist ~/.cache/yandex-browser-beta
+mkdir ~/.config/yandex-browser
+mkdir ~/.config/yandex-browser-beta
 mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/yandex-browser
+whitelist ~/.cache/yandex-browser-beta
+whitelist ~/.config/yandex-browser
+whitelist ~/.config/yandex-browser-beta
 whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+caps.keep sys_chroot,sys_admin
+netfilter
+nodvd
+nogroups
+notv
+shell none
-# lastpass, keepassx
+private-dev
-whitelist ~/.keepassx
+# private-tmp - problems with multiple browser sessions
-whitelist ~/.config/keepassx
-whitelist ~/keepassx.kdbx
-whitelist ~/.lastpass
-whitelist ~/.config/lastpass
-include /etc/firejail/whitelist-common.inc
+noexec ${HOME}
+noexec /tmp

diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile index b1a26c3ea..bfb7b9d87 100644 --- a/etc/yandex-browser.profile +++ b/etc/yandex-browser.profile
@@ -1,28 +1,42 @@
1	# Chromium browser profile	1	# Firejail profile for yandex-browser
2	noblacklist ~/.config/yandex-browser-beta	2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/yandex-browser.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ~/.cache/yandex-browser
3	noblacklist ~/.cache/yandex-browser-beta	9	noblacklist ~/.cache/yandex-browser-beta
		10	noblacklist ~/.config/yandex-browser
		11	noblacklist ~/.config/yandex-browser-beta
		12	noblacklist ~/.pki
		13
4	include /etc/firejail/disable-common.inc	14	include /etc/firejail/disable-common.inc
		15	include /etc/firejail/disable-devel.inc
5	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
6		17
7	# chromium is distributed with a perl script on Arch	18	mkdir ~/.cache/yandex-browser
8	# include /etc/firejail/disable-devel.inc
9	#
10
11	netfilter
12
13	whitelist ${DOWNLOADS}
14	mkdir ~/.config/yandex-browser-beta
15	whitelist ~/.config/yandex-browser-beta
16	mkdir ~/.cache/yandex-browser-beta	19	mkdir ~/.cache/yandex-browser-beta
17	whitelist ~/.cache/yandex-browser-beta	20	mkdir ~/.config/yandex-browser
		21	mkdir ~/.config/yandex-browser-beta
18	mkdir ~/.pki	22	mkdir ~/.pki
		23	whitelist ${DOWNLOADS}
		24	whitelist ~/.cache/yandex-browser
		25	whitelist ~/.cache/yandex-browser-beta
		26	whitelist ~/.config/yandex-browser
		27	whitelist ~/.config/yandex-browser-beta
19	whitelist ~/.pki	28	whitelist ~/.pki
		29	include /etc/firejail/whitelist-common.inc
		30
		31	caps.keep sys_chroot,sys_admin
		32	netfilter
		33	nodvd
		34	nogroups
		35	notv
		36	shell none
20		37
21	# lastpass, keepassx	38	private-dev
22	whitelist ~/.keepassx	39	# private-tmp - problems with multiple browser sessions
23	whitelist ~/.config/keepassx
24	whitelist ~/keepassx.kdbx
25	whitelist ~/.lastpass
26	whitelist ~/.config/lastpass
27		40
28	include /etc/firejail/whitelist-common.inc	41	noexec ${HOME}
		42	noexec /tmp