From 6cdeac2f3682c6a2709b0e9977c0becd006819d1 Mon Sep 17 00:00:00 2001
From: hawkeye116477
Date: Tue, 30 May 2017 21:30:46 +0200
Subject: Add Firejail profile for Waterfox
---
etc/waterfox.profile | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 etc/waterfox.profile
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
new file mode 100644
index 000000000..2a9670a0d
--- /dev/null
+++ b/etc/waterfox.profile
@@ -0,0 +1,71 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/waterfox.local
+
+# Firejail profile for Waterfox (based on Mozilla Firefox)
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.local/share/okular
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+# ipc-namespace crashes waterfox on some setups
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
+whitelist ~/.pki
+whitelist ~/.lastpass
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.local/share/okular
+
+# silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
+# private-dev might prevent video calls going out
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- cgit v1.2.3-54-g00ecf
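Review bot: The whitelist block exposes more of the home directory than a browser sandbox needs: `whitelist ~/.lastpass`, `whitelist ~/.zotero` and the four pipelight entries make password-manager, reference-manager and Wine plugin data visible to anything running inside the sandbox. The list looks carried over from the Firefox profile (the header says this profile is based on it), so it would be safer to keep only the paths Waterfox itself needs and leave the optional ones to `waterfox.local`, which the profile already includes. Separately, `private-dev` and `private-tmp` sit under `# experimental features`, directly after a comment warning that private-dev may break video calls, yet both are active. A comment such as `# private-dev is enabled; comment it out if outgoing video calls fail` would make the intent clear.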