From e4913eb9cb2188f8b556b00ec0e713e11226126b Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 22 Jul 2023 12:38:28 +0000
Subject: Create mullvad-browser.profile (#5887)

Homepage: https://mullvad.net/en/download/browser/linux

mullvad-browser: don't use restrict-namespaces

mullvad-browser: cover both installation paths

Suggested in review by @kmk3.
---
 etc/apparmor/firejail-local | 3 +
 etc/inc/disable-programs.inc | 5 ++
 etc/profile-m-z/mullvad-browser.profile | 97 +++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 1 +
 4 files changed, 106 insertions(+)
 create mode 100644 etc/profile-m-z/mullvad-browser.profile

diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index 557204d75..a81600dfa 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -20,5 +20,8 @@
 # Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
 #owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
+# Uncomment to opt-in to apparmor for mullvad-browser under ${HOME}
+#owner @{HOME}/.local/share/mullvad-browser/** ix, + +# Uncomment to opt-in to apparmor for torbrowser-launcher
 #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a1490ee60..29d5a8700 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -178,6 +178,7 @@ blacklist ${HOME}/.cache/ms-outlook-online
 blacklist ${HOME}/.cache/ms-powerpoint-online
 blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mullvad/mullvadbrowser
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
@@ -550,6 +551,7 @@ blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/mullvad-browser-flags.conf
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/mutt
 blacklist ${HOME}/.config/mutter
@@ -977,6 +979,7 @@ blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/minder
 blacklist ${HOME}/.local/share/mirage
+blacklist ${HOME}/.local/share/mullvad-browser
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
@@ -1063,6 +1066,7 @@ blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
@@ -1196,6 +1200,7 @@ blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
 blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/UpdateInfo
 blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/i2p
 blacklist ${HOME}/mps
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
new file mode 100644
index 000000000..b9eb57743
--- /dev/null
+++ b/etc/profile-m-z/mullvad-browser.profile
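Review bot: `blacklist ${HOME}/UpdateInfo` in the last hunk is the only path added here that the new profile neither noblacklists nor whitelists, unlike the four mullvad-specific paths in the earlier hunks. If the browser's own updater writes there (the generic name suggests an updater artefact, but nothing in this hunk shows which program creates it), the sandboxed browser will not see the directory at all because the profile is whitelist-based; if it does not, the entry hides an unrelated user directory from every other profile that includes disable-programs.inc. Either add the matching `noblacklist ${HOME}/UpdateInfo` / `whitelist ${HOME}/UpdateInfo` pair in mullvad-browser.profile, or record the origin of the generic name next to the entry, e.g. `# ${HOME}/UpdateInfo is created by mullvad-browser's updater`.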
@@ -0,0 +1,97 @@
+# Firejail profile for mullvad-browser
+# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mullvad-browser.local
+# Persistent global definitions
+include globals.local
+
+# IMPORTANT ##########################################
+# The mullvad-browser can be downloaded from the official website
+# and installed manually or via the AUR for Arch Linux (derivatives).
+# The latter installs the browser under /opt/mullvad-browser, while
+# the former can be installed under ${HOME} just about anywhere.
+# If you decide to install it under ${HOME} this profile assumes to find
+# the browser files under ${HOME}/.local/share/mullvad-browser.
+# When you divert from that location you will need to make the needed
+# path adjustments yourself in the below instructions.
+####################################################
+
+# If you installed under ${HOME}, put the below line in your
+# mullvad-browser.local
+# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
+# need to be uncommented for the 'apparmor' option to work as expected.
+#ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
+noblacklist ${HOME}/.config/mullvad-browser-flags.conf
+noblacklist ${HOME}/.local/share/mullvad-browser
+noblacklist ${HOME}/.mullvad/mullvadbrowser
+
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /srv
+blacklist /sys/class/net
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mullvad/mullvadbrowser
+mkdir ${HOME}/.local/share/mullvad-browser
+mkdir ${HOME}/.mullvad/mullvadbrowser
+mkfile ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/mullvad/mullvadbrowser
+whitelist ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${HOME}/.local/share/mullvad-browser
+whitelist ${HOME}/.mullvad/mullvadbrowser
+whitelist /opt/mullvad-browser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+#tracelog - may cause issues, see #1930
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc @tls-ca
+#private-opt mullvad-browser - can cause slow startup
+private-tmp
+
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
+dbus-user filter
+dbus-user.own org.mozilla.mullvadbrowser.*
+dbus-system none
+
+# cfr. start-mullvad-browser
+# do not (try to) connect to the session manager
+rmenv SESSION_MANAGER
+
+#restrict-namespaces
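Review bot: The recommended `ignore noexec ${HOME}` in the install-under-${HOME} instructions drops the noexec mount flag for the whole home directory inside the sandbox, not just the browser tree, so the `whitelist ${DOWNLOADS}` directory becomes executable too and a payload saved by the browser can be run straight from its own download folder — the case the `noexec` (presumably coming from the included disable-exec.inc; its origin is not visible here) exists to prevent. The comment block should state that trade-off, e.g. `# Warning: this also makes ${DOWNLOADS} executable inside the sandbox; prefer the /opt install where possible`, since the IMPORTANT note above presents the two install paths as equivalent. Separately, `include allow-python3.inc` together with `python*` in `private-bin` re-enables an interpreter inside a browser sandbox, but the comment only says python is blacklisted by disable-interpreters.inc, not what consumes it; record the consumer (a launcher or updater script, if that is the reason) or drop both lines if nothing in start-mullvad-browser needs it.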
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 2755968c9..8a8833968 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -579,6 +579,7 @@ ms-powerpoint
 ms-skype
 ms-word
 mtpaint
+mullvad-browser
 multimc
 multimc5
 mumble
-- cgit v1.2.3-70-g09d2