From 6cdeac2f3682c6a2709b0e9977c0becd006819d1 Mon Sep 17 00:00:00 2001
From: hawkeye116477
Date: Tue, 30 May 2017 21:30:46 +0200
Subject: Add Firejail profile for Waterfox
---
 etc/waterfox.profile | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 etc/waterfox.profile
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
new file mode 100644
index 000000000..2a9670a0d
--- /dev/null
+++ b/etc/waterfox.profile
@@ -0,0 +1,71 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/waterfox.local
+
+# Firejail profile for Waterfox (based on Mozilla Firefox)
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.local/share/okular
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+# ipc-namespace crashes waterfox on some setups
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
+whitelist ~/.pki
+whitelist ~/.lastpass
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.local/share/okular
+
+# silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
+# private-dev might prevent video calls going out
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-70-g09d2
From ae4de575327be1f8ba8bc668622932c0c0fdfe0c Mon Sep 17 00:00:00 2001
From: hawkeye116477
Date: Tue, 30 May 2017 21:31:39 +0200
Subject: Update profile for Cyberfox
---
 etc/cyberfox.profile | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index 068131d25..c237e33ff 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -8,17 +8,25 @@ include /etc/firejail/cyberfox.local
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.local/share/okular
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
+# ipc-namespace crashes cyberfox on some setups
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
 
 whitelist ${DOWNLOADS}
@@ -35,8 +43,14 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.lastpass
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.local/share/okular
 
 # silverlight
 whitelist ~/.wine-pipelight
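Review bot: The new Waterfox profile whitelists `~/.mozilla` and `~/.cache/mozilla/firefox` (with matching `mkdir` lines), whereas the Cyberfox profile in the following commit grants that browser's own `~/.8pecxstudios` directory. If Waterfox keeps its data under its own directory rather than `~/.mozilla`, these lines expose the user's real Firefox profile (cookies, stored logins) to the sandboxed Waterfox while leaving Waterfox's own data outside the whitelist, so please confirm the directory Waterfox actually uses before merging. Separately, `# ipc-namespace crashes waterfox on some setups` sits beside no `ipc-namespace` directive, so it reads as a leftover rather than a deliberate omission; the Cyberfox commit's first hunk adds the same comment with only the name swapped. Rewording it as `# ipc-namespace intentionally omitted: crashes waterfox on some setups` (and the Cyberfox one likewise) makes the intent explicit for the next maintainer.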
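Review bot: `mkdir ~/.pki` is added ahead of `whitelist ~/.pki` in the second hunk, but nothing in this change does the same for the browser's own `~/.8pecxstudios` directory, which is noblacklisted in the first hunk and presumably whitelisted earlier in this file, outside the hunks shown. The Waterfox profile in the preceding commit pairs `mkdir ~/.mozilla` with its whitelist, and the inconsistency between the two commits is worth resolving. If the earlier lines of the file carry no `mkdir ~/.8pecxstudios`, consider adding it before that whitelist so a first run in a fresh home has the directory in place when the whitelist is applied; whether firejail merely warns and skips a whitelist of a missing directory is inferred here, so verify against the targeted firejail version.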
@@ -47,4 +61,11 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
+# private-dev might prevent video calls going out
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-70-g09d2