From 92be701355d9c25e4c5fc0e80a15874fb1b69ea0 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 13 May 2018 12:23:16 -0400
Subject: profile fixes for 0.9.52 (Ubuntu 18.04) in etc-fixes directory
---
etc-fixes/0.9.52/firefox.profile | 96 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100644 etc-fixes/0.9.52/firefox.profile
(limited to 'etc-fixes/0.9.52/firefox.profile')
diff --git a/etc-fixes/0.9.52/firefox.profile b/etc-fixes/0.9.52/firefox.profile
new file mode 100644
index 000000000..6b19b14df
--- /dev/null
+++ b/etc-fixes/0.9.52/firefox.profile
@@ -0,0 +1,96 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+#seccomp - replaced with seccomp.drop for Firefox 60
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+#tracelog - disabled for Firefox 60
+
+disable-mnt
+# firefox requires a shell to launch on Arch.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
--
cgit v1.2.3-54-g00ecf
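Review bot: The `whitelist ${HOME}/.local/share/gnome-shell/extensions` line stays active although the matching `noblacklist` for the same path is commented out, so the two halves of that rule disagree. A whitelisted directory is normally writable from inside the sandbox, and GNOME Shell extensions are loaded by the desktop session outside it, so this path is a way for a compromised browser process to persist beyond the jail. If the shell-integration feature is not required, comment the whitelist out as well (`# whitelist ${HOME}/.local/share/gnome-shell/extensions`); otherwise follow it with `read-only ${HOME}/.local/share/gnome-shell/extensions`, after confirming the integration still works. Separately, the `seccomp.drop` line is a frozen copy of a syscall list and the comment above it does not say which calls were left out for Firefox 60; naming them in that comment would let a later maintainer tell when the plain `seccomp` default can be restored.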