From 2297257745fd568b1f042139b7e3bfa2830eb500 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 1 Oct 2022 19:23:19 +0000
Subject: Harden qutebrowser profile
---
 etc/profile-m-z/qutebrowser.profile | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'etc')
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..e15db2ea5 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -16,6 +16,7 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -28,6 +29,7 @@ whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
 include whitelist-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,3 +40,19 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
 seccomp !chroot,!name_to_handle_at
 # tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.mpris.MediaPlayer2.*
+# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+dbus-system none
-- 
cgit v1.2.3-70-g09d2
From 8685f25445bd5df8b6d1dc82c312b01a9fb92135 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 2 Oct 2022 05:55:46 +0000
Subject: unbreak D-Bus mpris support
---
 etc/profile-m-z/qutebrowser.profile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'etc')
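Review bot: `include disable-exec.inc` at +19 makes, as far as I recall, ${HOME} and /tmp noexec, and qutebrowser userscripts are normally run from under ${HOME}/.local/share/qutebrowser, a path this same commit whitelists in the next hunk, so they would stop working without any error in the profile itself. If that trade-off is intended it deserves a comment next to the include, e.g. `# disable-exec.inc makes ${HOME} noexec; userscripts need 'ignore include disable-exec.inc' in qutebrowser.local`. The userscripts location is inferred from the whitelisted path rather than from this hunk, so confirm it before wording the comment.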
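Review bot: The `#ignore noroot` hint at the end of the last hunk tells users to drop `noroot` without saying what it costs: `noroot` is the user namespace that keeps the real root account out of the sandbox, so re-enabling it is a genuine loss of isolation rather than a compatibility toggle, and the `noroot` line itself is not in this hunk, so it is presumably set elsewhere in the profile. Suggest rewording the two comment lines to `# If screen sharing still fails with the line above (depends on the portal implementation), add the next line` and `# to qutebrowser.local; it removes the root-hiding user namespace, so try it last.`, which also fixes the doubled "sharing sharing".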
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index e15db2ea5..d41235b08 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -47,9 +47,10 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
-dbus-user filter
-dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.mpris.MediaPlayer2.*
+# to-do: mpris support https://github.com/netblue30/firejail/pull/5389#issuecomment-1264556158
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.mpris.MediaPlayer2.*
 # Add the next line to your qutebrowser.local to allow screen sharing under wayland.
 #dbus-user.talk org.freedesktop.portal.Desktop
 # Add the next line to your qutebrowser.local if screen sharing sharing still does not work
-- 
cgit v1.2.3-70-g09d2
From f2ba0b4a228fa929750781995fc0bf4daba3b43e Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 2 Oct 2022 06:01:09 +0000
Subject: Fix D-Bus mpris support
---
 etc/profile-m-z/qutebrowser.profile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'etc')
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index d41235b08..5b254c58b 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
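Review bot: Commenting out `dbus-user filter` at +50 does not merely drop the two talk rules, it removes the session-bus proxy altogether, so the browser presumably falls back to the unfiltered default session-bus access until the to-do is resolved — a wider opening than the mpris breakage it works around. The narrower interim fix is to keep `dbus-user filter` and grant the name the player needs to register with a `dbus-user.own` rule, rather than disabling filtering. If the filter has to come out while this is investigated, a comment such as `# session bus is currently unfiltered, see to-do above` would tell the next reader what actually changed.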
@@ -47,10 +47,9 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
-# to-do: mpris support https://github.com/netblue30/firejail/pull/5389#issuecomment-1264556158
-#dbus-user filter
-#dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.mpris.MediaPlayer2.*
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
+dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your qutebrowser.local to allow screen sharing under wayland.
 #dbus-user.talk org.freedesktop.portal.Desktop
 # Add the next line to your qutebrowser.local if screen sharing sharing still does not work
-- 
cgit v1.2.3-70-g09d2
From 669c18c606893be64011d6b76763243db1b79b9c Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 3 Oct 2022 18:32:54 +0000
Subject: Harden qutebrowser
---
 etc/profile-m-z/qutebrowser.profile | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'etc')
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index 5b254c58b..ae62c0b89 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -19,6 +22,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
@@ -27,7 +31,12 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qutebrowser
 whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
+whitelist /usr/share/qtbrowser
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
-- 
cgit v1.2.3-70-g09d2
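Review bot: `whitelist /usr/share/qtbrowser` at +34 looks like a misspelling of the package's data directory, `/usr/share/qutebrowser`; a whitelist for a path that does not exist silently allows nothing, and because this hunk also adds `include whitelist-usr-share-common.inc`, which as I recall turns /usr/share into an allow-list, the real directory would end up hidden from the sandbox. Check the installed file list and change the line to `whitelist /usr/share/qutebrowser` if that is the intended path.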