From df2f568041fd926a217812523399b059bc888233 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sun, 11 Feb 2018 15:27:30 -0500
Subject: Unify all Chromium and Firefox based browser profiles as part of #1773
---
 etc/abrowser.profile | 36 ++--------------
 etc/bnox.profile | 23 +----------
 etc/brave.profile | 26 +-----------
 etc/chromium-common.profile | 32 ++++++++++++++
 etc/chromium.profile | 24 +----------
 etc/cliqz.profile | 78 ++++------------------------
 etc/cyberfox.profile | 57 +------------------------
 etc/dnox.profile | 23 +----------
 etc/firefox-common.profile | 85 ++++++++++++++++++++++++++++++++++++++
 etc/firefox.profile | 77 +---------------------------
 etc/flashpeak-slimjet.profile | 26 +-----------
 etc/google-chrome-beta.profile | 23 +----------
 etc/google-chrome-unstable.profile | 23 +----------
 etc/google-chrome.profile | 25 +---------
 etc/icecat.profile | 39 ++--------------
 etc/inox.profile | 23 +----------
 etc/iridium.profile | 24 +----------
 etc/opera-beta.profile | 17 ++------
 etc/opera.profile | 16 +------
 etc/palemoon.profile | 45 ++------------------
 etc/vivaldi.profile | 22 +--------
 etc/waterfox.profile | 68 ++---------------------------
 etc/yandex-browser.profile | 24 +---------
 23 files changed, 170 insertions(+), 666 deletions(-)
 create mode 100644 etc/chromium-common.profile
 create mode 100644 etc/firefox-common.profile
(limited to 'etc')
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 5c964bad1..01f60b559 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -7,42 +7,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/abrowser
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
+# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,abrowser,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/bnox.profile b/etc/bnox.profile
index 4270755c8..3207a2923 100644
--- a/etc/bnox.profile
+++ b/etc/bnox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/bnox
 mkdir ${HOME}/.config/bnox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/bnox
 whitelist ${HOME}/.config/bnox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index 668e8a244..cef1d0951 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -8,31 +8,9 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/brave
 # brave uses gpg for built-in password manager
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.config/brave
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/KeePass
 whitelist ${HOME}/.config/brave
-whitelist ${HOME}/.config/keepass
-whitelist ${HOME}/.config/lastpass
-whitelist ${HOME}/.keepass
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-# caps.drop all
-netfilter
-# nonewprivs
-# noroot
-nodvd
-notv
-# protocol unix,inet,inet6,netlink
-# seccomp
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
new file mode 100644
index 000000000..5c5215309
--- /dev/null
+++ b/etc/chromium-common.profile
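Review bot: The brave hunk drops `whitelist ${HOME}/.config/KeePass`, `whitelist ${HOME}/.config/keepass`, `whitelist ${HOME}/.config/lastpass`, `whitelist ${HOME}/.keepass` and `whitelist ${HOME}/.lastpass` without carrying them into chromium-common.profile, so once whitelist-common.inc is applied by the redirect those directories vanish from Brave's view of $HOME and any password-manager integration that reads them fails silently. If they are still wanted they belong in brave.profile above the `# Redirect` include, next to the remaining `whitelist ${HOME}/.config/brave` line. Separately, the removed lines show Brave ran with `# caps.drop all`, `# nonewprivs`, `# noroot`, `# protocol` and `# seccomp` deliberately commented out, whereas chromium-common.profile now adds `caps.keep sys_chroot,sys_admin`, `shell none`, `private-dev` and `noexec` that this profile never had; that is a behaviour change worth a test run and a one-line comment in brave.profile recording that the common restrictions were verified to work.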
@@ -0,0 +1,32 @@
+# Firejail profile for chromium-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/chromium-common.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.keep sys_chroot,sys_admin
+netfilter
+nodvd
+nogroups
+notv
+shell none
+
+disable-mnt
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 64d790121..ad9f9af33 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -8,34 +8,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/chromium
 noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/chromium-flags.conf
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-disable-mnt
 # private-bin chromium,chromium-browser,chromedriver
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
index 086dfa233..b4e299337 100644
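Review bot: The new chromium-common.profile applies `disable-mnt` and `include /etc/firejail/disable-devel.inc` to every profile that redirects to it, which is a silent behaviour change for bnox, dnox, inox, iridium, google-chrome-beta and google-chrome-unstable: none of those had `disable-mnt` before, and bnox, dnox, inox and iridium did not include disable-devel.inc (iridium's removed comment says its Arch package ships a perl script, which that include will block). Downloads to removable media and any such helper script will stop working in those browsers, so either the tightening should be called out in the commit message or those profiles need a local exception. The file would also benefit from a header comment explaining why it uses `caps.keep sys_chroot,sys_admin` instead of the `caps.drop all`/`seccomp`/`nonewprivs`/`noroot` set that firefox-common.profile uses — presumably because the browser's internal sandbox needs those capabilities — for example `# caps.keep sys_chroot,sys_admin: required by the browser's own sandbox; caps.drop all/seccomp/nonewprivs/noroot break it` (confirm the reason before committing it).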
--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -7,77 +7,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/cliqz
 noblacklist ${HOME}/.config/cliqz
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${HOME}/.pki
+mkdir ${HOME}/.cache/cliqz
+mkdir ${HOME}/.config/cliqz
+whitelist ${HOME}/.cache/cliqz
+whitelist ${HOME}/.config/cliqz
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,cliqz,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
-mkdir ${HOME}/.cache/mozilla/firefox
-mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index 66cd27461..be9e62123 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -7,67 +7,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.8pecxstudios
 noblacklist ${HOME}/.cache/8pecxstudios
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-disable-mnt
 # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
-private-dev
-private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/dnox.profile b/etc/dnox.profile
index d6626c048..505884ca6 100644
--- a/etc/dnox.profile
+++ b/etc/dnox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/dnox
 mkdir ${HOME}/.config/dnox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/dnox
 whitelist ${HOME}/.config/dnox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
new file mode 100644
index 000000000..962080c58
--- /dev/null
+++ b/etc/firefox-common.profile
@@ -0,0 +1,85 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox-common.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 079cb1536..15ca094f1 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
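Review bot: In the new firefox-common.profile `whitelist ${HOME}/.local/share/gnome-shell/extensions` is active while its counterpart `# noblacklist ${HOME}/.local/share/gnome-shell/extensions` above the include block is commented out; if any of the disable-*.inc files that are included blacklists that path, the blacklist still wins and the whitelist line does nothing, so the pair should be either both enabled or both commented (`# whitelist ${HOME}/.local/share/gnome-shell/extensions`). The inconsistency is inherited from firefox.profile, cliqz.profile and waterfox.profile, but now it lands in one shared file where fixing it once is cheap. It would also help to note why this file enables `private-tmp` when chromium-common.profile keeps it disabled with `# private-tmp - problems with multiple browser sessions`, so a later reader does not assume one of the two is an oversight.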
@@ -6,90 +6,17 @@ include /etc/firejail/firefox.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/kget
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/kgetrc
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/kget
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/kgetrc
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
-#machine-id
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-disable-mnt
 # firefox requires a shell to launch on Arch.
 # private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
-private-tmp
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index d9be8b9c5..63f9d19a9 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -5,35 +5,13 @@ include /etc/firejail/flashpeak-slimjet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# This is a whitelisted profile, the internal browser sandbox
-# is disabled because it requires sudo password. The command
-# to run it is as follows:
-# firejail flashpeak-slimjet --no-sandbox
-
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/slimjet
 mkdir ${HOME}/.config/slimjet
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/slimjet
 whitelist ${HOME}/.config/slimjet
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 9c7306b85..ab16558ea 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
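Review bot: For flashpeak-slimjet this redirect weakens the sandbox rather than unifying it: the removed lines carried `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp`, and chromium-common.profile replaces them with `caps.keep sys_chroot,sys_admin` and none of seccomp, nonewprivs or noroot. The deleted header comment explained that this profile was written for running the browser with its internal sandbox off (`firejail flashpeak-slimjet --no-sandbox`), which is presumably what made the stricter set workable, and that rationale disappears with it. If the --no-sandbox workflow is still the intended one, keep the stricter directives and the explanatory comment in flashpeak-slimjet.profile (verifying that they still take effect when layered on top of the included common profile); otherwise the commit message should say that Slimjet now runs with the Chromium capability set.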
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index bb05b3e99..b7d0eccf3 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 19ebfa974..6e44190ae 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -7,32 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 9e5526c95..1470d4b12 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -7,46 +7,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/icecat
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# private-etc icecat,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/inox.profile b/etc/inox.profile
index fbc654434..652761c54 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/inox
 whitelist ${HOME}/.config/inox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/iridium.profile b/etc/iridium.profile
index 76026722f..2869c3070 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -8,30 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
-include /etc/firejail/disable-common.inc
-# chromium/iridium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/iridium
 whitelist ${HOME}/.config/iridium
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 3fe86d26c..38a3152d2 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -5,24 +5,13 @@ include /etc/firejail/opera-beta.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/opera.profile b/etc/opera.profile
index fed7564b2..c0138c555 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -8,25 +8,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera
 mkdir ${HOME}/.opera
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera
 whitelist ${HOME}/.opera
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 1112a9bb7..e59f20e9d 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -8,53 +8,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/moonchild productions/pale moon
 noblacklist ${HOME}/.moonchild productions/pale moon
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-# These are uncommented in the Firefox profile. If you run into trouble you may
-# want to uncomment (some of) them.
-#whitelist ${HOME}/dwhelper
-#whitelist ${HOME}/.zotero
-#whitelist ${HOME}/.vimperatorrc
-#whitelist ${HOME}/.vimperator
-#whitelist ${HOME}/.pentadactylrc
-#whitelist ${HOME}/.pentadactyl
-#whitelist ${HOME}/.keysnail.js
-#whitelist ${HOME}/.config/gnome-mplayer
-#whitelist ${HOME}/.cache/gnome-mplayer/plugin
-#whitelist ${HOME}/.pki
-#whitelist ${HOME}/.lastpass
-
-# For silverlight
-#whitelist ${HOME}/.wine-pipelight
-#whitelist ${HOME}/.wine-pipelight64
-#whitelist ${HOME}/.config/pipelight-widevine
-#whitelist ${HOME}/.config/pipelight-silverlight5.1
-
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 # private-bin palemoon
-# private-dev (disabled for now as it will interfere with webcam use in palemoon)
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,palemoon,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
 # private-opt palemoon
-private-tmp
-disable-mnt
+# Redirect
+include /etc/firejail/firefox-common.profile
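Review bot: palemoon.profile deliberately kept `private-dev` off with the removed line `# private-dev (disabled for now as it will interfere with webcam use in palemoon)`, but the redirect to firefox-common.profile now enables `private-dev` unconditionally, so the webcam breakage that comment warned about comes back for Pale Moon; the same include also newly applies `noexec ${HOME}` and `noexec /tmp`, which the old profile did not have. If the webcam exception is still wanted, the decision should be recorded in the profile rather than lost, for example `# private-dev is set by firefox-common.profile and is known to interfere with webcam use; relax it in palemoon.local if needed` above the redirect, or the commit message should state that the exception was intentionally dropped.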
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 3a1f72f23..aeef58292 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -8,28 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/vivaldi
 noblacklist ${HOME}/.config/vivaldi
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.config/vivaldi
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index b2abb3a5f..521295dfa 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -7,83 +7,21 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.cache/waterfox
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.waterfox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.cache/waterfox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
 # private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
+# private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile
index 1c7769727..fdb7694a5 100644
--- a/etc/yandex-browser.profile
+++ b/etc/yandex-browser.profile
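Review bot: The twelve Okular/qpdfview `noblacklist` lines, their matching `whitelist` lines and `whitelist ${HOME}/.local/share/gnome-shell/extensions` are removed from this profile, and nothing in the hunk says whether firefox-common.profile carries them; if it does not, handing PDFs from Waterfox to Okular/qpdfview loses access to their configuration, which tightens the sandbox but is an undocumented behaviour change inside a refactoring commit. Worth one sentence in the commit message or a comment such as `# Okular/qpdfview integration removed; re-add its noblacklist/whitelist lines in waterfox.local if needed`. Also note the old profile had `whitelist ${HOME}/.local/share/gnome-shell/extensions` active while its `noblacklist` counterpart was commented out, so that directory was already inconsistently handled before this change.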
@@ -9,35 +9,15 @@ noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser
 noblacklist ${HOME}/.config/yandex-browser-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/yandex-browser
 whitelist ${HOME}/.cache/yandex-browser-beta
 whitelist ${HOME}/.config/yandex-browser
 whitelist ${HOME}/.config/yandex-browser-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
-noexec /tmp
 
+# Redirect
+include /etc/firejail/chromium-common.profile
-- cgit v1.2.3-70-g09d2
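Review bot: `noblacklist ${HOME}/.pki`, `mkdir ${HOME}/.pki` and `whitelist ${HOME}/.pki` are deleted, so access to the browser's NSS certificate store now depends on chromium-common.profile carrying the same three lines, and on their order: a `noblacklist` only takes effect when it precedes the blacklist it overrides, i.e. the `include /etc/firejail/disable-common.inc` line that the old profile placed after it. If `${HOME}/.pki` is missing or misordered there, the directory is blacklisted or absent inside the sandbox and certificate or client-certificate handling fails or runs from an empty store, which is easy to miss without one run per redirected profile. A one-line comment here, e.g. `# ${HOME}/.pki handling lives in chromium-common.profile`, would tell the next maintainer where it went.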