# Firejail profile for mullvad-browser
# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
# This file is overwritten after every install/update
# Persistent local customizations
include mullvad-browser.local
# Persistent global definitions
include globals.local

# IMPORTANT ##########################################
# The mullvad-browser can be downloaded from the official website
# and installed manually or via the AUR for Arch Linux (derivatives).
# The latter installs the browser under /opt/mullvad-browser, while
# the former can be installed under ${HOME} just about anywhere.
# If you decide to install it under ${HOME} this profile assumes the
# browser files are under ${HOME}/.local/share/mullvad-browser.
# When you deviate from that location you will need to make the needed
# path adjustments yourself in the below instructions.
####################################################

# If you installed under ${HOME}, put the below line in your
# mullvad-browser.local
# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
# need to be uncommented for the 'apparmor' option to work as expected.
# Security note: 'ignore noexec ${HOME}' tells firejail to skip the
# noexec rule for the whole of ${HOME} (applied by one of the included
# .inc files - verify), not just the browser directory. ${DOWNLOADS},
# which is whitelisted below, therefore also stops being noexec, so a
# downloaded file can be executed from inside the sandbox. Prefer the
# /opt install where possible.
#ignore noexec ${HOME}

# Browser state paths that the disable-*.inc files would otherwise hide.
# These must stay ahead of the disable-*.inc includes; firejail only
# honours a noblacklist that precedes the matching blacklist.
noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
noblacklist ${HOME}/.config/mullvad-browser-flags.conf
noblacklist ${HOME}/.local/share/mullvad-browser
noblacklist ${HOME}/.mullvad/mullvadbrowser

# Allow python 3 (blacklisted by disable-interpreters.inc)
# Presumably required by the bundled launcher scripts (see the
# start-mullvad-browser reference below) - confirm. Note this leaves a
# scripting interpreter reachable from inside the sandbox.
include allow-python3.inc

blacklist /srv
# Presumably hides network interface names from the browser (a
# fingerprinting signal) - confirm.
blacklist /sys/class/net
blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

# Create the browser state paths on the host before whitelisting them;
# firejail does not create a missing whitelist target (see firejail(1)).
mkdir ${HOME}/.cache/mullvad/mullvadbrowser
mkdir ${HOME}/.local/share/mullvad-browser
mkdir ${HOME}/.mullvad/mullvadbrowser
mkfile ${HOME}/.config/mullvad-browser-flags.conf
# ${DOWNLOADS} is the only general-purpose user directory exposed; with
# whitelist-common.inc, the rest of ${HOME} is not visible in the sandbox.
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/mullvad/mullvadbrowser
whitelist ${HOME}/.config/mullvad-browser-flags.conf
whitelist ${HOME}/.local/share/mullvad-browser
whitelist ${HOME}/.mullvad/mullvadbrowser
# AUR/package install location (see the IMPORTANT block above).
whitelist /opt/mullvad-browser
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
# unix for local sockets (display server, D-Bus); inet/inet6 for browsing.
protocol unix,inet,inet6
# chroot is exempted from the seccomp filter; Firefox-based browsers are
# understood to use it in their own content-process sandbox - confirm the
# browser still starts before tightening this in mullvad-browser.local.
seccomp !chroot
seccomp.block-secondary
#tracelog # may cause issues, see #1930

disable-mnt
# Only these binaries are visible inside the sandbox. Note the list
# includes several interpreters (bash, sh, python*, tclsh) and
# gpg/tar/xz, presumably for the launcher/updater - confirm; anything
# not listed is unreachable even if installed on the host.
private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
private-dev
# Only the @tls-ca group (CA certificate store and related files) is
# exposed from /etc.
private-etc @tls-ca
private-tmp

# Defence in depth: these downloaders are already absent from the
# private-bin list above; the blacklists keep them out should a .local
# file loosen private-bin.
blacklist ${PATH}/curl
blacklist ${PATH}/wget
blacklist ${PATH}/wget2

# Session bus: the browser may own its own well-known name only; with
# no talk rules, no other session-bus name is reachable. The system bus
# is blocked entirely.
dbus-user filter
dbus-user.own org.mozilla.mullvadbrowser.*
dbus-system none

# cfr. start-mullvad-browser
# do not (try to) connect to the session manager
rmenv SESSION_MANAGER

# Left disabled, presumably because the browser's own sandbox relies on
# user namespaces - confirm before enabling it in mullvad-browser.local.
#restrict-namespaces