profiles: browsers: format and improve comments
kmk3 committed Sep 25, 2024
1 parent 7fbf180 commit 9ee85f3
Showing 6 changed files with 32 additions and 24 deletions.
6 changes: 3 additions & 3 deletions etc/profile-a-l/cachy-browser.profile
@@ -1,5 +1,5 @@
# Firejail profile for Cachy-Browser
# Description: Librewolf fork based on enhanced privacy with gentoo patchset
# Firejail profile for cachy-browser
# Description: Librewolf fork based on enhanced privacy with Gentoo patchset
# This file is overwritten after every install/update
# Persistent local customizations
include cachy-browser.local
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/cachy
whitelist ${HOME}/.cachy
whitelist /usr/share/cachy-browser

# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
# Add the next line to cachy-browser.local to enable private-bin.
#private-bin dbus-launch,dbus-send,cachy-browser,sh
private-etc cachy-browser

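Review bot: Dropping "(Arch Linux)" from the private-bin comment in the second hunk removes the only hint about which distribution this binary list was written for. The firefox.profile comments in this same commit show that the launcher's needs differ between distributions, so a reader elsewhere may enable `private-bin dbus-launch,dbus-send,cachy-browser,sh` and find that the browser no longer starts. Consider keeping the qualifier: `# Add the next line to cachy-browser.local to enable private-bin (Arch Linux).` The same applies to the matching comment in librewolf.profile.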
9 changes: 5 additions & 4 deletions etc/profile-a-l/chromium-common.profile
@@ -20,8 +20,9 @@ noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.pki
noblacklist /usr/lib/chromium/chrome-sandbox

# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
# to have access to Gnome extensions (extensions.gnome.org) via browser connector
# Add the next line to chromium-common.local if you want the web browser to
# have access to Gnome extensions (extensions.gnome.org) via the browser
# connector.
#include allow-python3.inc

blacklist ${PATH}/curl
@@ -46,8 +47,8 @@ include whitelist-run-common.inc
?BROWSER_DISABLE_U2F: private-dev
#private-tmp # issues when using multiple browser sessions

# This prevents access to passwords saved in GNOME Keyring and KWallet, also
# breaks Gnome connector.
# Note: This prevents access to passwords saved in GNOME Keyring and KWallet
# and breaks Gnome connector.
#dbus-user none

# The file dialog needs to work without d-bus.
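Review bot: In the second hunk, "This prevents access to passwords…" leaves the reader to work out that "This" means the commented-out `dbus-user none` on the following line. The firefox-common.profile change in the same commit names the directive outright, and doing the same here would keep the two profiles consistent. Suggested wording: `# Note: 'dbus-user none' prevents access to passwords saved in GNOME Keyring and KWallet` followed by `# and breaks Gnome connector.`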
2 changes: 1 addition & 1 deletion etc/profile-a-l/firefox-common-addons.profile
@@ -79,7 +79,7 @@ whitelist ${HOME}/dwhelper
whitelist /usr/share/lua*
whitelist /usr/share/mpv

# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
# GNOME Shell integration (chrome-gnome-shell) needs dbus and python.
noblacklist ${HOME}/.local/share/gnome-shell
whitelist ${HOME}/.local/share/gnome-shell
dbus-user.talk ca.desrt.dconf
23 changes: 15 additions & 8 deletions etc/profile-a-l/firefox-common.profile
@@ -23,7 +23,8 @@ include firefox-common.local
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
# Add the next line to firefox-common.local to allow access to common
# programs/addons/plugins.
#include firefox-common-addons.profile

noblacklist ${HOME}/.local/share/pki
@@ -59,31 +60,37 @@ apparmor
# Fixme!
apparmor-replace
caps.drop all
# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
# Note: machine-id breaks pulseaudio; add it to firefox-common.local if sound
# is not required.
#machine-id
netfilter
nodvd
nogroups
noinput
nonewprivs
# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
# Note: noroot breaks GTK_USE_PORTAL=1 usage; see
# https://github.com/netblue30/firejail/issues/2506.
noroot
notv
?BROWSER_DISABLE_U2F: nou2f
protocol unix,inet,inet6,netlink
# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
# Note: The seccomp line below still permits the chroot syscall; see
# https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
seccomp !chroot
# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
# Note: tracelog may break or cause major issues with many Firefox-based
# browsers; see https://github.com/netblue30/firejail/issues/1930.
#tracelog

disable-mnt
?BROWSER_DISABLE_U2F: private-dev
# private-etc below works fine on most distributions. There could be some problems on CentOS.
# Note: The private-etc line below works fine on most distributions but it
# could cause problems on CentOS.
private-etc @tls-ca,@x11,mailcap,mime.types,os-release
private-tmp

# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
# Gnome connector, KDE connect and power management on KDE Plasma.
# Note: `dbus-user none` breaks various desktop integration features like
# global menus, native notifications, Gnome connector, KDE Connect and power
# management on KDE Plasma.
dbus-user none
dbus-system none

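Review bot: The rewritten note above `seccomp !chroot` still says only that the chroot syscall is permitted, not why the exception exists. Without that, a reader cannot judge whether it is safe to tighten this to a plain `seccomp` in firefox-common.local. The reason is not visible in this section, so a short clause summarising it from the linked issue 2506 would make the comment self-contained. The bare `# Fixme!` above `apparmor-replace` at the top of the same hunk has a similar gap: it does not say what needs fixing.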
12 changes: 6 additions & 6 deletions etc/profile-a-l/firefox.profile
@@ -6,10 +6,10 @@ include firefox.local
# Persistent global definitions
include globals.local

# Note: Sandboxing web browsers is as important as it is complex. Users might be
# interested in creating custom profiles depending on use case (e.g. one for
# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
# info. Here are a few links to get you going.
# Note: Sandboxing web browsers is as important as it is complex. Users might
# be interested in creating custom profiles depending on the use case (e.g. one
# for general browsing, another for banking, ...). Consult our FAQ/issue
# tracker for more information. Here are a few links to get you going:
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
@@ -34,9 +34,9 @@ whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist ${RUNUSER}/*firefox*
whitelist ${RUNUSER}/psd/*firefox*

# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
# Note: Firefox requires a shell to launch on Arch and Fedora.
# Add the next lines to firefox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
private-etc firefox

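Review bot: The merged comment in the second hunk no longer says which `private-bin` line belongs to which distribution, and "Add the next lines" reads as an instruction to add both. The removed comments tied the first list to Arch and the much longer second list to Fedora's launcher scripts. A user who copies both ends up with a wider binary allowlist inside the sandbox than their system needs. Consider keeping a short label per line, e.g. `# Arch:` above the first list and `# Fedora (shell-script launcher):` above the second.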
4 changes: 2 additions & 2 deletions etc/profile-a-l/librewolf.profile
@@ -1,4 +1,4 @@
# Firejail profile for Librewolf
# Firejail profile for librewolf
# Description: Firefox fork based on privacy
# This file is overwritten after every install/update
# Persistent local customizations
@@ -16,7 +16,7 @@ whitelist ${HOME}/.librewolf

whitelist /usr/share/librewolf

# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
# Add the next line to librewolf.local to enable private-bin.
#private-bin dbus-launch,dbus-send,librewolf,sh
private-etc librewolf

