diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
index 4500d41bf3..6bebbf7b07 100644
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -1,5 +1,5 @@
-# Firejail profile for Cachy-Browser
-# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# Firejail profile for cachy-browser
+# Description: Librewolf fork based on enhanced privacy with Gentoo patchset
 # This file is overwritten after every install/update
 # Persistent local customizations
 include cachy-browser.local
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/cachy
 whitelist ${HOME}/.cachy
 whitelist /usr/share/cachy-browser
-# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
+# Add the next line to cachy-browser.local to enable private-bin.
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
 private-etc cachy-browser
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 3a368dafb1..928514ebc2 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -20,8 +20,9 @@ noblacklist ${HOME}/.local/share/pki
 noblacklist ${HOME}/.pki
 noblacklist /usr/lib/chromium/chrome-sandbox
-# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
-# to have access to Gnome extensions (extensions.gnome.org) via browser connector
+# Add the next line to chromium-common.local if you want the web browser to
+# have access to Gnome extensions (extensions.gnome.org) via the browser
+# connector.
 #include allow-python3.inc
 blacklist ${PATH}/curl
@@ -38,7 +39,7 @@ include whitelist-run-common.inc
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
-# can add the next line to your chromium-common.local.
+# can add the next line to chromium-common.local.
 #include chromium-common-hardened.inc.profile
 ?BROWSER_DISABLE_U2F: nou2f
@@ -46,8 +47,8 @@ include whitelist-run-common.inc
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp # issues when using multiple browser sessions
-# This prevents access to passwords saved in GNOME Keyring and KWallet, also
-# breaks Gnome connector.
+# Note: This prevents access to passwords saved in GNOME Keyring and KWallet
+# and breaks Gnome connector.
 #dbus-user none
 # The file dialog needs to work without d-bus.
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index 5e3d0983d0..932e18ccc2 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -79,7 +79,7 @@ whitelist ${HOME}/dwhelper
 whitelist /usr/share/lua*
 whitelist /usr/share/mpv
-# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python.
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 2467d5dc9d..3284821eb0 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
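Review bot: The reworded note above `#dbus-user none` still opens with "This prevents ...", so a reader cannot tell whether it describes the `#private-tmp` line above it or the `dbus-user` line below it; name the subject, e.g. `# Note: dbus-user none prevents access to passwords saved in GNOME Keyring` / `# and KWallet and breaks Gnome connector.` The note also states only the cost of enabling the option, not what leaving it commented out means for the sandbox; if firejail's default with no `dbus-user` line is unrestricted session-bus access (not visible in this hunk), one sentence saying so would let readers weigh the trade-off instead of just seeing the breakage list. The surrounding profile continues outside the hunk.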
@@ -23,7 +23,8 @@ include firefox-common.local
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
-# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
+# Add the next line to firefox-common.local to allow access to common
+# programs/addons/plugins.
 #include firefox-common-addons.profile
 noblacklist ${HOME}/.local/share/pki
@@ -59,31 +60,37 @@ apparmor # Fixme! apparmor-replace
 caps.drop all
-# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
+# Note: machine-id breaks pulseaudio; add it to firefox-common.local if sound
+# is not required.
 #machine-id
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
-# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+# Note: noroot breaks GTK_USE_PORTAL=1 usage; see
+# https://github.com/netblue30/firejail/issues/2506.
 noroot
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
-# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
+# Note: The seccomp line below still permits the chroot syscall; see
+# https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
 seccomp !chroot
-# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
+# Note: tracelog may break or cause major issues with many Firefox-based
+# browsers; see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
 disable-mnt
 ?BROWSER_DISABLE_U2F: private-dev
-# private-etc below works fine on most distributions. There could be some problems on CentOS.
+# Note: The private-etc line below works fine on most distributions but it
+# could cause problems on CentOS.
 private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
-# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
-# Gnome connector, KDE connect and power management on KDE Plasma.
+# Note: `dbus-user none` breaks various desktop integration features like
+# global menus, native notifications, Gnome connector, KDE Connect and power
+# management on KDE Plasma.
 dbus-user none
 dbus-system none
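Review bot: The rewritten note above `seccomp !chroot` says chroot stays permitted and points at a workaround thread, but still not why a browser profile needs to exempt chroot from the seccomp filter, so a reader hardening via firefox-common.local cannot judge whether dropping the exception is safe for them; if the exemption exists because Firefox's own content-process sandbox uses chroot, say so, e.g. `# Note: chroot stays permitted because Firefox's sandbox needs it; see` followed by the existing link line. Both this note and the `noroot` note cite issues/2506 — if that is a carry-over from the old text rather than genuinely the same issue, the seccomp note sends readers to the wrong thread. The `#tracelog` note was also softened from "it breaks" to "may break"; if tracelog was commented out because of confirmed breakage (issue 1930), the weaker wording invites people to re-enable it, so keep the stronger statement.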
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 92a44c2099..92b7eb1c72 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,10 +6,10 @@ include firefox.local
 # Persistent global definitions
 include globals.local
-# Note: Sandboxing web browsers is as important as it is complex. Users might be
-# interested in creating custom profiles depending on use case (e.g. one for
-# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
-# info. Here are a few links to get you going.
+# Note: Sandboxing web browsers is as important as it is complex. Users might
+# be interested in creating custom profiles depending on the use case (e.g. one
+# for general browsing, another for banking, ...). Consult our FAQ/issue
+# tracker for more information. Here are a few links to get you going:
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
@@ -34,9 +34,9 @@ whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist ${RUNUSER}/*firefox*
 whitelist ${RUNUSER}/psd/*firefox*
-# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
+# Note: Firefox requires a shell to launch on Arch and Fedora.
+# Add the next lines to firefox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
-# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
 #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
 private-etc firefox
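Review bot: Merging the two private-bin notes into `Add the next lines to firefox.local` drops the one piece of information a user needs — that the first `#private-bin` list is for Arch and the second for Fedora — and as written it reads as "add both". If firejail merges repeated `private-bin` lines, as I believe it does, adding both would expose the wider Fedora set (`sed`, `tclsh`, `getenforce`, `restorecon`, ...) inside the sandbox on Arch as well, which is the opposite of what private-bin is for. Keep the per-distro labels, e.g. `# Note: Firefox requires a shell to launch on Arch and Fedora; add the matching` / `# line (first: Arch, second: Fedora) to firefox.local to enable private-bin.`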
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index da41ca7815..23d2f78c24 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -1,4 +1,4 @@
-# Firejail profile for Librewolf
+# Firejail profile for librewolf
 # Description: Firefox fork based on privacy
 # This file is overwritten after every install/update
 # Persistent local customizations
@@ -16,7 +16,7 @@ whitelist ${HOME}/.librewolf
 whitelist /usr/share/librewolf
-# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
+# Add the next line to librewolf.local to enable private-bin.
 #private-bin dbus-launch,dbus-send,librewolf,sh
 private-etc librewolf