Merge pull request #6486 from kmk3/browsers-improve-comments
profiles: browsers: centralize/sync/improve comments
kmk3 authored Sep 28, 2024
2 parents 98e81ea + 49d21b0 commit 92f4820
Showing 7 changed files with 68 additions and 110 deletions.
28 changes: 3 additions & 25 deletions etc/profile-a-l/cachy-browser.profile
@@ -1,5 +1,5 @@
# Firejail profile for Cachy-Browser
# Description: Librewolf fork based on enhanced privacy with gentoo patchset
# Firejail profile for cachy-browser
# Description: Librewolf fork based on enhanced privacy with Gentoo patchset
# This file is overwritten after every install/update
# Persistent local customizations
include cachy-browser.local
Expand All @@ -15,34 +15,12 @@ whitelist ${HOME}/.cache/cachy
whitelist ${HOME}/.cachy
whitelist /usr/share/cachy-browser

# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla

# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
# Add the next line to cachy-browser.local to enable private-bin.
#private-bin dbus-launch,dbus-send,cachy-browser,sh
private-etc cachy-browser

dbus-user filter
dbus-user.own org.mozilla.cachybrowser.*
# Add the next line to your cachy-browser.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your cachy-browser.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your cachy-browser.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
ignore dbus-user none

# Redirect
18 changes: 13 additions & 5 deletions etc/profile-a-l/chromium-common.profile
Expand Up @@ -9,12 +9,20 @@ include chromium-common.local
# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}

# To enable support for the KeePassXC extension, add the following lines to
# chromium-common.local.
# Note: Start KeePassXC before the web browser and keep it open to allow
# communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.pki
noblacklist /usr/lib/chromium/chrome-sandbox

# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
# to have access to Gnome extensions (extensions.gnome.org) via browser connector
# Add the next line to chromium-common.local if you want the web browser to
# have access to Gnome extensions (extensions.gnome.org) via the browser
# connector.
#include allow-python3.inc

blacklist ${PATH}/curl
Expand All @@ -31,16 +39,16 @@ include whitelist-run-common.inc

# If your kernel allows the creation of user namespaces by unprivileged users
# (for example, if running `unshare -U echo enabled` prints "enabled"), you
# can add the next line to your chromium-common.local.
# can add the next line to chromium-common.local.
#include chromium-common-hardened.inc.profile

?BROWSER_DISABLE_U2F: nou2f

?BROWSER_DISABLE_U2F: private-dev
#private-tmp # issues when using multiple browser sessions

# This prevents access to passwords saved in GNOME Keyring and KWallet, also
# breaks Gnome connector.
# Note: This prevents access to passwords saved in GNOME Keyring and KWallet
# and breaks Gnome connector.
#dbus-user none

# The file dialog needs to work without d-bus.
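Review bot: The new KeePassXC hint at the top of the first hunk tells users to put the two `whitelist ${RUNUSER}/...` lines into chromium-common.local, but that file is presumably read by every profile that includes chromium-common.profile (the hunk header shows `include chromium-common.local`), so following the hint exposes the KeePassXC browser socket to all Chromium-based browsers rather than the single one the user had in mind. The same scope change applies to the hints this commit centralizes in firefox-common.profile (migration wizard, KeePassXC, the `dbus-user.talk` and `ignore noroot` lines), which the removed per-browser wording used to direct at e.g. firefox.local or librewolf.local. Consider stating the scope once next to these hints, e.g. `# Note: Lines added to chromium-common.local apply to every browser that includes this profile; use the browser's own .local file to limit them to one browser.` The enclosing file continues beyond both hunks.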
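--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -79,7 +79,7 @@ whitelist ${HOME}/dwhelper
 whitelist /usr/share/lua*
 whitelist /usr/share/mpv
 
-# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python.
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 dbus-user.talk ca.desrt.dconf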
51 changes: 43 additions & 8 deletions etc/profile-a-l/firefox-common.profile
Expand Up @@ -11,7 +11,20 @@ include firefox-common.local
# noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon.
?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER}

# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
# Add the next lines to firefox-common.local if you want to use the migration
# wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla

# To enable support for the KeePassXC extension, add the following lines to
# firefox-common.local.
# Note: Start KeePassXC before the web browser and keep it open to allow
# communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

# Add the next line to firefox-common.local to allow access to common
# programs/addons/plugins.
#include firefox-common-addons.profile

noblacklist ${HOME}/.local/share/pki
Expand Down Expand Up @@ -47,32 +60,54 @@ apparmor
# Fixme!
apparmor-replace
caps.drop all
# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
# Note: machine-id breaks pulseaudio; add it to firefox-common.local if sound
# is not required.
#machine-id
netfilter
nodvd
nogroups
noinput
nonewprivs
# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
# Note: noroot breaks GTK_USE_PORTAL=1 usage; see
# https://github.com/netblue30/firejail/issues/2506.
noroot
notv
?BROWSER_DISABLE_U2F: nou2f
protocol unix,inet,inet6,netlink
# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
# Note: The seccomp line below still permits the chroot syscall; see
# https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
seccomp !chroot
# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
# Note: tracelog may break or cause major issues with many Firefox-based
# browsers; see https://github.com/netblue30/firejail/issues/1930.
#tracelog

disable-mnt
?BROWSER_DISABLE_U2F: private-dev
# private-etc below works fine on most distributions. There could be some problems on CentOS.
# Note: The private-etc line below works fine on most distributions but it
# could cause problems on CentOS.
private-etc @tls-ca,@x11,mailcap,mime.types,os-release
private-tmp

# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
# Gnome connector, KDE connect and power management on KDE Plasma.
# Note: `dbus-user none` breaks various desktop integration features like
# global menus, native notifications, Gnome connector, KDE Connect and power
# management on KDE Plasma.
dbus-user none
dbus-system none

# Add the next line to firefox-common.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to firefox-common.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to firefox-common.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kdeconnect
#dbus-user.talk org.kde.kuiserver
# Add the next line to firefox-common.local to allow screensharing under
# Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to firefox-common.local if screensharing does not work
# with the above lines (depends on the portal implementation).
#ignore noroot

#restrict-namespaces
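Review bot: The centralized `dbus-user.talk` / `dbus-user.own` hints added after `dbus-system none` in the second hunk sit a few lines below `dbus-user none`, and nothing in the hunk says that they only matter for profiles that override that line; in this same commit firefox.profile, floorp.profile, librewolf.profile and cachy-browser.profile all keep `dbus-user filter` and `ignore dbus-user none`, while a profile that inherits `dbus-user none` unchanged may not honour a talk rule added to firefox-common.local (whether firejail applies the rule in that case is not something this page shows). A one-line note would remove the ambiguity, e.g. `# Note: The dbus-user.talk/own lines below only take effect in profiles that set dbus-user filter and ignore dbus-user none (e.g. firefox.profile).` The same applies to the `#ignore noroot` hint at the end of the hunk, which widens the sandbox for every browser reading firefox-common.local rather than one. The enclosing file continues past the hunk.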
31 changes: 6 additions & 25 deletions etc/profile-a-l/firefox.profile
Expand Up @@ -6,10 +6,10 @@ include firefox.local
# Persistent global definitions
include globals.local

# Note: Sandboxing web browsers is as important as it is complex. Users might be
# interested in creating custom profiles depending on use case (e.g. one for
# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
# info. Here are a few links to get you going.
# Note: Sandboxing web browsers is as important as it is complex. Users might
# be interested in creating custom profiles depending on the use case (e.g. one
# for general browsing, another for banking, ...). Consult our FAQ/issue
# tracker for more information. Here are a few links to get you going:
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
Expand All @@ -29,39 +29,20 @@ mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla

# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
# Note: Start KeePassXC before Firefox and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

whitelist /usr/share/firefox
whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist ${RUNUSER}/*firefox*
whitelist ${RUNUSER}/psd/*firefox*

# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
# Note: Firefox requires a shell to launch on Arch and Fedora.
# Add the next lines to firefox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
private-etc firefox

dbus-user filter
dbus-user.own org.mozilla.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
# Add the next line to your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your firefox.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your firefox.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kdeconnect
#dbus-user.talk org.kde.kuiserver
# Add the next line to your firefox.local to allow screen sharing under wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your firefox.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
ignore dbus-user none

# Redirect
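Review bot: The rewritten private-bin hint in the second hunk drops the mapping between each `#private-bin` line and its distribution: the removed comments labelled the first line as Arch and the second as Fedora, whereas the new `# Note: Firefox requires a shell to launch on Arch and Fedora.` followed by `# Add the next lines to firefox.local to enable private-bin.` leaves the reader to work out which line applies to them, or whether both are meant to be added. A one-word label on each line would restore that, e.g. `# Arch:` above the first `#private-bin` and `# Fedora:` above the second. The enclosing file continues past the hunk.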
22 changes: 0 additions & 22 deletions etc/profile-a-l/floorp.profile
Expand Up @@ -14,30 +14,8 @@ mkdir ${HOME}/.floorp
whitelist ${HOME}/.cache/floorp
whitelist ${HOME}/.floorp

# Add the next lines to your floorp.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla

# To enable KeePassXC Plugin add one of the following lines to your floorp.local.
# Note: Start KeePassXC before floorp and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

dbus-user filter
dbus-user.own org.mozilla.floorp.*
# Add the next line to your floorp.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your floorp.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your floorp.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your floorp.local to allow screensharing under Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your floorp.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
ignore apparmor
ignore dbus-user none

26 changes: 2 additions & 24 deletions etc/profile-a-l/librewolf.profile
@@ -1,4 +1,4 @@
# Firejail profile for Librewolf
# Firejail profile for librewolf
# Description: Firefox fork based on privacy
# This file is overwritten after every install/update
# Persistent local customizations
Expand All @@ -14,38 +14,16 @@ mkdir ${HOME}/.librewolf
whitelist ${HOME}/.cache/librewolf
whitelist ${HOME}/.librewolf

# Add the next lines to your librewolf.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla

# To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

whitelist /usr/share/librewolf

# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
# Add the next line to librewolf.local to enable private-bin.
#private-bin dbus-launch,dbus-send,librewolf,sh
private-etc librewolf

dbus-user filter
dbus-user.own io.gitlab.firefox.*
dbus-user.own io.gitlab.librewolf.*
dbus-user.own org.mozilla.librewolf.*
# Add the next line to your librewolf.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your librewolf.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your librewolf.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your librewolf.local to allow screensharing under Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your librewolf.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
ignore apparmor
ignore dbus-user none

