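# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local

# Exemptions from the blacklists applied by the disable-*.inc includes below.
# Each ${HOME} path that is whitelisted further down has a matching
# noblacklist here, except the gnome-shell extensions directory (see note).
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.config/okularpartrc
noblacklist ${HOME}/.config/okularrc
noblacklist ${HOME}/.config/qpdfview
noblacklist ${HOME}/.kde/share/apps/kget
noblacklist ${HOME}/.kde/share/apps/okular
noblacklist ${HOME}/.kde/share/config/kgetrc
noblacklist ${HOME}/.kde/share/config/okularpartrc
noblacklist ${HOME}/.kde/share/config/okularrc
noblacklist ${HOME}/.kde4/share/apps/kget
noblacklist ${HOME}/.kde4/share/apps/okular
noblacklist ${HOME}/.kde4/share/config/kgetrc
noblacklist ${HOME}/.kde4/share/config/okularpartrc
noblacklist ${HOME}/.kde4/share/config/okularrc
# NOTE(review): this noblacklist is disabled while the matching whitelist
# below is active; if one of the included disable-*.inc files blacklists
# this path, the whitelist entry has no effect — confirm which is intended.
# noblacklist ${HOME}/.local/share/gnome-shell/extensions
noblacklist ${HOME}/.local/share/okular
noblacklist ${HOME}/.local/share/qpdfview
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

# Create the profile/cert directories so the whitelist entries below bind
# mount a real directory rather than failing on a missing path.
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki

# Only these ${HOME} paths are visible inside the sandbox; everything else
# under ${HOME} is hidden.
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/gnome-mplayer/plugin
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.config/gnome-mplayer
whitelist ${HOME}/.config/okularpartrc
whitelist ${HOME}/.config/okularrc
whitelist ${HOME}/.config/pipelight-silverlight5.1
whitelist ${HOME}/.config/pipelight-widevine
whitelist ${HOME}/.config/qpdfview
whitelist ${HOME}/.kde/share/apps/kget
whitelist ${HOME}/.kde/share/apps/okular
whitelist ${HOME}/.kde/share/config/kgetrc
whitelist ${HOME}/.kde/share/config/okularpartrc
whitelist ${HOME}/.kde/share/config/okularrc
whitelist ${HOME}/.kde4/share/apps/kget
whitelist ${HOME}/.kde4/share/apps/okular
whitelist ${HOME}/.kde4/share/config/kgetrc
whitelist ${HOME}/.kde4/share/config/okularpartrc
whitelist ${HOME}/.kde4/share/config/okularrc
whitelist ${HOME}/.keysnail.js
whitelist ${HOME}/.lastpass
whitelist ${HOME}/.local/share/gnome-shell/extensions
whitelist ${HOME}/.local/share/okular
whitelist ${HOME}/.local/share/qpdfview
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.pentadactyl
whitelist ${HOME}/.pentadactylrc
whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.vimperator
whitelist ${HOME}/.vimperatorrc
whitelist ${HOME}/.wine-pipelight
whitelist ${HOME}/.wine-pipelight64
whitelist ${HOME}/.zotero
whitelist ${HOME}/dwhelper
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
# machine-id breaks pulse audio; it should work fine in setups where sound is not required
#machine-id
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
#seccomp - replaced with seccomp.drop for Firefox 60
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
shell none
#tracelog - disabled for Firefox 60

disable-mnt
# firefox requires a shell to launch on Arch.
# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
private-dev
# private-etc below works fine on most distributions. There are some problems on CentOS.
# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
private-tmp

# Writable user-controlled locations are mounted without execute permission.
noexec ${HOME}
noexec /tmp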