Firejail profile for Mullvad Browser
# Firejail profile for mullvad-browser
# Persistent local customizations
# This .local file is pulled in by the main profile's `include mullvad-browser.local`
# line, so anything uncommented here changes the sandbox on every start.
## globals.local overrides
## system-wide profile overrides
## If you installed under ${HOME}, uncomment the below lines.
# NOTE(review): `ignore noexec ${HOME}` cancels a `noexec ${HOME}` rule for the
# whole home directory, not only for the browser's install path (presumably the
# rule comes from disable-exec.inc; confirm). Every path the profile whitelists
# under ${HOME}, including the downloads directory, then becomes executable
# inside the sandbox. Installing to /opt/mullvad-browser avoids this.
#ignore noexec ${HOME}
#noblacklist ${HOME}/my/shiny/new/mullvad-browser
#mkdir ${HOME}/my/shiny/new/mullvad-browser
#whitelist ${HOME}/my/shiny/new/mullvad-browser
#nowhitelist /opt/mullvad-browser
#private-opt none
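# Firejail profile for mullvad-browser
# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
# This file is overwritten after every install/update
# Persistent local customizations
include mullvad-browser.local
# Persistent global definitions
include globals.local

## IMPORTANT #############################################
# This profile is designed for the mullvad-browser-bin package from the AUR.
# Mullvad browser is installed to /opt/mullvad-browser and supports start-up
# flags in ${HOME}/.config/mullvad-browser-flags.conf.
# https://aur.archlinux.org/packages/mullvad-browser-bin
########################################################

## If you installed under ${HOME}, put the below lines in your mullvad-browser.local.
# NOTE(review): `ignore noexec ${HOME}` lifts noexec for the whole home directory,
# so whitelisted paths such as ${DOWNLOADS} become executable inside the sandbox.
# Prefer the /opt install where possible.
#ignore noexec ${HOME}
#noblacklist ${HOME}/my/shiny/new/mullvad-browser
#mkdir ${HOME}/my/shiny/new/mullvad-browser
#whitelist ${HOME}/my/shiny/new/mullvad-browser
#nowhitelist /opt/mullvad-browser
#private-opt none
# Add a rule to /etc/apparmor.d/local/firejail-default if you use AppArmor:
# `owner @{HOME}/my/shiny/new/mullvad-browser/** ix,`.

# Flags file: exempt it from later blacklists, create it if missing, and expose it.
# noblacklist has to come before the disable-*.inc includes below to take effect.
noblacklist ${HOME}/.config/mullvad-browser-flags.conf

mkfile ${HOME}/.config/mullvad-browser-flags.conf
whitelist ${HOME}/.config/mullvad-browser-flags.conf
whitelist /opt/mullvad-browser

# As in start-mullvad-browser: do not connect to the session manager.
rmenv SESSION_MANAGER

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

blacklist /srv
blacklist /sys/class/net

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

# ${DOWNLOADS} is the only user-data directory whitelisted by this file itself;
# the whitelist-*.inc includes below add their own common paths.
whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-var-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

apparmor
caps.drop all
# netfilter only takes effect when the sandbox gets its own network namespace
# (for example via a `net` option in a .local file); on the host namespace it does nothing.
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
# nou2f blocks U2F devices, so hardware security keys cannot be used for web
# logins in this sandbox; add `ignore nou2f` to mullvad-browser.local if you need them.
nou2f
novideo
# Socket families are limited to local (unix) and IPv4/IPv6.
protocol unix,inet,inet6
# Default seccomp filter, with the chroot syscall left permitted
# (presumably needed by the browser's own sandbox; confirm before tightening).
seccomp !chroot
#tracelog - may cause issues, see #1930

disable-mnt
# Only the listed executables are available in the sandbox. The list includes
# bash, sh, python* and tclsh, so script interpreters remain reachable from inside.
private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,mullvad-browser,update-desktop-database,xmessage,xz,zenity
private-dev
# Private /etc; @tls-ca selects firejail's group of TLS/CA certificate files.
private-etc @tls-ca
private-opt mullvad-browser
private-tmp

# No access to the session or system D-Bus.
dbus-user none
dbus-system none

# Blocks creation of new namespaces from inside the sandbox.
restrict-namespaces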
This firejail profile is designed for the mullvad-browser-bin package from the AUR. Mullvad Browser is installed to `/opt/mullvad-browser` and supports start-up flags in `${HOME}/.config/mullvad-browser-flags.conf`.
There are comments inside both files with further instructions, including the scenario where you installed manually under `/home`.
To respect firejail's profile logic you'll need to add to or create a `disable-programs.local` file until upstream gets official profiles for Mullvad Browser: