@glitsj16
Last active April 7, 2023 09:33
Firejail profile for Mullvad Browser
# Firejail profile for mullvad-browser
# Persistent local customizations
## globals.local overrides
## system-wide profile overrides
## If you installed under ${HOME}, uncomment the below lines.
#ignore noexec ${HOME}
#noblacklist ${HOME}/my/shiny/new/mullvad-browser
#mkdir ${HOME}/my/shiny/new/mullvad-browser
#whitelist ${HOME}/my/shiny/new/mullvad-browser
#nowhitelist /opt/mullvad-browser
#private-opt none

# Firejail profile for mullvad-browser
# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
# This file is overwritten after every install/update
# Persistent local customizations
include mullvad-browser.local
# Persistent global definitions
include globals.local
## IMPORTANT #############################################
# This profile is designed for the mullvad-browser-bin package from the AUR.
# Mullvad browser is installed to /opt/mullvad-browser and supports start-up
# flags in ${HOME}/.config/mullvad-browser-flags.conf.
# https://aur.archlinux.org/packages/mullvad-browser-bin
########################################################
## If you installed under ${HOME}, put the below lines in your mullvad-browser.local.
#ignore noexec ${HOME}
#noblacklist ${HOME}/my/shiny/new/mullvad-browser
#mkdir ${HOME}/my/shiny/new/mullvad-browser
#whitelist ${HOME}/my/shiny/new/mullvad-browser
#nowhitelist /opt/mullvad-browser
#private-opt none
# Add a rule to /etc/apparmor.d/local/firejail-default if you use AppArmor:
# `owner @{HOME}/my/shiny/new/mullvad-browser/** ix,`.
noblacklist ${HOME}/.config/mullvad-browser-flags.conf
mkfile ${HOME}/.config/mullvad-browser-flags.conf
whitelist ${HOME}/.config/mullvad-browser-flags.conf
whitelist /opt/mullvad-browser
# Cfr. start-mullvad-browser: do not connect to the session manager.
rmenv SESSION_MANAGER
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc
blacklist /srv
blacklist /sys/class/net
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-var-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
apparmor
caps.drop all
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp !chroot
#tracelog - may cause issues, see #1930
disable-mnt
private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,mullvad-browser,update-desktop-database,xmessage,xz,zenity
private-dev
private-etc @tls-ca
private-opt mullvad-browser
private-tmp
dbus-user none
dbus-system none
restrict-namespaces
glitsj16 commented Apr 7, 2023

This firejail profile is designed for the mullvad-browser-bin package from the AUR. Mullvad Browser is installed to /opt/mullvad-browser and supports start-up flags in ${HOME}/.config/mullvad-browser-flags.conf.

There are comments inside both files with further instructions, including a scenario when you installed manually under /home.

To respect firejail's profile logic you'll need to add to or create a disable-programs.local file until upstream gets official profiles for Mullvad Browser:

# mullvad-browser
blacklist ${HOME}/.config/mullvad-browser-flags.conf
blacklist ${HOME}/my/shiny/new/mullvad-browser
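The interplay between that disable-programs.local entry and the profile's own `noblacklist` line is easy to get wrong when editing by hand, so here is a small resolver that walks a profile's `include` chain and reports whether a path ends up blacklisted. This is an added example, not code from the gist or from the Firejail project. It models a deliberately simplified subset of Firejail's semantics (an assumption): `include` is expanded in place, `${HOME}` is substituted, missing `*.local` files are skipped, and a `blacklist` is ignored only if a matching `noblacklist` appeared earlier in the expanded stream; `whitelist` and `private-*` directives are not evaluated. The profile files are supplied as an in-memory dict standing in for /etc/firejail, abridged from the gist, so the script runs offline.

```python
"""Resolve a Firejail profile's include chain and evaluate blacklist /
noblacklist directives for a path. Added example; simplified model of
Firejail's behaviour, not the real implementation."""
import fnmatch

HOME = "/home/user"  # constructed sample home directory


def expand(arg, home=HOME):
    """Substitute the ${HOME} macro the way the gist's profile uses it."""
    return arg.replace("${HOME}", home)


def resolve(name, files, seen=None):
    """Yield (directive, argument) tuples for profile ``name`` with every
    ``include`` expanded in place. An include target that is absent from
    ``files`` is skipped, mirroring how an unused ``*.local`` behaves."""
    if seen is None:
        seen = set()
    if name in seen or name not in files:
        return
    seen.add(name)
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        arg = parts[1] if len(parts) > 1 else ""
        if directive == "include":
            yield from resolve(arg, files, seen)
        else:
            yield directive, expand(arg)


def _covers(rule, path):
    """True if a blacklist ``rule`` hides ``path``: exact match, glob
    match, or ``path`` lying underneath ``rule``."""
    return (path == rule
            or fnmatch.fnmatchcase(path, rule)
            or path.startswith(rule.rstrip("/") + "/"))


def is_blacklisted(path, directives):
    """Assumed model: a blacklist is dropped when a noblacklist naming the
    same entry was seen earlier in the expanded directive stream."""
    exempt = []
    for directive, arg in directives:
        if directive == "noblacklist":
            exempt.append(arg)
        elif directive == "blacklist" and _covers(arg, path):
            if not any(fnmatch.fnmatchcase(arg, e) for e in exempt):
                return True
    return False


# Constructed stand-in for /etc/firejail: the gist's profile (abridged),
# disable-programs.inc pulling in the disable-programs.local from the
# comment above, and no mullvad-browser.local yet.
FILES = {
    "mullvad-browser.profile": """
include mullvad-browser.local
include globals.local
noblacklist ${HOME}/.config/mullvad-browser-flags.conf
whitelist ${HOME}/.config/mullvad-browser-flags.conf
whitelist /opt/mullvad-browser
include disable-programs.inc
""",
    "disable-programs.inc": """
include disable-programs.local
blacklist ${HOME}/.config/chromium
""",
    "disable-programs.local": """
# mullvad-browser
blacklist ${HOME}/.config/mullvad-browser-flags.conf
blacklist ${HOME}/my/shiny/new/mullvad-browser
""",
}


def check(path, files=FILES, profile="mullvad-browser.profile"):
    """Return True if ``path`` is hidden once ``profile`` is fully expanded."""
    return is_blacklisted(expand(path), list(resolve(profile, files)))


def demo():
    """Run the three scenarios the gist describes and return the outcomes."""
    flags = "${HOME}/.config/mullvad-browser-flags.conf"
    custom = "${HOME}/my/shiny/new/mullvad-browser"
    # The same profile plus the .local line the gist tells you to uncomment
    # for an install under ${HOME}.
    with_local = dict(FILES)
    with_local["mullvad-browser.local"] = "noblacklist " + custom + "\n"
    return {
        "flags_conf_blocked": check(flags),                       # False
        "home_install_blocked_without_local": check(custom),     # True
        "home_install_blocked_with_local": check(custom, with_local),  # False
        "other_profile_dir_blocked": check("${HOME}/.config/chromium/Default"),  # True
    }


if __name__ == "__main__":
    for scenario, blocked in demo().items():
        print(f"{scenario}: {'blocked' if blocked else 'accessible'}")
```

The `home_install_blocked_without_local` case is the one worth remembering: once disable-programs.local blacklists the custom install directory, the browser binary is hidden unless the corresponding `noblacklist` line in mullvad-browser.local is uncommented, and because the profile includes the `.local` before `disable-programs.inc`, the exemption is already registered when the blacklist is reached.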
