Create mullvad-browser.profile (#5887)

glitsj16 · web-flow · commit e4913eb9cb21 · 2023-07-22T12:38:28.000Z
Homepage: https://mullvad.net/en/download/browser/linux mullvad-browser: don't use restrict-namespaces mullvad-browser: cover both installation paths Suggested in review by @kmk3.
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
@@ -20,5 +20,8 @@
 # Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
 #owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
 
+# Uncomment to opt-in to apparmor for mullvad-browser under ${HOME}
+#owner @{HOME}/.local/share/mullvad-browser/** ix,
+
 # Uncomment to opt-in to apparmor for torbrowser-launcher
 #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
@@ -178,6 +178,7 @@ blacklist ${HOME}/.cache/ms-outlook-online
 blacklist ${HOME}/.cache/ms-powerpoint-online
 blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mullvad/mullvadbrowser
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
@@ -550,6 +551,7 @@ blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/mullvad-browser-flags.conf
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/mutt
 blacklist ${HOME}/.config/mutter
@@ -977,6 +979,7 @@ blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/minder
 blacklist ${HOME}/.local/share/mirage
+blacklist ${HOME}/.local/share/mullvad-browser
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
@@ -1063,6 +1066,7 @@ blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
@@ -1196,6 +1200,7 @@ blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
 blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/UpdateInfo
 blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/i2p
 blacklist ${HOME}/mps
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
@@ -0,0 +1,97 @@
+# Firejail profile for mullvad-browser
+# Description: Privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mullvad-browser.local
+# Persistent global definitions
+include globals.local
+
+# IMPORTANT ##########################################
+# The mullvad-browser can be downloaded from the official website
+# and installed manually or via the AUR for Arch Linux (derivatives).
+# The latter installs the browser under /opt/mullvad-browser, while
+# the former can be installed under ${HOME} just about anywhere.
+# If you decide to install it under ${HOME} this profile assumes to find
+# the browser files under ${HOME}/.local/share/mullvad-browser.
+# When you divert from that location you will need to make the needed
+# path adjustments yourself in the below instructions.
+####################################################
+
+# If you installed under ${HOME}, put the below line in your
+# mullvad-browser.local
+# Note: The relevant rule in /etc/apparmor.d/local/firejail-default will
+# need to be uncommented for the 'apparmor' option to work as expected.
+#ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/mullvad/mullvadbrowser
+noblacklist ${HOME}/.config/mullvad-browser-flags.conf
+noblacklist ${HOME}/.local/share/mullvad-browser
+noblacklist ${HOME}/.mullvad/mullvadbrowser
+
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /srv
+blacklist /sys/class/net
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mullvad/mullvadbrowser
+mkdir ${HOME}/.local/share/mullvad-browser
+mkdir ${HOME}/.mullvad/mullvadbrowser
+mkfile ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/mullvad/mullvadbrowser
+whitelist ${HOME}/.config/mullvad-browser-flags.conf
+whitelist ${HOME}/.local/share/mullvad-browser
+whitelist ${HOME}/.mullvad/mullvadbrowser
+whitelist /opt/mullvad-browser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+#tracelog - may cause issues, see #1930
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc @tls-ca
+#private-opt mullvad-browser - can cause slow startup
+private-tmp
+
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
+dbus-user filter
+dbus-user.own org.mozilla.mullvadbrowser.*
+dbus-system none
+
+# cfr. start-mullvad-browser
+# do not (try to) connect to the session manager
+rmenv SESSION_MANAGER
+
+#restrict-namespaces
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
@@ -579,6 +579,7 @@ ms-powerpoint
 ms-skype
 ms-word
 mtpaint
+mullvad-browser
 multimc
 multimc5
 mumble
