# AppArmor profile for waterfox-current
# See also https://github.com/mk-fg/waterfox
#include <tunables/global>
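profile /opt/waterfox-current/waterfox-current {
  # Confines the waterfox-current binary and the processes it spawns.
  # Relies on names defined outside this file: the @{HOME}/@{PROC}/@{pid}/@{pids}
  # tunables from <tunables/global>, the site-local <abstractions/site/*> files,
  # and the @{HOME_BIN} tunable used for the URL-handler wrappers below.
  #include <abstractions/base>
  #include <abstractions/site/base>
  #include <abstractions/site/de>
  #include <abstractions/X>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/freedesktop.org>
  #include <abstractions/ssl-certs>
  #include <abstractions/pulse>
  #include <abstractions/dconf>
  #include <abstractions/user-download>

  # Executables. The browser re-executes itself for tab/content processes;
  # cix is a child-profile transition that falls back to inheriting this
  # profile. The URL dispatcher uses a scrubbed-environment mode (the U in
  # cUx) with an unconfined fallback; see apparmor.d(5) before changing the
  # mode, since whatever it handles may run outside this profile.
  /opt/waterfox-current/waterfox-current cix, # tabs
  @{HOME}/.waterfox/url-handler cUx, # dispatcher for magnet: and such
  /opt/waterfox-current/** rm,
  /etc/mime.types r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/applications/screensavers/ r,

  # Capabilities the browser must never get, even if an included abstraction
  # would grant them (deny wins over allow in AppArmor).
  deny capability sys_admin,
  deny capability sys_chroot,
  deny capability sys_ptrace,

  # Signals: an unconfined process (shell, session manager) may signal the
  # browser, but the browser may not signal unconfined processes.
  signal (receive) peer=unconfined,
  deny signal (send) peer=unconfined,

  # Per-user state. owner-qualified so another user's files under the same
  # paths are never reachable. The upstream Firefox profile directory is
  # explicitly denied (no cross-contamination, and deny rules are not logged).
  owner @{HOME}/.waterfox/ rwk,
  owner @{HOME}/.waterfox/** rwkm,
  deny @{HOME}/.mozilla/ rw,
  deny @{HOME}/.mozilla/** rw,
  owner @{HOME}/.cache/waterfox/ rwk,
  owner @{HOME}/.cache/waterfox/** rwkm,
  owner @{HOME}/.cache/mesa_shader_cache/** rwk,

  # procfs. Self-inspection is owner-qualified and limited to @{pid}. The
  # uid_map/gid_map/setgroups rule is deliberately wider (any pid, no owner)
  # -- presumably for setting up user-namespaced child processes; confirm, and
  # tighten to owner/@{pid} if the sandbox still starts with that restriction.
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/{mountinfo,statm,smaps} r,
  owner @{PROC}/@{pid}/task/@{pids}/stat r,
  @{PROC}/@{pids}/net/arp r,
  @{PROC}/@{pids}/{uid_map,gid_map,setgroups} rw,
  owner /run/user/[0-9]*/dconf/user rw,

  # Shared memory for IPC. The browser creates these segments itself, so the
  # rules are owner-qualified: segments with the same name pattern created by
  # another user on the host stay out of reach.
  /dev/ r,
  owner /dev/shm/org.chromium.* rwkm,
  owner /dev/shm/org.mozilla.ipc.* rwkm,

  # Must use TMPDIR=/tmp/waterfox/ env to have it store all its stuff there
  # Otherwise it creates a lot of different non-descriptive files/dirs in /tmp root
  # Not owner-qualified: the path is fixed and world-visible, so whoever
  # creates /tmp/waterfox/ first controls it. Create it as the user before the
  # first run (how it is created is not shown here -- TODO confirm).
  /tmp/waterfox/ rwk,
  /tmp/waterfox/** rwk,

  # GPU identification
  /sys/bus/pci/devices/ r,
  /sys/devices/pci[0-9:.]*/[0-9:.]*/* r,
  /sys/devices/pci[0-9:.]*/[0-9:.]*/[0-9:.]*/* r,

  # U2F token, can be tested via https://webauthn.io/
  # Device discovery is read-only sysfs/udev data; the hidraw rule at the end
  # is the real grant and matches every HID raw device (keyboards, mice, ...),
  # not just the token. Narrowing it needs a per-device path or a udev rule.
  /sys/devices/system/cpu/present r,
  /run/udev/data/* r,
  /sys/devices/pci*/ r,
  /sys/devices/pci*/*/ r,
  /sys/devices/pci*/*/usb*/ r,
  /sys/devices/pci*/*/usb*/**/uevent r,
  /sys/{bus,class,class/hidraw}/ r,
  /sys/class/hidraw/hidraw* r,
  /dev/hidraw* rw,

  # URL handlers
  # Ux: the wrapper runs unconfined with a scrubbed environment, with whatever
  # URL the page handed over. Keep the wrappers minimal; the owner qualifier
  # ensures only the user's own copies can be launched this way.
  owner @{HOME_BIN}/wrappers/xdg-open Ux,
  owner @{HOME_BIN}/wrappers/leech_*.wrapper Ux,

  # File selection dialogs
  # Presumably the GTK chooser lists @{HOME} and reads the mount tables; the
  # home-directory listing is denied (silently), mount info is allowed.
  deny @{HOME} r,
  /etc/fstab r,
  /run/mount/utab r,

  # User GTK3 theme/icon dirs
  owner @{HOME}/.themes/ r,
  owner @{HOME}/.themes/** r,
  owner @{HOME}/.icons/ r,
  owner @{HOME}/.icons/** r,

  # Network: only IPv4 (inet) TCP/UDP is granted here. Whether IPv6 is usable
  # depends on what the included abstractions (nameservice in particular)
  # grant -- check the audit log before assuming inet6 is blocked; add
  # "network inet6 dgram," / "network inet6 stream," if it is wanted explicitly.
  network inet dgram,
  network inet stream,
}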