We are shipping Firejail with a large number of browser profiles. Many of these browsers are just forks of Firefox and Chromium, with only minor deviations from the original codebase.
In order to ease maintenance, I would like to propose rewriting these profiles with redirections to something like firefox-common.inc and chromium-common.inc. The browser profiles themselves could keep their specific paths (and private-bin if necessary).
Should projects begin to deviate more strongly (like Moon browser does already), it is still always possible to switch to a dedicated profile.
Here are all the browsers we have profiles for. If I missed any just edit it in.
Of note there are 4 email clients that all include firefox.profile for whatever reason:
fossamail, geary, icedove, and thunderbird
Here I gave it a go and unified all of the Chromium-based profiles
https://github.com/SkewedZeppelin/firejail/commit/30d0b5d179992f752e38694052de953f8da970c9
Edit: Updated with brave added. It's probably safe to merge.
The Firefox ones might be more tedious. We should also evaluate whether or not we want to keep all of the paths that we currently do in Firefox.
On the note about the email clients, I for one think we ought to not include firefox in their profiles. We already have to do some workarounds (like ignore private-tmp and commenting out machine-id in the thunderbird profile, all because we also include firefox's profile.)
I'll take a look at the firefox profiles and see if I can get something similar to @SkewedZeppelin
@Fred-Barclay I hope you didn't start yet, because I just finished.
Here are all Chromium and Firefox based browsers profiles unified https://github.com/SkewedZeppelin/firejail/commit/df2f568041fd926a217812523399b059bc888233
I left out torbrowser for the increased security. We should also consider removing many of the paths in firefox-common.profile
@SkewedZeppelin no worries. 😁 Thanks!
Would removing all of the paths besides
${HOME}/.cache/mozilla/firefox
${HOME}/.mozilla
${HOME}/.pki
whitelist ${DOWNLOADS}
be too far?
So these? That'd be great, but I wonder how many people use addons/plugins that depend on them.
${HOME}/.cache/gnome-mplayer/plugin
${HOME}/.config/gnome-mplayer
${HOME}/.config/okularpartrc
${HOME}/.config/okularrc
${HOME}/.config/pipelight-silverlight5.1
${HOME}/.config/pipelight-widevine
${HOME}/.config/qpdfview
${HOME}/dwhelper
${HOME}/.kde4/share/apps/kget
${HOME}/.kde4/share/apps/okular
${HOME}/.kde4/share/config/kgetrc
${HOME}/.kde4/share/config/okularpartrc
${HOME}/.kde4/share/config/okularrc
${HOME}/.kde/share/apps/kget
${HOME}/.kde/share/apps/okular
${HOME}/.kde/share/config/kgetrc
${HOME}/.kde/share/config/okularpartrc
${HOME}/.kde/share/config/okularrc
${HOME}/.keysnail.js
${HOME}/.lastpass
${HOME}/.local/share/gnome-shell/extensions
${HOME}/.local/share/okular
${HOME}/.local/share/qpdfview
${HOME}/.pentadactyl
${HOME}/.pentadactylrc
${HOME}/.vimperator
${HOME}/.vimperatorrc
${HOME}/.wine-pipelight
${HOME}/.wine-pipelight64
${HOME}/.zotero
We could break them out into an include and have it included by default, so advanced users wanting extra security can comment the line. Or the inverse or similar.
Like
include /etc/firejail/firefox-common-addons.inc
Edit: See https://github.com/SkewedZeppelin/firejail/commit/c4a640f05acd675ee47452ab078dcc2abd229406
Let's do it!
EDIT: by "it" I would prefer commenting the include addons line out and just letting advanced users uncomment it if needed... but this might temporarily break more people's setups than we really ought to.
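As an added illustration of the layout discussed in this thread (these are not the profiles Firejail actually ships), the three fragments below show a shared base include, the optional addon include, and a browser profile that pulls both in with the addon line commented out. Everything beyond the file names and the four paths quoted above is an assumption: the disable-*.inc and whitelist-common.inc includes and the hardening directives are standard Firejail syntax, but the exact set a real profile needs is not taken from this page.

```text
# --- /etc/firejail/firefox-common.inc (assumed shared base) ---
# noblacklist must come before the disable-*.inc includes, or the
# browser's own state directories get blacklisted by them.
noblacklist ${HOME}/.cache/mozilla/firefox
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.pki

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

# The first whitelist line turns ${HOME} into an allow-list: anything
# not whitelisted below is hidden from the sandbox. mkdir ensures the
# directory exists so the whitelist bind-mount does not silently fail.
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
mkdir ${HOME}/.pki
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.pki
whitelist ${DOWNLOADS}
include /etc/firejail/whitelist-common.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
private-dev
private-tmp

# --- /etc/firejail/firefox-common-addons.inc (assumed optional include) ---
# One noblacklist/mkdir/whitelist triple per legacy plugin path; only
# ${HOME}/.zotero is shown here as a representative entry.
noblacklist ${HOME}/.zotero
mkdir ${HOME}/.zotero
whitelist ${HOME}/.zotero

# --- /etc/firejail/firefox.profile (assumed per-browser profile) ---
# Browser-specific paths and private-bin stay here; a fork's profile
# would list its own state directory in place of the firefox ones.
# Uncomment the next line to regain the legacy addon directories at
# the cost of a wider whitelist. It must precede firefox-common.inc so
# its noblacklist lines run before the disable-*.inc includes.
#include /etc/firejail/firefox-common-addons.inc
include /etc/firejail/firefox-common.inc
private-bin firefox,which,sh,dbus-launch,dbus-send,env
```

Because whitelist is cumulative across includes, a fork profile only has to add its own noblacklist/mkdir/whitelist triple before the include line to get the same hardening with a different state directory.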
Now that firefox is using webextensions (like Chrome, I believe), maybe we don't need all these paths anyways? The chrome profiles don't have 'em and I don't think we've had any real issues despite them not being there.
@Fred-Barclay Ahh, sorry, I had not seen your edit when I posted to the PR.
The chrome profiles don't have 'em and I don't think we've had any real issues despite them not being there.
Maybe external pdf readers were more popular in Firefox because the built-in reader used to be worse than Chromium's :smile:
But in general I agree, you have a point there.