github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6
firejail/etc/profile-a-l/chromium-common.profile
Kelvin M. Klann 8b60da9811
profiles: remove mkdir ~/.pki (#6732) 
To reduce clutter in the user home.

This appears to be a legacy path and the relevant profiles already
create an XDG path as well:

    mkdir ${HOME}/.local/share/pki

From nss 3.111[1]:

    /**
     * Return the path to user's NSS database.
     * We search in the following dirs in order:
     * (1) $HOME/.pki/nssdb;
     * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
     * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
     * If (1) does not exist, then the returned dir will be set to either
     * (2) or (3), depending if XDG_DATA_HOME is set.
     */

The XDG path has apparently been supported since nss 3.42, which was
released on 2019-01-25[2] [3] [4].

Misc: The original path was first added on commit 3a71eb2af ("added
mkdir in all whitelisted profiles", 2016-02-18) and the XDG path was
first added on commit 63c35052b ("Add '$HOME/.local/share/pki' to
blacklist", 2019-02-03).

Relates to #4262.

[1] https://github.com/nss-dev/nss/blob/NSS_3_111_RTM/lib/sysinit/nsssysinit.c#L64-L72
[2] https://github.com/nss-dev/nss/blob/NSS_3_42_RTM/lib/sysinit/nsssysinit.c#L65-L73
[3] 7f21d4f497
[4] https://github.com/nss-dev/nss/releases/tag/NSS_3_42_RTM
2025-05-04 05:13:08 +00:00

59 lines
1.8 KiB
Text
Raw Permalink Blame History

# Firejail profile for chromium-common
# This file is overwritten after every install/update
# Persistent local customizations
include chromium-common.local
# Persistent global definitions
# added by caller profile
#include globals.local
# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
# To enable support for the KeePassXC extension, add the following lines to
# chromium-common.local.
# Note: Start KeePassXC before the web browser and keep it open to allow
# communication between them.
#noblacklist ${RUNUSER}/app
#whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.pki
noblacklist /usr/lib/chromium/chrome-sandbox
# Add the next line to chromium-common.local if you want the web browser to
# have access to Gnome extensions (extensions.gnome.org) via the browser
# connector.
#include allow-python3.inc
blacklist ${PATH}/curl
blacklist ${PATH}/wget
blacklist ${PATH}/wget2
mkdir ${HOME}/.local/share/pki
whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.pki
whitelist /usr/share/mozilla/extensions
whitelist /usr/share/webext
include whitelist-run-common.inc
# If your kernel allows the creation of user namespaces by unprivileged users
# (for example, if running `unshare -U echo enabled` prints "enabled"), you
# can add the next line to chromium-common.local.
#include chromium-common-hardened.inc.profile
?BROWSER_DISABLE_U2F: nou2f
?BROWSER_DISABLE_U2F: private-dev
#private-tmp # issues when using multiple browser sessions
# Note: This prevents access to passwords saved in GNOME Keyring and KWallet
# and breaks Gnome connector.
#dbus-user none
# The file dialog needs to work without d-bus.
?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
# Redirect
include blink-common.profile
Reference in a new issue View git blame Copy permalink