# Last Modified: Tue Oct 24 16:34:53 2023
include <tunables/global>

## Copyright (C) 2014 troubadour <trobador@riseup.net>
## Copyright (C) 2014 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR}

/**/*-browser/Browser/firefox flags=(attach_disconnected) {
  include <abstractions/X>
  include <abstractions/audio>
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/user-tmp>
  include <local/home.tor-browser.firefox>

  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  network inet stream,
  network inet6 stream,
  network netlink raw,

  userns,

  deny /etc/fstab r,
  deny /etc/group r,
  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/mailcap r,
  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,
  deny /etc/resolv.conf r,
  deny /etc/udev/udev.conf r,
  deny /run/udev/** r,

  deny /sys/devices/** r,

  /var/cache/fontconfig/** r,
  deny /var/cache/fontconfig/** wk,
  deny /var/lib/dbus/machine-id r,

  deny @{PROC}/@{pid}/cmdline r,
  deny @{PROC}/@{pid}/mountinfo r,
  deny @{PROC}/@{pid}/net/arp r,
  deny @{PROC}/@{pid}/net/route r,
  deny @{PROC}/@{pid}/stat r,
  deny @{PROC}/@{pid}/task/ r,
  deny @{PROC}/@{pid}/task/** r,
  deny @{PROC}/sys/kernel/random/uuid r,
  deny @{PROC}/sys/vm/overcommit_memory r,

  /bin/dash rix,
  /bin/ps rix,

  /dev/dri/** r,
  /dev/shm/org.chromium.* rwk,
  /dev/shm/org.mozilla.ipc.* rwk,
  /dev/vboxuser rw,

  /etc/dconf/** r,
  /etc/debian_version r,
  /etc/glvnd/egl_vendor.d/ r,
  /etc/ld.so.conf r,
  /etc/ld.so.conf.d/* r,
  /etc/mime.types r,
  /etc/python*/** r,
  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,
  /etc/xfce4/defaults.list r,

  /run/**/**/dconf/ rw,
  /run/**/**/dconf/** rw,
  /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock rw,
  /run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock rw,
  /run/firejail/lib/libpostexecseccomp.so mr,
  /run/resolvconf/resolv.conf r,
  /run/split-browser-disp/from-firefox w,
  /run/split-browser-disp/into-firefox rw,

  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/class/ r,
  /sys/class/input/ r,

  /usr/bin/apt-cache rix,
  /usr/bin/cut mrix,
  /usr/bin/dash rix,
  /usr/bin/dirname rix,
  /usr/bin/getopt mrix,
  /usr/bin/kde4-config rix,
  /usr/bin/lsb_release rix,
  /usr/bin/ps rix,
  /usr/bin/pulseaudio rix,

  /usr/bin/tr mrix,
  /usr/lib/*-linux-gnu/** mrix,
  /usr/lib/python*/lib-dynload/* mr,
  /usr/local/lib/python*/dist-packages/ r,
  /usr/local/lib/python*/dist-packages/** r,
  /usr/share/** r,
  /usr/share/applications/** rk,

  /var/cache/fontconfig/ rk,
  /var/cache/fontconfig/** r,

  @{PROC}/*/environ r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/gid_map rw,
  @{PROC}/@{pid}/setgroups rw,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/uid_map rw,
  owner @{PROC}/*/cgroup r,
  owner @{PROC}/*/mounts r,
  owner @{PROC}/*/oom_score_adj w,

  owner /**/*-browser/** mrwlkix,

  @{HOME}/ r,
  @{HOME}/.config/ibus/bus/* r,
  @{HOME}/.kde/share/config/* r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
  owner @{user_download_dirs}/ r,
  owner @{user_download_dirs}/** rwkl,

}