Apparmor profile for Vivaldi browser?

  • Hi,
    is there a properly developed Apparmor profile for the Vivaldi browser?

    I say 'properly developed' as it is an easy task to cobble one together yourself, but if you're not fully aware of what each permission actually gives, it can be a total waste of time.

  • @nerderello said in Apparmor profile for Vivaldi browser?:


    Can't help you with Apparmor, but i can with Firejail, if you decide on that instead. I run all my browsers, incl. both V's, & multiple other non-browser pgms, in FJ. It's good.

  • Steffie,
    many thanks for your reply.
    I'm currently trying out your suggestion - using firejail - with the browser I know the best - Firefox.
    Apart from firejail causing a whole load of new Apparmor messages (and creating an empty copy of the "/etc/" file - which of course causes even more Apparmor messages) it seems to be fine.
    Haven't used it with Vivaldi yet, as the profiles included in the Ubuntu package don't have it.
    While I continue to trial firejail with my old Firefox browser, can you suggest any useful links and/or tools that will enhance my firejail experience.


  • @nerderello said in Apparmor profile for Vivaldi browser?:


    Hi @nerderello . Glad you've given it a try, hope it works out to your satisfaction. I cannot vouch for FJ & Apparmor playing nice together [not saying they won't; i just don't know... i've never used the latter].

    FYI, here's my V-SS FJ profile [you store your personal profiles in (your equivalent of) /home/steffie/.config/firejail/vivaldi-snapshot.profile (they take precedence over any stock profile of same name in /etc/firejail)]:

    # Firejail profile alias for vivaldi-snapshot ... via copying & editing the std vivaldi profile of FJ 0.9.50 - on 28/11/17.
    # Firejail profile for vivaldi-snapshot
    # This file is overwritten after every install/update
    # Persistent local customizations
    include /etc/firejail/vivaldi-snapshot.local
    # Persistent global definitions
    include /etc/firejail/globals.local
    noblacklist ~/.cache/vivaldi-snapshot
    noblacklist ~/.config/vivaldi-snapshot
    include /etc/firejail/
    include /etc/firejail/
    include /etc/firejail/
    mkdir ~/.cache/vivaldi-snapshot
    mkdir ~/.config/vivaldi-snapshot
    whitelist ${DOWNLOADS}
    whitelist ~/.cache/vivaldi-snapshot
    whitelist ~/.config/vivaldi-snapshot
    include /etc/firejail/
    caps.keep sys_chroot,sys_admin
    shell none
    # private-tmp - problems with multiple browser sessions
    noexec ${HOME}
    noexec /tmp
    # 19/1/18:   NB: With advent of V-Snapshot 1.14.1072.3 (Official Build) snapshot (64-bit), which comes with Chromium 64 that breaks previous installation & storage protocol for libffmpeg, without which H.264/MP4 [hence Netflix] break, I had to add the following new line, else Firejail itself actually blocks access to the new file /home/steffie/.local/lib/vivaldi/ -- ironic. 
    whitelist ~/.local/lib/vivaldi/
    # 8/2/18:   Some weeks ago the preceding workaround became unnecessary [indeed i do not need ~/.local/lib/vivaldi/ anymore & so deleted it back then], but i chose to retain this mod in my custom v-SS FJ profile just in case a future V-SS update makes the workaround needed again. 

    My current FJ version is 0.9.52-1. If Ubuntu uses an older version, my profile might not work; some FJ version jumps deliver substantial changes, with rather different stock profiles to match the enhanced codebase.

    FYI, here's the current stock profiles for 0.9.52-1:

    [steffie@GA-Z97-HD3-Tower firejail (points to ⁄etc⁄firejail)]$ ls -h
    0ad.profile                gjs.profile                               pdftotext.profile
    2048-qt.profile            globaltime.profile                        peek.profile
    7z.profile                 gnome-2048.profile                        picard.profile
    abrowser.profile           gnome-books.profile                       pidgin.profile
    akregator.profile          gnome-calculator.profile                  ping.profile
    amarok.profile             gnome-chess.profile                       pingus.profile
    amule.profile              gnome-clocks.profile                      pinta.profile
    android-studio.profile     gnome-contacts.profile                    pithos.profile
    aosp.profile               gnome-documents.profile                   pix.profile
    apktool.profile            gnome-font-viewer.profile                 pluma.profile
    arch-audit.profile         gnome-maps.profile                        polari.profile
    archaudit-report.profile   gnome-mplayer.profile                     psi-plus.profile
    ardour4.profile            gnome-music.profile                       qbittorrent.profile
    ardour5.profile            gnome-photos.profile                      qemu-launcher.profile
    arduino.profile            gnome-ring.profile                        qemu-system-x86_64.profile
    ark.profile                gnome-twitch.profile                      qlipper.profile
    arm.profile                gnome-weather.profile                     qpdfview.profile
    atom-beta.profile          goobox.profile                            qtox.profile
    atom.profile               google-chrome-beta.profile                quassel.profile
    atool.profile              google-chrome.profile                     quiterss.profile
    atril.profile              google-chrome-stable.profile              qupzilla.profile
    audacious.profile          google-chrome-unstable.profile            qutebrowser.profile
    audacity.profile           google-earth.profile                      rambox.profile
    aweather.profile           google-play-music-desktop-player.profile  ranger.profile
    baloo_file.profile         gpa.profile                               remmina.profile
    baobab.profile             gpg-agent.profile                         rhythmbox.profile
    bibletime.profile          gpg.profile                               ricochet.profile
    bitlbee.profile            gpicview.profile                          riot-web.profile
    bleachbit.profile          gpredict.profile                          ristretto.profile
    blender.profile            gtar.profile                              rocketchat.profile
    bless.profile              gthumb.profile                            rtorrent.profile
    bluefish.profile           guayadeque.profile              
    bnox.profile               gucharmap.profile                         scribus.profile
    brackets.profile           gwenview.profile                          sdat2img.profile
    brasero.profile            gzip.profile                              seamonkey-bin.profile
    brave.profile              handbrake-gtk.profile                     seamonkey.profile
    bsdtar.profile             handbrake.profile                         server.profile
    caja.profile               hashcat.profile                           shotcut.profile
    calibre.profile            hedgewars.profile                         signal-desktop.profile
    calligraauthor.profile     hexchat.profile                           silentarmy.profile                              
    calligraconverter.profile  highlight.profile                         simple-scan.profile                             
    calligraflow.profile       hugin.profile                             simutrans.profile
    calligraplan.profile       icecat.profile                            skanlite.profile
    calligraplanwork.profile   icedove.profile                           skypeforlinux.profile
    calligra.profile           iceweasel.profile                         skype.profile
    calligrasheets.profile                           slack.profile
    calligrastage.profile      imagej.profile                            smplayer.profile
    calligrawords.profile      img2txt.profile                           smtube.profile
    catfish.profile            inkscape.profile                          snap.profile
    cherrytree.profile         inox.profile                              soffice.profile
    chromium-browser.profile   iridium-browser.profile                   soundconverter.profile
    chromium.profile           iridium.profile                           spotify.profile
    cinelerra.profile          itch.profile                              sqlitebrowser.profile
    cin.profile                jd-gui.profile                            ssh-agent.profile
    clamav.profile             jitsi.profile                             ssh.profile
    clamdscan.profile          k3b.profile                               start-tor-browser.profile
    clamdtop.profile           karbon.profile                            steam.profile
    clamscan.profile           kate.profile                              stellarium.profile
    claws-mail.profile         kcalc.profile                             strings.profile
    clementine.profile         kdeinit4.profile                          supertux2.profile
    clipit.profile             kdenlive.profile                          surf.profile
    cliqz.profile              keepass2.profile                          synfigstudio.profile
    cmus.profile               keepass.profile                           tar.profile
    conkeror.profile           keepassx2.profile               
    conky.profile              keepassxc.profile                         teamspeak3.profile
    corebird.profile           keepassx.profile                          telegram-desktop.profile
    cower.profile              kget.profile                              telegram.profile
    cpio.profile               kino.profile                              Telegram.profile
    cryptocat.profile          kmail.profile                             terasology.profile
    Cryptocat.profile          knotes.profile                            thunar.profile
    curl.profile               kodi.profile                              Thunar.profile
    cvlc.profile               konversation.profile                      thunderbird.profile
    cyberfox.profile           kopete.profile                            tor-browser-en.profile
    Cyberfox.profile           krita.profile                             torbrowser-launcher.profile
    darktable.profile          krunner.profile                           tor.profile
    deadbeef.profile           ktorrent.profile                          totem.profile
    default.profile            kwin_x11.profile                          tracker.profile
    deluge.profile             kwrite.profile                            transmission-cli.profile
    dex2jar.profile            leafpad.profile                           transmission-gtk.profile
    dia.profile                less.profile                              transmission-qt.profile
    digikam.profile            libreoffice.profile                       transmission-show.profile
    dillo.profile              liferea.profile                           truecraft.profile
    dino.profile               linphone.profile                          tuxguitar.profile
                               lmms.profile                              uefitool.profile
                               localc.profile                            uget-gtk.profile
                               lodraw.profile                            unbound.profile
                               loffice.profile                           unknown-horizons.profile
    display.profile            lofromtemplate.profile                    unrar.profile
    dnox.profile               login.users                               unzip.profile
    dnscrypt-proxy.profile     loimpress.profile                         uudeview.profile
    dnsmasq.profile            lollypop.profile                          uzbl-browser.profile
    dolphin.profile            lomath.profile                            Viber.profile
    dooble.profile             loweb.profile                             viewnior.profile
    dooble-qt4.profile         lowriter.profile                          viking.profile
    dosbox.profile             luminance-hdr.profile                     vim.profile
    dragon.profile             lximage-qt.profile                        virtualbox.profile
    dropbox.profile            lxmusic.profile                           VirtualBox.profile
    ebook-viewer.profile       lynx.profile                              vivaldi-beta.profile
    electron.profile           macrofusion.profile                       vivaldi.profile
    elinks.profile             makepkg.profile                           vivaldi-stable.profile
    emacs.profile              mate-calc.profile                         vlc.profile
    empathy.profile            mate-calculator.profile                   vym.profile
    enchant.profile            mate-color-select.profile                 w3m.profile
    engrampa.profile           mate-dictionary.profile                   warzone2100.profile
    enpass.profile             mathematica.profile                       waterfox.profile
    eog.profile                Mathematica.profile             
    eom.profile                mcabber.profile                           weechat-curses.profile
    epiphany.profile           mediainfo.profile                         weechat.profile
    etr.profile                mediathekview.profile                     wesnoth.profile
    evince.profile             meld.profile                              wget.profile
    evolution.profile          midori.profile                  
    exiftool.profile           minetest.profile                
    fbreader.profile           mousepad.profile                          wine.profile
    feh.profile                mpd.profile                               wire.profile
    fetchmail.profile          mplayer.profile                           Wire.profile
    ffmpeg.profile             mpv.profile                               wireshark-gtk.profile
    file.profile               multimc5.profile                          wireshark.profile
    file-roller.profile        mumble.profile                            wireshark-qt.profile
    filezilla.profile          mupdf.profile                             xcalc.profile
    firefox-esr.profile        mupen64plus.profile                       xchat.profile
    firefox-nightly.profile    musescore.profile                         xed.profile
    firefox.profile            mutt.profile                              Xephyr.profile
    firejail.config            natron.profile                            xfburn.profile
    flashpeak-slimjet.profile  Natron.profile                            xfce4-dict.profile
    flowblade.profile          nautilus.profile                          xfce4-notes.profile
    fontforge.profile          nemo.profile                              xiphos.profile
    fossamail.profile          netsurf.profile                           xmms.profile
    FossaMail.profile          neverball.profile                         xmr-stak-cpu.profile
    franz.profile              nheko.profile                             xonotic-glx.profile
    freecadcmd.profile                               xonotic.profile
    freecad.profile            nylas.profile                             xonotic-sdl.profile
    freshclam.profile          obs.profile                               xpdf.profile
    frozen-bubble.profile      odt2txt.profile                           xplayer.profile
    gajim.profile              okular.profile                            xpra.profile
    galculator.profile         openbox.profile                           xreader.profile
    geany.profile              open-invaders.profile                     x-terminal-emulator.profile
    geary.profile              openshot.profile                          Xvfb.profile
    gedit.profile              openshot-qt.profile                       xviewer.profile
    geeqie.profile             opera-beta.profile                        xzdec.profile
    ghb.profile                opera.profile                             xz.profile
    gimp-2.8.profile           orage.profile                             yandex-browser.profile
    gimp.profile               palemoon.profile                          youtube-dl.profile
    gitg.profile               parole.profile                            zaproxy.profile
    git.profile                pcmanfm.profile                           zart.profile
    gitter.profile             pdfmod.profile                            zathura.profile
    Gitter.profile             pdfsam.profile                            zoom.profile
    [steffie@GA-Z97-HD3-Tower firejail (points to ⁄etc⁄firejail)]$ 

    Note there is a Vivaldi [ie, Stable] profile therein; older FJ versions did not have it.

    These are some of the links i have historically found informative:

    7. [teehee]

    Finally, fyi here's some [older] FJ memory-joggers i keep in my V Notes webpanel:

    **FireJail** & **firecfg**.
    Running **sudo firecfg** enables Firejail for all programs, individual programs can then be disabled by removing them from **/usr/local/bin**.
    Need to re-run **sudo firecfg** after installing new pgms. 
    Installing and configuring Firejail
    Download the latest Firejail .deb package from our Download page and run the following three commands in a terminal:
           $ sudo dpkg -i firejail_0.9.46_1_amd64.deb
           $ firecfg --fix-sound
           $ sudo firecfg
    The *first* command installs Firejail software. 
    The *second* command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. 
    The *third* command integrates Firejail into your desktop. You would need to log out and log back in to apply PulseAudio changes.

    Happy FJ'ing.
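
Added example, not part of the original posts and not Firejail's own code: a POSIX shell check for the precedence rule described above (a personal profile in ~/.config/firejail wins over a stock profile of the same name in /etc/firejail), which also lists `include` targets that do not resolve to a file. The function names and the optional directory arguments are hypothetical, and treating `*.local` includes as optional is an assumption about Firejail's behaviour.

```shell
#!/bin/sh
# Added example: helper names and directory arguments are hypothetical.

# resolve_profile NAME [USER_DIR] [STOCK_DIR]
# Prints the profile path that takes precedence for NAME: a personal
# profile in USER_DIR wins over a stock profile of the same name.
resolve_profile() {
    name=$1
    user_dir=${2:-"$HOME/.config/firejail"}
    stock_dir=${3:-/etc/firejail}
    for dir in "$user_dir" "$stock_dir"; do
        if [ -f "$dir/$name.profile" ]; then
            printf '%s\n' "$dir/$name.profile"
            return 0
        fi
    done
    return 1
}

# missing_includes PROFILE
# Prints each absolute "include" target in PROFILE that is not a regular
# file (a missing file, or a bare directory). Commented-out lines are skipped.
missing_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^[:space:]]*\).*$/\1/p' "$1" |
    while IFS= read -r target; do
        case $target in
            # Assumption: *.local files are optional local overrides.
            *.local) continue ;;
        esac
        [ -f "$target" ] || printf '%s\n' "$target"
    done
}

# Stand-alone use: sh check-profile.sh vivaldi-snapshot
if [ "$#" -gt 0 ]; then
    if profile=$(resolve_profile "$1"); then
        echo "active profile: $profile"
        missing_includes "$profile" | sed 's/^/unresolved include: /'
    else
        echo "no profile found for $1" >&2
        exit 1
    fi
fi
```

An empty list from `missing_includes` means every non-`.local` include in the active profile points at a real file, which is worth re-checking after a Firejail version jump changes the stock profiles.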

  • Steffie,
    thanks for this, it'll keep me busy for a while. 🙂
    The version that comes with Ubuntu is 9.38.10 which is just short of the LTS.
    I'll give the latest stable version - 9.52.1 - a go.

    thanks again

