Last active
February 16, 2025 22:08
-
-
Save richardweinberger/cae9edeafeec4cdf657f9bdae00be241 to your computer and use it in GitHub Desktop.
Confine Firefox
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # Run Mozilla Firefox in a sandbox - The goal is to deny access to most locations while keeping the full user experience | |
| # | |
| # - Read/write access only to ~/Downloads, ~/.mozilla (profiles), and /tmp | |
| # - /tmp in read/write is needed to access X11 and for temporary downloads | |
| # - The host /dev is mapped into the sandbox so that access to DRI, camera, and sound devices works | |
| # - --disable-userns is *not* used to allow Firefox to sandbox itself further | |
| # - /run is needed to access the current session (e.g., for PipeWire audio) | |
| # - Developed and tested on OpenSUSE; some paths may vary (e.g., /lib64 or /run) | |
| # | |
| exec bwrap \ | |
| --dev-bind /dev /dev \ | |
| --proc /proc \ | |
| --bind /tmp /tmp \ | |
| --bind ~/.mozilla ~/.mozilla \ | |
| --bind ~/Downloads ~/Downloads \ | |
| --bind ~/.cache/mozilla ~/.cache/mozilla \ | |
| --ro-bind /bin /bin \ | |
| --ro-bind /lib64 /lib64 \ | |
| --ro-bind /sys /sys \ | |
| --ro-bind /etc /etc \ | |
| --ro-bind /usr /usr \ | |
| --ro-bind /run /run \ | |
| --ro-bind ~/.config ~/.config \ | |
| --unshare-all \ | |
| --share-net \ | |
| firefox "$@" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment