# Limited access to homedir contents
whitelist ~/.config/firefox
whitelist ~/.config/gtk-3.0
whitelist ~/.mozilla/firefox
whitelist ~/documents
whitelist ~/downloads
whitelist ~/pictures

read-only ~/.config/gtk-3.0
read-only ~/documents
read-only ~/downloads
read-only ~/pictures

read-write ~/downloads/firefox

# Use private system resources
private-tmp

# Remove executable bits
noexec /tmp

caps.drop all