Merge branch 'master' of ssh://github.com/netblue30/firejail

3 files changed, 58 insertions, 43 deletions

diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 0e5c35167..d0d0f2168 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -1,55 +1,43 @@
-# Firejail profile for electron-mail
-# Description: Unofficial desktop app for several E2E encrypted email providers
+# Firejail profile for ElectronMail
+# Description: Unofficial desktop app for the Proton Mail E2E encrypted email provider
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron-mail.local
 # Persistent global definitions
 include globals.local
 
+ignore dbus-user none
+ignore disable-mnt
+
 noblacklist ${HOME}/.config/electron-mail
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
-whitelist ${DOWNLOADS}
-
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-# tracelog - breaks on Arch
-
-private-bin electron-mail
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+machine-id
+nosound
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-opt ElectronMail
-private-tmp
 
-# breaks tray functionality
-# dbus-user none
-dbus-system none
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 
-# memory-deny-write-execute - breaks on Arch
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..ae62c0b89 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -10,14 +10,19 @@ noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
@@ -26,8 +31,14 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qutebrowser
 whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
+whitelist /usr/share/qtbrowser
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,3 +49,19 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
 seccomp !chroot,!name_to_handle_at
 # tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
+dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+dbus-system none
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3b743386e..c26d21ec9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -164,12 +164,12 @@ private-bin and private-lib are disabled by default when running appimages.
 .br
 Example:
 .br
-$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
+$ firejail --profile=krita --appimage krita-3.0-x86_64.appimage
 .br
-$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage
+$ firejail --private --profile=krita --appimage krita-3.0-x86_64.appimage
 .br
 #ifdef HAVE_X11
-$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
+$ firejail --net=none --x11 --profile=krita --appimage krita-3.0-x86_64.appimage
 #endif
 .TP
 #ifdef HAVE_NETWORK