default Firefox whitelisting

author: netblue30 <netblue30@yahoo.com> 2015-10-25 10:45:25 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-10-25 10:45:25 -0400
commit: 5a52191865c5f0cdbc610b0ad656b919f0dc1605 (patch)
tree: 0f821744e282d9c4409242b43c9ea6db8857f4ed
parent: fix struct stat64 problem for musl libc (diff)
download: firejail-5a52191865c5f0cdbc610b0ad656b919f0dc1605.tar.gz
firejail-5a52191865c5f0cdbc610b0ad656b919f0dc1605.tar.zst
firejail-5a52191865c5f0cdbc610b0ad656b919f0dc1605.zip
3 files changed, 22 insertions, 23 deletions
diff --git a/README.md b/README.md
index 37bf7af4d..2cf9c6d1e 100644
--- a/README.md
+++ b/README.md
@@ -34,34 +34,27 @@ FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/
-## Known Problems
+## New features in the development version
-### PulseAudio 7.0
+### Enable whitelists in Firefox default profile
-The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0.
+The next release will bring in default whitelisting for Firefox files and folders under /home/user.
-Arch Linux users are reporting sound problems when running applications in Firejail sandbox.
+If you start the sandbox without any other options, this is what you'll get:
-A preliminary fix was introduced on master branch. The fix is available in release 0.9.32, and disables PulseAudio shared memory functionality
-inside the sandbox. If you are seeing any problems,
-please let us know here: https://github.com/netblue30/firejail/issues/69
-If you are unable to update Firejail, or if you want to continue using the latest released version, these are some workarounds:
+![Whitelisted home directory](firefox-whitelist.png?raw=true)
-*   Running ALSA
+The code is located in etc/firefox.inc file:
-    By default, if Firefox fails to connect to PulseAudio, it will connect directly to ALSA.
-    Also by default, ALSA comes with the sound volume down. You would need to install *alsamixer*
-    (*alsa-utils* package) or *gnome-alsamixer*, run it, and crank up the volume (both Master and PCM).
- 
-*  Disable shm functionality in PulseAudio
 `````
-$ mkdir -p ~/.config/pulse
+whitelist ~/.mozilla
-$ cd ~/.config/pulse
+whitelist ~/Downloads
-$ cp /etc/pulse/client.conf .
+whitelist ~/dwhelper
-$ echo "enable-shm = no" >> client.conf
+whitelist ~/.zotero
+whitelist ~/.lastpass
 `````
-* Disable srbchannel IPC mechanism in version 7.0
-    Edit /etc/pulse/default.pa – change the line "load-module module-native-protocol-unix"
-    to "load-module module-native-protocol-unix srbchannel=no" and restart PulseAudio daemon.
+I intend to bring in all files and directories used by Firefox addons and plugins. So far I have
+[Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/),
+[Zotero](https://www.zotero.org/download/) and
+[LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/).
+If you're using a anything else, please let me know.
diff --git a/etc/firefox.profile b/etc/firefox.profile
index ec95324c8..2e8081ad3 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -9,6 +9,12 @@ seccomp
 netfilter
 noroot
 shell none
+whitelist ~/.mozilla
+whitelist ~/Downloads
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.lastpass
diff --git a/firefox-whitelist.png b/firefox-whitelist.png
new file mode 100644
index 000000000..e98cb4b02
--- /dev/null
+++ b/firefox-whitelist.png
Binary files differ
author	netblue30 <netblue30@yahoo.com>	2015-10-25 10:45:25 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-10-25 10:45:25 -0400
commit	5a52191865c5f0cdbc610b0ad656b919f0dc1605 (patch)
tree	0f821744e282d9c4409242b43c9ea6db8857f4ed
parent	fix struct stat64 problem for musl libc (diff)
download	firejail-5a52191865c5f0cdbc610b0ad656b919f0dc1605.tar.gz firejail-5a52191865c5f0cdbc610b0ad656b919f0dc1605.tar.zst firejail-5a52191865c5f0cdbc610b0ad656b919f0dc1605.zip

diff --git a/README.md b/README.md index 37bf7af4d..2cf9c6d1e 100644 --- a/README.md +++ b/README.md
@@ -34,34 +34,27 @@ FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/
34		34
35		35
36		36
37	## Known Problems	37	## New features in the development version
38		38
39	### PulseAudio 7.0	39	### Enable whitelists in Firefox default profile
40		40
41	The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0.	41	The next release will bring in default whitelisting for Firefox files and folders under /home/user.
42	Arch Linux users are reporting sound problems when running applications in Firejail sandbox.	42	If you start the sandbox without any other options, this is what you'll get:
43	A preliminary fix was introduced on master branch. The fix is available in release 0.9.32, and disables PulseAudio shared memory functionality
44	inside the sandbox. If you are seeing any problems,
45	please let us know here: https://github.com/netblue30/firejail/issues/69
46		43
47	If you are unable to update Firejail, or if you want to continue using the latest released version, these are some workarounds:	44	![Whitelisted home directory](firefox-whitelist.png?raw=true)
48		45
49	* Running ALSA	46	The code is located in etc/firefox.inc file:
50		47
51	By default, if Firefox fails to connect to PulseAudio, it will connect directly to ALSA.
52	Also by default, ALSA comes with the sound volume down. You would need to install alsamixer
53	(alsa-utils package) or gnome-alsamixer, run it, and crank up the volume (both Master and PCM).
54
55	* Disable shm functionality in PulseAudio
56	`````	48	`````
57	$ mkdir -p ~/.config/pulse	49	whitelist ~/.mozilla
58	$ cd ~/.config/pulse	50	whitelist ~/Downloads
59	$ cp /etc/pulse/client.conf .	51	whitelist ~/dwhelper
60	$ echo "enable-shm = no" >> client.conf	52	whitelist ~/.zotero
		53	whitelist ~/.lastpass
61	`````	54	`````
62	* Disable srbchannel IPC mechanism in version 7.0
63
64	Edit /etc/pulse/default.pa – change the line "load-module module-native-protocol-unix"
65	to "load-module module-native-protocol-unix srbchannel=no" and restart PulseAudio daemon.
66
67		55
		56	I intend to bring in all files and directories used by Firefox addons and plugins. So far I have
		57	[Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/),
		58	[Zotero](https://www.zotero.org/download/) and
		59	[LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/).
		60	If you're using a anything else, please let me know.


diff --git a/etc/firefox.profile b/etc/firefox.profile index ec95324c8..2e8081ad3 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -9,6 +9,12 @@ seccomp
9	netfilter	9	netfilter
10	noroot	10	noroot
11	shell none	11	shell none
		12	whitelist ~/.mozilla
		13	whitelist ~/Downloads
		14	whitelist ~/dwhelper
		15	whitelist ~/.zotero
		16	whitelist ~/.lastpass
		17
12		18
13		19
14		20


diff --git a/firefox-whitelist.png b/firefox-whitelist.png new file mode 100644 index 000000000..e98cb4b02 --- /dev/null +++ b/firefox-whitelist.png
Binary files differ