profiles: fixes and cleanups for opening links with firefox (#5919)

3 files changed, 24 insertions, 14 deletions

diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5cf30ed40..82336969d 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -6,11 +6,10 @@ include kube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/kube
 noblacklist ${HOME}/.config/kube
 noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/kube
 noblacklist ${HOME}/.local/share/sink
 
@@ -22,23 +21,28 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.gnupg
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.cache/kube
 mkdir ${HOME}/.config/kube
 mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.local/share/kube
 mkdir ${HOME}/.local/share/sink
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/kube
 whitelist ${HOME}/.config/kube
 whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.local/share/kube
 whitelist ${HOME}/.local/share/sink
 whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/kube
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
+whitelist /usr/share/kube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -63,7 +67,6 @@ tracelog
 
 # disable-mnt
 # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
@@ -75,6 +78,8 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 3e1899ef3..8cb4e4173 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -11,7 +11,9 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal
 private-etc @tls-ca
 
 dbus-user filter
-
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
-
-# allow D-Bus communication with Firefox browsers for opening links
+# allow D-Bus communication with firefox for opening links
 dbus-user.talk org.mozilla.*
 
 ignore dbus-user none
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index ba68ccb53..2578eb0be 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -7,7 +7,6 @@ include trojita.local
 include globals.local
 
 noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
 
@@ -19,11 +18,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
 whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/flaska.net/trojita
 whitelist ${HOME}/.config/flaska.net
 include whitelist-common.inc
@@ -49,7 +53,6 @@ seccomp
 tracelog
 
 # disable-mnt
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin trojita
 private-cache
 private-dev
@@ -58,6 +61,8 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces