author | netblue30 <netblue30@protonmail.com> | 2023-07-26 08:59:33 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2023-07-26 08:59:33 -0400 |
commit | 6d4bb95948363263e220dc475db71a9341f1294e (patch) | |
tree | 5c66a28720ee7fd78683a219717d3d7e40eed265 /etc/profile-m-z | |
parent | netlock/nettrace cleanup (diff) | |
parent | spotify: D-Bus hardening (#5923) (diff) | |
Merge branch 'master' of ssh://github.com/netblue30/firejail
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/minetest.profile | 5 | ||||
-rw-r--r-- | etc/profile-m-z/mov-cli.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/mpv.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/noprofile.profile | 15 | ||||
-rw-r--r-- | etc/profile-m-z/palemoon.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/pingus.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/rtin.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/signal-desktop.profile | 8 | ||||
-rw-r--r-- | etc/profile-m-z/sniffnet.profile | 49 | ||||
-rw-r--r-- | etc/profile-m-z/spotify.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/thunderbird.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/tin.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/trojita.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/waterfox.profile | 1 |
16 files changed, 95 insertions, 31 deletions
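--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,8 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
 
-# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
-# screenshot_path = /home/<USER>/.minetest/screenshots
+# In order to save in-game screenshots to a persistent location,
+# edit ~/.minetest/minetest.conf:
+# screenshot_path = /home/<USER>/.minetest/screenshots
 
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest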
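--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -8,9 +8,13 @@ include mov-cli.local
 # added by included profile
 #include globals.local
 
+noblacklist ${HOME}/.config/mov-cli
+
 include disable-proc.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/mov-cli
+whitelist ${HOME}/.config/mov-cli
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 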
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index bd01d4082..fd35483be 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -9,7 +9,7 @@ include globals.local | |||
9 | 9 | ||
10 | # In order to save screenshots to a persistent location, | 10 | # In order to save screenshots to a persistent location, |
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # mpv has a powerful Lua API and some of the Lua scripts interact with | 14 | # mpv has a powerful Lua API and some of the Lua scripts interact with |
15 | # external resources which are blocked by firejail. In such cases you need to | 15 | # external resources which are blocked by firejail. In such cases you need to |
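--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not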
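--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -1,17 +1,16 @@
 # This is the weakest possible firejail profile.
-# If a program still fail with this profile, it is incompatible with firejail.
+# If a program still fails with this profile, it is incompatible with firejail.
 # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
 #
 # Usage:
-# 1. download
-# 2. firejail --profile=noprofile.profile /path/to/program
+# $ firejail --profile=noprofile.profile /path/to/program
 
 # Keep in mind that even with this profile some things are done
-# which can break the program.
-# - some env-vars are cleared
-# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
-# - a new private pid-namespace is created
-# - a minimal hardcoded blacklist is applied
+# which can break the program:
+# - some env-vars are cleared;
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
+# - a new private pid-namespace is created;
+# - a minimal hardcoded blacklist is applied;
 # - ...
 
 noblacklist /sys/fs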
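--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /usr/share/moonchild productions
+whitelist /usr/share/palemoon
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp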
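--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+# Debian keeps games data under /usr/share/games
+whitelist /usr/share/games/pingus
 whitelist /usr/share/pingus
-whitelist /usr/share/games/pingus # Debian keeps games data under /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc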
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile index 87aa69bcb..b1acf8b2e 100644 --- a/etc/profile-m-z/rtin.profile +++ b/etc/profile-m-z/rtin.profile | |||
@@ -1,6 +1,6 @@ | |||
1 | # Firejail profile for rtin | 1 | # Firejail profile for rtin |
2 | # Description: ncurses-based Usenet newsreader | 2 | # Description: ncurses-based Usenet newsreader |
3 | # symlink to tin, same as `tin -r` | 3 | # symlink to tin, same as `tin -r` |
4 | # This file is overwritten after every install/update | 4 | # This file is overwritten after every install/update |
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include rtin.local | 6 | include rtin.local |
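--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -11,7 +11,9 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal
 private-etc @tls-ca
 
 dbus-user filter
-
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
-
-# allow D-Bus communication with Firefox browsers for opening links
+# allow D-Bus communication with firefox for opening links
 dbus-user.talk org.mozilla.*
 
 ignore dbus-user none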
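--- /dev/null
+++ b/etc/profile-m-z/sniffnet.profile
@@ -0,0 +1,49 @@
+# Firejail profile for sniffnet
+# Description: Network traffic monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sniffnet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sniffnet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+#caps.drop all
+caps.keep net_admin,net_raw
+netfilter
+nodvd
+nogroups
+noinput
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+notv
+nou2f
+novideo
+#seccomp
+tracelog
+
+disable-mnt
+#private-bin sniffnet
+# private-dev prevents (some) interfaces from being shown.
+private-etc @network,@tls-ca
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#restrict-namespaces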
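Review bot: Of the hardening options this new profile leaves disabled, only `nonewprivs` and `private-dev` carry a reason; `#caps.drop all`, `# noroot`, `#seccomp`, `#private-bin sniffnet` and `#restrict-namespaces` are commented out with no explanation, so a later maintainer cannot tell which were tested and found to break capture and which were never tried. I would add a short why-comment to each, in the same form as the existing `# nonewprivs - breaks network traffic capture for unprivileged users` line. The `caps.keep net_admin,net_raw` line deserves a comment too: if capture works with `net_raw` alone, dropping `net_admin` would remove the ability to change interface and firewall configuration from inside the sandbox, and if it does not, the comment should say what fails without it.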
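--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -16,6 +16,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/spotify
@@ -34,6 +35,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
@@ -50,8 +52,11 @@ private-opt spotify
 private-srv none
 private-tmp
 
-# dbus needed for MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.spotify
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
 
 restrict-namespaces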
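Review bot: The new `dbus-user.talk org.freedesktop.secrets` line in the last hunk has no comment, and it is the widest grant in the new filter list. As far as I know, common keyring implementations do not scope Secret Service access per application, so the sandboxed client can reach every unlocked item rather than only its own login. I would state that trade-off above the line, e.g. `# keyring access for the stored login; reaches all unlocked secrets - drop in spotify.local if not needed`. The removed `# dbus needed for MPRIS` comment was also the only explanation for the MPRIS names, so a one-line replacement such as `# MPRIS (media keys / desktop player controls)` above `dbus-user.own org.mpris.MediaPlayer2.spotify` would keep the filter list self-explanatory.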
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 63d629a32..99317c9dc 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid | |||
133 | include whitelist-common.inc | 133 | include whitelist-common.inc |
134 | include whitelist-var-common.inc | 134 | include whitelist-var-common.inc |
135 | 135 | ||
136 | # NOTE: The following were intentionally left out as they are alternative | 136 | # Note: The following were intentionally left out as they are alternative |
137 | # (i.e.: unnecessary and/or legacy) paths whose existence may potentially | 137 | # (i.e.: unnecessary and/or legacy) paths whose existence may potentially |
138 | # clobber other paths (see #4225). If you use any, either add the entry to | 138 | # clobber other paths (see #4225). If you use any, either add the entry to |
139 | # steam.local or move the contents to a path listed above (or open an issue if | 139 | # steam.local or move the contents to a path listed above (or open an issue if |
140 | # it's missing above). | 140 | # it's missing above). |
141 | #mkdir ${HOME}/.config/RogueLegacyStorageContainer | 141 | #mkdir ${HOME}/.config/RogueLegacyStorageContainer |
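--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -47,10 +47,7 @@ whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
-whitelist /usr/share/mozilla
 whitelist /usr/share/thunderbird
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
 
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
 #machine-id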
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index a03a6caa0..35ff14e88 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile | |||
@@ -24,8 +24,8 @@ include disable-xdg.inc | |||
24 | mkdir ${HOME}/.tin | 24 | mkdir ${HOME}/.tin |
25 | mkfile ${HOME}/.newsrc | 25 | mkfile ${HOME}/.newsrc |
26 | # Note: files/directories directly in ${HOME} can't be whitelisted, as | 26 | # Note: files/directories directly in ${HOME} can't be whitelisted, as |
27 | # tin saves .newsrc by renaming a temporary file, which is not possible for | 27 | # tin saves .newsrc by renaming a temporary file, which is not possible for |
28 | # bind-mounted files. | 28 | # bind-mounted files. |
29 | #whitelist ${HOME}/.newsrc | 29 | #whitelist ${HOME}/.newsrc |
30 | #whitelist ${HOME}/.tin | 30 | #whitelist ${HOME}/.tin |
31 | #include whitelist-common.inc | 31 | #include whitelist-common.inc |
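--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -7,7 +7,6 @@ include trojita.local
 include globals.local
 
 noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
 
@@ -19,11 +18,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
 whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/flaska.net/trojita
 whitelist ${HOME}/.config/flaska.net
 include whitelist-common.inc
@@ -49,7 +53,6 @@ seccomp
 tracelog
 
 # disable-mnt
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin trojita
 private-cache
 private-dev
@@ -58,6 +61,8 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces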
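Review bot: `dbus-user.talk org.mozilla.*` in the last hunk is a wildcard grant, so the mail client may talk to every `org.mozilla.*` name on the session bus, which is wider than the other entries in this filter list. The comment above it should say so, e.g. `# allow D-Bus communication with firefox for opening links (talk access to all org.mozilla.* names)`. Separately, the third hunk removes the hint about `ignore private-bin` while `private-bin trojita` stays in place. If opening a link still needs a browser executable inside the sandbox, users lose the only pointer to that workaround, so it is worth confirming that links open with this `private-bin` before dropping the hint.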
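--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
 whitelist ${HOME}/.cache/waterfox
 whitelist ${HOME}/.waterfox
+whitelist /usr/share/waterfox
 
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla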
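Review bot: The context comment two lines below the new `whitelist /usr/share/waterfox` entry names `watefox.local`, which looks like a misspelling of the override file this profile reads (presumably `waterfox.local`; the include line is outside the hunk). A user who follows the comment literally would put the `.mozilla` exceptions in a file that is never included, and the migration wizard would stay blocked with no hint why. Since the commit already touches this block, I would fix it here: `# Add the next lines to your waterfox.local if you want to use the migration wizard.`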