4 files changed, 16 insertions, 0 deletions

diff --git a/RELNOTES b/RELNOTES
index 3e044a9f9..f8ef7393b 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -35,7 +35,10 @@ firejail (0.9.71) baseline; urgency=low
   * build: deduplicate makefiles (#5478)
   * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275)
   * ci: ignore git-related paths and the project license (#5249)
+  * ci: Harden GitHub Actions (StepSecurity) (#5439)
   * ci: sort and ignore more paths (#5481)
+  * ci: whitelist needed endpoints and block access to sudo (#5485)
+  * docs: fix typos (#5189 #5349)
   * docs: mention risk of SUID binaries and also firejail-users(5) (#5288
     #5290)
   * docs: set vim filetype on man pages for syntax highlighting (#5296)
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index 59c8f7f8a..e7236b0bc 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -14,5 +14,11 @@
 # Uncomment to opt-in to apparmor for brave + tor
 #owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,
 
+# Uncomment to opt-in to apparmor for firefox DRM (gmp-widevinecdm)
+#owner @{HOME}/.mozilla/firefox/*/gm*/** ix,
+
+# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
+#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
+
 # Uncomment to opt-in to apparmor for torbrowser-launcher
 #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index b2b7c362a..6dc1fca8a 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,8 +2,13 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+# Prevent whitelisting in ${RUNUSER}
 ignore whitelist ${RUNUSER}/*firefox*
+ignore whitelist ${RUNUSER}/psd/*firefox*
+ignore whitelist ${RUNUSER}/kpxc_server
+ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 ignore include whitelist-runuser-common.inc
+
 ignore private-cache
 
 noblacklist ${HOME}/.cache/youtube-dl
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 36e3405b0..491ce2eeb 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -8,6 +8,8 @@ include firefox-common.local
 
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+# noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon.
+?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER}
 
 # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile