2 files changed, 26 insertions, 5 deletions

diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..56d09d5b2
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,16 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+noroot
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index af1ddf93b..4c2510021 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -726,7 +726,16 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
         if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+        if (!arg_writable_etc) {
+                fs_rdonly("/etc");
+                if (arg_debug) printf(", /etc");
+        }
+        if (!arg_writable_var) {
+                fs_rdonly("/var");
+                if (arg_debug) printf(", /var");
+        }
+        if (arg_debug) printf("\n");
         fs_rdonly("/bin");
         fs_rdonly("/sbin");
         fs_rdonly("/lib");
@@ -734,10 +743,6 @@ void fs_basic_fs(void) {
         fs_rdonly("/lib32");
         fs_rdonly("/libx32");
         fs_rdonly("/usr");
-        if (!arg_writable_etc)
-                fs_rdonly("/etc");
-        if (!arg_writable_var)
-                fs_rdonly("/var");
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         if (!arg_private_dev)