diff options
| -rw-r--r-- | README.md | 42 | ||||
| -rw-r--r-- | etc/firefox.profile | 6 | ||||
| -rw-r--r-- | firefox-whitelist.png | bin | 0 -> 53657 bytes |
3 files changed, 27 insertions, 21 deletions
| @@ -34,34 +34,34 @@ FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/ | |||
| 34 | 34 | ||
| 35 | 35 | ||
| 36 | 36 | ||
| 37 | ## Known Problems | 37 | ## New features in the development version |
| 38 | 38 | ||
| 39 | ### PulseAudio 7.0 | 39 | ### Whitelisting in default Firefox profile |
| 40 | 40 | ||
| 41 | The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. | 41 | The next release will bring in default whitelisting for Firefox files and folders under /home/user. |
| 42 | Arch Linux users are reporting sound problems when running applications in Firejail sandbox. | 42 | If you start the sandbox without any other options, this is what you'll get: |
| 43 | A preliminary fix was introduced on master branch. The fix is available in release 0.9.32, and disables PulseAudio shared memory functionality | ||
| 44 | inside the sandbox. If you are seeing any problems, | ||
| 45 | please let us know here: https://github.com/netblue30/firejail/issues/69 | ||
| 46 | 43 | ||
| 47 | If you are unable to update Firejail, or if you want to continue using the latest released version, these are some workarounds: | 44 |  |
| 48 | 45 | ||
| 49 | * Running ALSA | 46 | The code is located in etc/firefox.inc file: |
| 50 | 47 | ||
| 51 | By default, if Firefox fails to connect to PulseAudio, it will connect directly to ALSA. | ||
| 52 | Also by default, ALSA comes with the sound volume down. You would need to install *alsamixer* | ||
| 53 | (*alsa-utils* package) or *gnome-alsamixer*, run it, and crank up the volume (both Master and PCM). | ||
| 54 | |||
| 55 | * Disable shm functionality in PulseAudio | ||
| 56 | ````` | 48 | ````` |
| 57 | $ mkdir -p ~/.config/pulse | 49 | whitelist ~/.mozilla |
| 58 | $ cd ~/.config/pulse | 50 | whitelist ~/Downloads |
| 59 | $ cp /etc/pulse/client.conf . | 51 | whitelist ~/dwhelper |
| 60 | $ echo "enable-shm = no" >> client.conf | 52 | whitelist ~/.zotero |
| 53 | whitelist ~/.lastpass | ||
| 61 | ````` | 54 | ````` |
| 62 | * Disable srbchannel IPC mechanism in version 7.0 | ||
| 63 | 55 | ||
| 64 | Edit /etc/pulse/default.pa – change the line "load-module module-native-protocol-unix" | 56 | I intend to bring in all files and directories used by Firefox addons and plugins. So far I have |
| 65 | to "load-module module-native-protocol-unix srbchannel=no" and restart PulseAudio daemon. | 57 | [Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/), |
| 58 | [Zotero](https://www.zotero.org/download/) and | ||
| 59 | [LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/). | ||
| 60 | If you're using a anything else, please let me know. | ||
| 66 | 61 | ||
| 62 | ### --ignore option | ||
| 67 | 63 | ||
| 64 | Ignore commands in profile files. Example: | ||
| 65 | ````` | ||
| 66 | $ firejail --ignore=seccomp wine | ||
| 67 | ````` | ||
diff --git a/etc/firefox.profile b/etc/firefox.profile index ec95324c8..2e8081ad3 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -9,6 +9,12 @@ seccomp | |||
| 9 | netfilter | 9 | netfilter |
| 10 | noroot | 10 | noroot |
| 11 | shell none | 11 | shell none |
| 12 | whitelist ~/.mozilla | ||
| 13 | whitelist ~/Downloads | ||
| 14 | whitelist ~/dwhelper | ||
| 15 | whitelist ~/.zotero | ||
| 16 | whitelist ~/.lastpass | ||
| 17 | |||
| 12 | 18 | ||
| 13 | 19 | ||
| 14 | 20 | ||
diff --git a/firefox-whitelist.png b/firefox-whitelist.png new file mode 100644 index 000000000..e98cb4b02 --- /dev/null +++ b/firefox-whitelist.png | |||
| Binary files differ | |||
