12 files changed, 80 insertions, 1 deletions

diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 031f3f4bd..6e8f0d7d1 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -5,6 +5,11 @@ include bnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
 
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 35c59f5a3..904d3e94f 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -8,6 +8,12 @@ include globals.local
 
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
+# TOR is installed in ${HOME}
+ignore noexec ${HOME}
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
new file mode 100644
index 000000000..09eaa2d12
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -0,0 +1,17 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 899400d25..6a9cf99b0 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -16,16 +16,25 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/chromium
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
@@ -36,8 +45,10 @@ notv
 shell none
 
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index e02395771..51ba6f8b7 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -5,6 +5,11 @@ include dnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
 
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d8ac8b24a..d982433e2 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -5,6 +5,11 @@ include enox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
 
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index b841bce75..310fb378f 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -5,6 +5,11 @@ include flashpeak-slimjet.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
 
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index a62e4cf74..ebe5e870b 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -5,6 +5,11 @@ include google-chrome-beta.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
 
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 14547eab2..4d303f71b 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -5,6 +5,11 @@ include google-chrome-unstable.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
 
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index 66f76caa0..ed2595f72 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -5,6 +5,11 @@ include google-chrome.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
 
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index 1b3db73b4..a5cac12f2 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -5,6 +5,11 @@ include inox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
 
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index ebb39b0a3..3037d00e9 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -5,6 +5,11 @@ include iridium.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium