3 files changed, 8 insertions, 3 deletions
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 7f40d4399..4e2718c95 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -9,7 +9,6 @@ blacklist ${HOME}/.bashrc
 blacklist /lost+found
 blacklist /sbin
 blacklist /srv
-blacklist /sys
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index fe9760ad4..6069c5174 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -24,8 +25,9 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+# tracelog may cause issues, see github issue #1930
 tracelog
 disable-mnt
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index c8eecfc4a..f175b6590 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -20,9 +20,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
 mkdir ${HOME}/.config/torbrowser
 mkdir ${HOME}/.local/share/torbrowser
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include /etc/firejail/whitelist-common.inc
@@ -30,6 +32,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,8 +40,9 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+# tracelog may cause issues, see github issue #1930
 tracelog
 disable-mnt

diff --git a/etc/spotify.profile b/etc/spotify.profile index 7f40d4399..4e2718c95 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile
@@ -9,7 +9,6 @@ blacklist ${HOME}/.bashrc
9	blacklist /lost+found	9	blacklist /lost+found
10	blacklist /sbin	10	blacklist /sbin
11	blacklist /srv	11	blacklist /srv
12	blacklist /sys
13		12
14	noblacklist ${HOME}/.cache/spotify	13	noblacklist ${HOME}/.cache/spotify
15	noblacklist ${HOME}/.config/spotify	14	noblacklist ${HOME}/.config/spotify


diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index fe9760ad4..6069c5174 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
17		17
18	caps.drop all	18	caps.drop all
19	netfilter	19	netfilter
		20	nodbus
20	nodvd	21	nodvd
21	nogroups	22	nogroups
22	nonewprivs	23	nonewprivs
@@ -24,8 +25,9 @@ noroot
24	notv	25	notv
25	novideo	26	novideo
26	protocol unix,inet,inet6	27	protocol unix,inet,inet6
27	seccomp	28	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
28	shell none	29	shell none
		30	# tracelog may cause issues, see github issue #1930
29	tracelog	31	tracelog
30		32
31	disable-mnt	33	disable-mnt


diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index c8eecfc4a..f175b6590 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile
@@ -20,9 +20,11 @@ include /etc/firejail/disable-devel.inc
20	include /etc/firejail/disable-interpreters.inc	20	include /etc/firejail/disable-interpreters.inc
21	include /etc/firejail/disable-passwdmgr.inc	21	include /etc/firejail/disable-passwdmgr.inc
22	include /etc/firejail/disable-programs.inc	22	include /etc/firejail/disable-programs.inc
		23	include /etc/firejail/disable-xdg.inc
23		24
24	mkdir ${HOME}/.config/torbrowser	25	mkdir ${HOME}/.config/torbrowser
25	mkdir ${HOME}/.local/share/torbrowser	26	mkdir ${HOME}/.local/share/torbrowser
		27	whitelist ${DOWNLOADS}
26	whitelist ${HOME}/.config/torbrowser	28	whitelist ${HOME}/.config/torbrowser
27	whitelist ${HOME}/.local/share/torbrowser	29	whitelist ${HOME}/.local/share/torbrowser
28	include /etc/firejail/whitelist-common.inc	30	include /etc/firejail/whitelist-common.inc
@@ -30,6 +32,7 @@ include /etc/firejail/whitelist-var-common.inc
30		32
31	caps.drop all	33	caps.drop all
32	netfilter	34	netfilter
		35	nodbus
33	nodvd	36	nodvd
34	nogroups	37	nogroups
35	nonewprivs	38	nonewprivs
@@ -37,8 +40,9 @@ noroot
37	notv	40	notv
38	novideo	41	novideo
39	protocol unix,inet,inet6	42	protocol unix,inet,inet6
40	seccomp	43	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
41	shell none	44	shell none
		45	# tracelog may cause issues, see github issue #1930
42	tracelog	46	tracelog
43		47
44	disable-mnt	48	disable-mnt