From 76041d5e973194a88203b9ee399ae71e552fdb45 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Mon, 23 Mar 2020 12:04:14 +0100
Subject: thunderbird.profile: harden and enable the rules necessary to make Firefox open links See issue #3291
---
 etc/thunderbird.profile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 6e888c163..b375247f4 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -17,12 +17,12 @@ writable-run-user
 #whitelist /var/spool/mail
 #writable-var
-# Uncomment the next 4 lines or put them in your thunderbird.local to
-# allow Firefox to load your profile when clicking a link in an email
-#noblacklist ${HOME}/.cache/mozilla
-#noblacklist ${HOME}/.mozilla
-#whitelist ${HOME}/.cache/mozilla/firefox
-#whitelist ${HOME}/.mozilla
+# These lines are needed to allow Firefox to load your profile when clicking a link in an email
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
-- cgit v1.2.3-54-g00ecf
From b086e9305528cd6ea89ee22b1714fd9eb4f8c801 Mon Sep 17 00:00:00 2001
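Review bot: In etc/thunderbird.profile the added `whitelist ${HOME}/.cache/mozilla/firefox` has no matching `read-only` line in this hunk, so the mail client's sandbox appears to get write access to the browser's whole cache tree, while only `profiles.ini` is protected. Since the block is now active for every user rather than opt-in, the comment should state that trade-off and no longer leaves a hint about thunderbird.local for people who do not want Firefox data exposed to the mail sandbox. I would reword it along the lines of `# Needed so Firefox can find its profile when a link is clicked; the Firefox cache stays writable, profiles.ini is read-only` and add a second comment line saying how to disable the block locally. If Firefox does not need to write the cache from inside this sandbox, a `read-only ${HOME}/.cache/mozilla/firefox` line would tighten it further, but that needs testing against the link-opening case from the referenced issue.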
From: Davide Beatrici
Date: Tue, 24 Mar 2020 23:09:21 +0100
Subject: steam.profile: correctly blacklist unneeded directories in user's home "noblacklist" directives prevent following ones from blacklisting the specified directory/file. The profile currently has a "noblacklist" directive for each directory used by Steam and/or its games, which is fine. However, there are no directives blacklisting the user's home, thus all directories and files inside it are accessible by Steam. This commit fixes the issue by adding "whitelist" directives, which automatically blacklist the parent directory (in this case the user's home). "mkdir" and "mkfile" directives are added so that the directories/files are created if they don't exist. Thanks to @SkewedZeppelin for suggesting to keep "noblacklist" and use "mkdir" and "mkfile".
---
 etc/steam.profile | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/etc/steam.profile b/etc/steam.profile
index 499d21e6d..c6f0ca145 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -36,6 +36,34 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.killingfloor
+mkdir ${HOME}/.local/share/3909/PapersPlease
+mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/Steam
+mkdir ${HOME}/.local/share/SuperHexagon
+mkdir ${HOME}/.local/share/Terraria
+mkdir ${HOME}/.local/share/vpltd
+mkdir ${HOME}/.local/share/vulkan
+mkdir ${HOME}/.steam
+mkfile ${HOME}/.steampath
+mkfile ${HOME}/.steampid
+whitelist ${HOME}/.killingfloor
+whitelist ${HOME}/.local/share/3909/PapersPlease
+whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/Steam
+whitelist ${HOME}/.local/share/SuperHexagon
+whitelist ${HOME}/.local/share/Terraria
+whitelist ${HOME}/.local/share/vpltd
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.steam
+whitelist ${HOME}/.steampath
+whitelist ${HOME}/.steampid
+whitelist ${HOME}/.steampid
+include whitelist-common.inc
 include whitelist-var-common.inc
 caps.drop all
-- cgit v1.2.3-54-g00ecf
From 45bf24a07fb6e20fcccf5d48e269e54015fad1c5 Mon Sep 17 00:00:00 2001
From: Lior Stern
Date: Tue, 31 Mar 2020 16:04:54 +0300
Subject: Preserve CFLAGS given to configure in common.mk.in
---
 src/common.mk.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/common.mk.in b/src/common.mk.in
index 945815a40..8104bc258 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
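Review bot: `whitelist ${HOME}/.steampid` is added twice at the end of the whitelist block in etc/steam.profile; the second copy is redundant and should be dropped, or replaced if a different path was intended. Because `whitelist` hides the rest of the home directory, any path that has a `noblacklist` line above this hunk but no matching `whitelist` here would become invisible to Steam; that list lies outside the hunk, so the two should be compared before merging. A comment above the block such as `# whitelisting hides the rest of ${HOME}; keep this list in sync with the noblacklist entries above` would help the next editor. The `mkdir` lines also create a directory for every listed game in each user's home whether or not it is installed, which deserves a mention in the same comment.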
@@ -31,6 +31,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
+CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
 CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
-- cgit v1.2.3-54-g00ecf
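Review bot: The configure-time flags are placed first in src/common.mk.in, so the `-ggdb` and `-O2` appended on the very next line still come later on the compiler command line and override any `-g` or `-O` level the user passed to configure. If the aim is to let packagers control optimisation and hardening flags, the substitution should come after the project's own flags, for example a final `CFLAGS += @CFLAGS@` below the last `CFLAGS +=` line; further `CFLAGS` lines may follow outside this hunk. Separately, and not introduced by this change, `make CFLAGS=...` on the command line still replaces the whole variable, including the required `-DVERSION` and `-DPREFIX` defines. A one-line comment above the new assignment, such as `# flags from ./configure; project flags are appended below`, would make the ordering explicit.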