Some Firejail 0.9.64 Profile Tweaks.
Hiya. For any Nixers who happen to occupy this specific Venn Diagram intersectionality:
- Use Firejail, AND have just recently OR will soon update to 0.9.64
- Run each/any/all of these in FJ:
  - chromium
  - firefox [vanilla, Dev.Ed, Nightly]
  - keepassxc
  - thunderbird
  - vivaldi-snapshot
  - vivaldi-stable
If so, you might wish to consider modifying the applicable FJ 0.9.64 profile files as follows.
chromium-common.profile
Replace line 17 with:

    ####### Steffie 26/10/20: This following line worked up to & including FJ 0.9.62, but with 0.9.64 i had to disable it otherwise both Vivaldi-Snapshot & Vivaldi-Stable [but weirdly NOT Chromium itself] had broken h.264 video. ####### include disable-exec.inc
firefox-common.profile
Replace line 20 with:

    ####### Steffie 26/10/20: This following line worked up to & including FJ 0.9.62, but with 0.9.64 i had to disable it otherwise all the Firefoxes had broken h.264 video [NB: identical problem arose at the same time with both Vivaldi-Snapshot & Vivaldi-Stable [but weirdly NOT Chromium itself] for `chromium-common.profile`]. ####### include disable-exec.inc
keepassxc.profile
Replace lines 75-77 with:

    # ### Uncomment or add to your keepassxc.local to allow Notifications.
    ### Steffie 23/10/20: I did indeed now need to enable the following TWO lines, otherwise the serious problem i first discovered back in FJ 0.9.52 reappears here in FJ 0.9.64, viz "BREAKS critical functionality for Settings “Show a system tray icon” + “Hide window to system tray when minimised”. This works fine in ~50, but in ~52 NO system tray icon appears, so if I minimise KeePassXC with those options active, the KeePassXC window completely vanishes & cannot be recovered [despite still seen running in KSysGuard & FireTools]".
    dbus-user.talk org.freedesktop.Notifications
    dbus-user.talk org.kde.StatusNotifierWatcher
thunderbird.profile
Delete all lines below line 8, & replace with [NB: here my surgery was extreme, & maybe people might not wish to use this]:

    # Users have thunderbird set to open a browser by clicking a link in an email
    # We are not allowed to blacklist browser-specific directories
    ### Steffie 1/3/19: Vivaldi-Snapshot:
    ### NB: after hours of experimenting today [& years of frustration] i discovered that finally i CAN make Thunderbird [running in Firejail] email web-links open in Vivaldi-Snapshot [even when it's in FJ], but ONLY if i copy `/etc/firejail/thunderbird.profile` into my `/home/steffie/.config/firejail`, & then DELETE all lines below #10. I don't understand any other way to have my cake & eat it, don't know if this is really crippling my TB-FJ protection, but presumably it's still somewhat better than the only other alternative [if i still want TB links opening in V] of running TB totally naked [sans FJ altogether].
    # Note that the methods canvassed in https://github.com/netblue30/firejail/issues/1955 did NOT help me.
    ### Steffie 6/9/19: Firefox-Nightly, Developer, Std:
    ### Prior to Thunderbird 68, when any of the Firefox variants were my default browser, i could still use the FULL `/etc/firejail/thunderbird.profile` AND happily one-click open email links in the browser. Since Mozilla recently did the big jump up from TB-60 to TB-68, that convenience is lost [a weird secondary FF window instead opens, with none of my AddOns & none of my Preferences - ugh]. Hence now, regardless of using Vivaldis or Firefoxes, i need to use this neutered Profile instead of the full one.
That TB one really still needs heaps more analysis so i can identify the specific commands borking the usability, instead of doing such massive amputations.
vivaldi-snapshot.profile
Insert the following into line 8:

    # Allow HTML5 Proprietary Media & DRM/EME (Widevine) [Steffie 3/4/20: Copied from `/etc/firejail/vivaldi.profile`, coz otherwise HTML5 streaming breaks in FJ (but is ok Naked)].
    ignore apparmor
    ignore noexec /var
    noblacklist /var/opt
    whitelist /var/opt/vivaldi-snapshot
    writable-var

Insert the following into line 16:

    # nodbus breaks vivaldi sync [Steffie 3/4/20: Copied from `/etc/firejail/vivaldi.profile`].
    # ignore nodbus
    # Steffie 25/10/20: The preceding line applied til FJ 0.9.62, but in 0.9.64 i found the new version of `/etc/firejail/vivaldi.profile` now uses instead the following two lines:
    ignore dbus-user none
    ignore dbus-system none
Fyi, to use Vivaldi-Stable in FJ, you do not need to do any edits to FJ's latest V-S files, because:
/etc/firejail/vivaldi-stable.profile
pretty much does nothing else but to call:

    # Redirect
    include vivaldi.profile
...and then
/etc/firejail/vivaldi.profile
already contains the "good" extra lines i've copied into Snapshot [it's weird that the FJ Devs get Stable right but Snapshot wrong for some years now] then at the bottom calls:

    # Redirect
    include chromium-common.profile
...which file is now already edited up above near the beginning of this post.
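As an added example that is not part of the original post or of Firejail's own profile files: the keepassxc and vivaldi-snapshot tweaks above are plain profile directives, so they can live in `~/.config/firejail/<app>.local` (the file the keepassxc comment itself points at, which stock profiles pull in with `include <app>.local` near the top) rather than in an edited `/etc/firejail/*.profile` that the next package upgrade overwrites. The script below writes those two `.local` files idempotently and first checks that the stock profile actually carries the `include` line, since without it nothing in the `.local` is ever read. `FJ_LOCAL_DIR`, `FJ_SYSTEM_DIR` and the `apply` argument are conventions invented for this script, not Firejail options.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Firejail project:
# write the post's keepassxc and vivaldi-snapshot directives into
# ~/.config/firejail/<app>.local so they survive an FJ package upgrade.
# Assumed knobs: FJ_LOCAL_DIR / FJ_SYSTEM_DIR let the script be dry-run into
# scratch directories; the "apply" argument is this script's own convention.

FJ_LOCAL_DIR="${FJ_LOCAL_DIR:-$HOME/.config/firejail}"
FJ_SYSTEM_DIR="${FJ_SYSTEM_DIR:-/etc/firejail}"

# append_unique FILE LINE: append LINE unless an identical line already exists,
# so re-running the script never duplicates a directive.
append_unique() {
    f="$1"
    line="$2"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    grep -qxF -- "$line" "$f" || printf '%s\n' "$line" >> "$f"
}

# has_local_include APP: true if the stock profile carries "include APP.local";
# without that line the override file is silently ignored.
has_local_include() {
    grep -qE "^include[[:space:]]+$1\.local[[:space:]]*\$" \
        "$FJ_SYSTEM_DIR/$1.profile" 2>/dev/null
}

# The two D-Bus names the post enables so the KeePassXC tray icon comes back.
write_keepassxc_local() {
    f="$FJ_LOCAL_DIR/keepassxc.local"
    append_unique "$f" "# FJ 0.9.64: tray icon + notifications (from the post's keepassxc tweak)"
    append_unique "$f" "dbus-user.talk org.freedesktop.Notifications"
    append_unique "$f" "dbus-user.talk org.kde.StatusNotifierWatcher"
}

# The Widevine/HTML5 lines and the 0.9.64 D-Bus lines from the post's
# vivaldi-snapshot tweak. "ignore X" only neutralises an X that comes later
# in the profile, which holds when the .local is included near the top.
write_vivaldi_snapshot_local() {
    f="$FJ_LOCAL_DIR/vivaldi-snapshot.local"
    append_unique "$f" "# FJ 0.9.64: HTML5 proprietary media / DRM and sync (from the post's vivaldi-snapshot tweak)"
    append_unique "$f" "ignore apparmor"
    append_unique "$f" "ignore noexec /var"
    append_unique "$f" "noblacklist /var/opt"
    append_unique "$f" "whitelist /var/opt/vivaldi-snapshot"
    append_unique "$f" "writable-var"
    append_unique "$f" "ignore dbus-user none"
    append_unique "$f" "ignore dbus-system none"
}

# count_directives FILE: number of non-comment, non-blank lines, a quick
# "did it land" check after writing.
count_directives() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

if [ "${1:-}" = "apply" ]; then
    for app in keepassxc vivaldi-snapshot; do
        has_local_include "$app" || \
            echo "warning: $FJ_SYSTEM_DIR/$app.profile has no 'include $app.local'; the override will not load" >&2
    done
    write_keepassxc_local
    write_vivaldi_snapshot_local
    echo "keepassxc.local: $(count_directives "$FJ_LOCAL_DIR/keepassxc.local") directives"
    echo "vivaldi-snapshot.local: $(count_directives "$FJ_LOCAL_DIR/vivaldi-snapshot.local") directives"
fi
```

Run it as `sh fj-local-tweaks.sh apply`; running it twice leaves the files unchanged. The chromium-common and firefox-common tweaks are not covered, because they comment out an `include disable-exec.inc` line, and `ignore` acts on profile commands rather than on `include` lines, so those two still need the in-place edit the post describes (or a full copy of the profile in `~/.config/firejail`, which takes precedence over `/etc/firejail`, as the post does for thunderbird).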
Hope this might help some other users. Each time a new FJ version arrives i usually feel both excited & trepidatious.