The current `bijiben.profile` sets an environment variable to disable
its internal webkit/bubblewrap sandbox but now a different variable
needs to be set[1]:
WEBKIT_FORCE_SANDBOX no longer allows disabling the sandbox. Use WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 instead.
This may be needed for the profile to work at all, but disabling the
sandbox weakens webkit's own security[2], so update the variable and
disable bijiben by default in firecfg.config.
Note: Upstream replaced bijiben by gnome-notes[3] [4].
Relates to #2995.
[1] 0678a98c86/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp (L117)
[2] https://github.com/netblue30/firejail/issues/2995
[3] https://archlinux.org/packages/extra/x86_64/gnome-notes/
[4] https://wiki.gnome.org/Apps/Notes
# Firejail profile for bijiben
# Description: Simple Note Viewer
# This file is overwritten after every install/update
# Persistent local customizations
include bijiben.local
# Persistent global definitions
include globals.local

# Keep the note store reachable: noblacklist must come before the
# disable-*.inc includes below so their blacklists do not cover it.
noblacklist ${HOME}/.local/share/bijiben

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

# Whitelisting: once a whitelist is set, only the listed paths (plus those
# from the whitelist-*-common.inc files) remain visible in the affected
# top-level directories.
mkdir ${HOME}/.local/share/bijiben
whitelist ${HOME}/.local/share/bijiben
whitelist ${HOME}/.cache/tracker
# NOTE(review): only the webkit2gtk-4.0 libexec path is whitelisted; confirm
# this matches the WebKit ABI the installed bijiben actually links against.
whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/bijiben
# NOTE(review): both tracker and tracker3 data directories are whitelisted,
# but only the Tracker1 bus name is allowed under dbus-user below — confirm
# which tracker version bijiben talks to.
whitelist /usr/share/tracker
whitelist /usr/share/tracker3
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Hardening: AppArmor confinement, all capabilities dropped, no network
# (new, unconnected network namespace), no new privileges, only unix
# sockets, seccomp with secondary-architecture syscalls blocked, and
# tracelog so blacklist violations are logged.
apparmor
caps.drop all
machine-id
net none
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
seccomp.block-secondary
tracelog

# Minimal private views of /bin, /dev, /etc (x11 group only) and /tmp.
# private-cache stays disabled because tracker needs ~/.cache/tracker.
disable-mnt
private-bin bijiben
#private-cache # access to .cache/tracker is required
private-dev
private-etc @x11
private-tmp

# Session bus: filtered to the app's own name plus dconf and Tracker1.
# System bus: blocked entirely.
dbus-user filter
dbus-user.own org.gnome.Notes
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.Tracker1
dbus-system none

# Warning: Disabling the webkit sandbox may be needed to make bijiben work
# under firejail with webkit2gtk, but it weakens webkit's own security and
# is not recommended (see #2995).
# Add the following line to bijiben.local at your own risk:
#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
restrict-namespaces