minor improvements

exportFilter.c

@@ -60,7 +60,7 @@ int main(int argc, char *argv[])
     DENY_RULE (acct);
     DENY_RULE (add_key);
     DENY_RULE (adjtimex);
-    DENY_RULE (chroot);
+    /* DENY_RULE (chroot); required by firefox */
     DENY_RULE (clock_adjtime);
     DENY_RULE (create_module);
     DENY_RULE (delete_module);
@@ -112,7 +112,7 @@ int main(int argc, char *argv[])
     /* end of syscall filter list */
     
     
-    filter_fd = open("/tmp/seccomp_filter.bpf", O_CREAT | O_WRONLY, 0644);
+    filter_fd = open("seccomp_filter.bpf", O_CREAT | O_WRONLY, 0644);
     if (filter_fd == -1) {
         rc = -errno;
         goto out;

profiles/firefox

@@ -32,6 +32,7 @@ set -euo pipefail
      --ro-bind /etc/fonts /etc/fonts \
      --ro-bind /etc/mime.types /etc/mime.types \
      --ro-bind /etc/pulse /etc/pulse \
+     --ro-bind /etc/asound.conf /etc/asound.conf \
      --tmpfs /run \
      --ro-bind ~/.Xauthority /home/jail/.Xauthority \
      --bind ~/.mozilla /home/jail/.mozilla \

profiles/firefox-wayland

@@ -30,6 +30,7 @@ set -euo pipefail
      --ro-bind /etc/fonts /etc/fonts \
      --ro-bind /etc/mime.types /etc/mime.types \
      --ro-bind /etc/pulse /etc/pulse \
+     --ro-bind /etc/asound.conf /etc/asound.conf \
      --tmpfs /run \
      --ro-bind /run/user/"$(id -u)"/wayland-0 /run/user/"$(id -u)"/wayland-0 \
      --bind ~/.mozilla /home/jail/.mozilla \
@@ -41,6 +42,7 @@ set -euo pipefail
      --setenv HOME /home/jail \
      --setenv USER nobody \
      --setenv LOGNAME nobody \
+     --setenv MOZ_ENABLE_WAYLAND 1 \
      --unshare-user-try \
      --unshare-pid \
      --unshare-uts \