diff --git a/exportFilter.c b/exportFilter.c
index 62558c0..ca49627 100644
--- a/exportFilter.c
+++ b/exportFilter.c
@@ -60,7 +60,7 @@ int main(int argc, char *argv[])
 DENY_RULE (acct);
 DENY_RULE (add_key);
 DENY_RULE (adjtimex);
- DENY_RULE (chroot);
+ /* DENY_RULE (chroot); required by firefox */
 DENY_RULE (clock_adjtime);
 DENY_RULE (create_module);
 DENY_RULE (delete_module);
@@ -112,7 +112,7 @@ int main(int argc, char *argv[])
 /* end of syscall filter list */
- filter_fd = open("/tmp/seccomp_filter.bpf", O_CREAT | O_WRONLY, 0644);
+ filter_fd = open("seccomp_filter.bpf", O_CREAT | O_WRONLY, 0644);
 if (filter_fd == -1) {
 rc = -errno;
 goto out;
diff --git a/profiles/firefox b/profiles/firefox
index 05205e0..2ff9077 100644
--- a/profiles/firefox
+++ b/profiles/firefox
@@ -32,6 +32,7 @@ set -euo pipefail
 --ro-bind /etc/fonts /etc/fonts \
 --ro-bind /etc/mime.types /etc/mime.types \
 --ro-bind /etc/pulse /etc/pulse \
+ --ro-bind /etc/asound.conf /etc/asound.conf \
 --tmpfs /run \
 --ro-bind ~/.Xauthority /home/jail/.Xauthority \
 --bind ~/.mozilla /home/jail/.mozilla \
diff --git a/profiles/firefox-wayland b/profiles/firefox-wayland
index 68d6e4d..e0a8949 100644
--- a/profiles/firefox-wayland
+++ b/profiles/firefox-wayland
@@ -30,6 +30,7 @@ set -euo pipefail
 --ro-bind /etc/fonts /etc/fonts \
 --ro-bind /etc/mime.types /etc/mime.types \
 --ro-bind /etc/pulse /etc/pulse \
+ --ro-bind /etc/asound.conf /etc/asound.conf \
 --tmpfs /run \
 --ro-bind /run/user/"$(id -u)"/wayland-0 /run/user/"$(id -u)"/wayland-0 \
 --bind ~/.mozilla /home/jail/.mozilla \
@@ -41,6 +42,7 @@ set -euo pipefail
 --setenv HOME /home/jail \
 --setenv USER nobody \
 --setenv LOGNAME nobody \
+ --setenv MOZ_ENABLE_WAYLAND 1 \
 --unshare-user-try \
 --unshare-pid \
 --unshare-uts \
diff --git a/profiles/seccomp_default_filter.bpf b/profiles/seccomp_default_filter.bpf
index 62f06bc..17dbfb8 100644
Binary files a/profiles/seccomp_default_filter.bpf and b/profiles/seccomp_default_filter.bpf differ
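Review bot: Commenting out `DENY_RULE (chroot);` relaxes the generated default filter for every profile that loads seccomp_default_filter.bpf (the regenerated binary is part of this commit), not only firefox, and the hunk records the reason as a dead statement rather than as a documented decision. If it is firefox's own content-process sandbox that needs chroot(2), say so and drop the commented-out code, e.g. `/* chroot is not denied: firefox's content sandbox calls it; note this widens the default filter for all profiles */`. It is worth considering a firefox-specific filter so the other profiles keep the deny. main() starts and ends outside the hunk.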
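Review bot: The rewritten `open()` call still lacks O_TRUNC, so regenerating into an existing `seccomp_filter.bpf` that is longer than the new program leaves stale trailing bytes behind and whatever loads the file gets an oversized or corrupt filter; use `filter_fd = open("seccomp_filter.bpf", O_CREAT | O_WRONLY | O_TRUNC, 0644);`. Leaving /tmp removes the shared-directory pre-creation hazard of the old path, but the output is now relative to the caller's working directory, which deserves a comment or a command-line argument. main() continues outside the hunk.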
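Review bot: `--ro-bind /etc/asound.conf /etc/asound.conf` makes bwrap fail outright on hosts where /etc/asound.conf does not exist (it is an optional ALSA file), and since the script runs under `set -euo pipefail` firefox would no longer start there; `--ro-bind-try /etc/asound.conf /etc/asound.conf \` keeps the same mount when the file exists and skips it otherwise. The same line is added in profiles/firefox-wayland at `@@ -30,6 +30,7 @@` and needs the same change.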