Update Librewolf profile and Add Sway profile #4164

Merged
merged 24 commits into from
Apr 19, 2021

vnepogodin
Contributor

Parent is shutting down when including firefox-common-addons.profile
error.log

Not working then including firefox-common-addons.profile
@vnepogodin vnepogodin changed the title from "Crash Librewolf" to "Crash Librewolf and Add Sway profile" Apr 4, 2021
Collaborator

@rusty-snake rusty-snake left a comment

LGTM, some suggestions below.

Should we make sway redirect to i3?

etc/profile-a-l/librewolf.profile (resolved)
etc/profile-a-l/sway.profile (resolved)
@ghost

ghost commented Apr 4, 2021

> LGTM, some suggestions below.
>
> Should we make sway redirect to i3?

Sway is almost i3 the .config are also same the main diff is wayland and x11 but why need to redirect to i3. I think sway profile will also be cool. If not working then we can redirect to i3 for sure 👍

@rusty-snake
Collaborator

> Sway is almost i3

That's the reason.

@glitsj16
Collaborator

glitsj16 commented Apr 4, 2021

@rusty-snake I agree it would make sense to implement sway as a redirect profile. Perhaps the term 'redirect' caused confusion in this context for other posters.

> Sway is almost i3 the .config are also same the main diff is wayland and x11 but why need to redirect to i3. I think sway profile will also be cool. If not working then we can redirect to i3 for sure

@BL4CKH47H4CK3R I think there's some confusion here. The 'redirect' relates to how we use one main profile for common options that are shared among several applications. It does not impact the way sway will work, it only affects the way we write firejail profiles to avoid doing the same stuff all over again.

@ghost ghost left a comment

@glitsj16, I know that desktop environment or windows manager doesn't matter when I am using firejail. But I see people are creating profile like for i3 which is redundant so I told. Even archiso is enough to run firejail 😄

etc/profile-a-l/librewolf.profile (resolved)
so..
`No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
@vnepogodin vnepogodin changed the title from "Crash Librewolf and Add Sway profile" to "Update Librewolf profile and Add Sway profile" Apr 4, 2021
Collaborator

@rusty-snake rusty-snake left a comment

Re-add include whitelist-usr-share-common.inc.

@vnepogodin
Contributor Author

> Re-add include whitelist-usr-share-common.inc.

Why?

@rusty-snake
Collaborator

TL;DR: It whitelists lots of important /usr/share folders.
Always use include {allow,whitelist}-common.inc in PRs.

The role of {allow,whitelist}-common.inc is to make maintaining profiles easier and cause less breakage. Always use them in PRs unless you can 100% guarantee that they are not required. The paths to some resources can differ between distros, others depend on the HW where it runs or the configuration. Or the version you run. Have you tested that it works on every major distro, with any configuration, any DE, any HW? It's not enough that it can start there. Can it play audio? Is HTTPS working? What about spellchecking? Just the first line (whitelist /usr/share/alsa) can you guarantee that not whitelisting /usr/share/alsa does not break sound? With raw alsa?
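
Added example, not part of the thread or of firejail's own tooling: a small Python check for the rule stated in the comment above that also follows redirect includes, so a shared include counts whether it sits in the profile itself or in the profile it redirects to. The profile names, their contents and the `REQUIRED` list are constructed assumptions; `whitelist-common.inc` and `whitelist-var-common.inc` are named here alongside the `whitelist-usr-share-common.inc` from the thread.

```python
import re

# Constructed, abbreviated profile texts for illustration; not real firejail files.
PROFILES = {
    "example.profile": (
        "include example.local\n"
        "noblacklist ${HOME}/.example\n"
        "#include whitelist-usr-share-common.inc\n"  # shared include disabled
        "# Redirect\n"
        "include example-common.profile\n"
    ),
    "example-common.profile": (
        "include example-common.local\n"
        "include disable-common.inc\n"
        "include whitelist-common.inc\n"
        "include whitelist-var-common.inc\n"
    ),
}

# Assumed set of shared whitelist includes a reviewer wants reachable.
REQUIRED = ("whitelist-common.inc", "whitelist-usr-share-common.inc",
            "whitelist-var-common.inc")

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")

def reachable_includes(name, profiles, seen=None):
    """Collect every file `name` pulls in, following redirects transitively."""
    seen = set() if seen is None else seen
    for line in profiles.get(name, "").splitlines():
        match = INCLUDE_RE.match(line)  # '#include ...' is a comment, no match
        if match and match.group(1) not in seen:
            seen.add(match.group(1))
            reachable_includes(match.group(1), profiles, seen)
    return seen

def missing_common(name, profiles, required=REQUIRED):
    """Return the required shared includes that `name` never reaches."""
    return sorted(set(required) - reachable_includes(name, profiles))

def with_include_restored(profiles, name, inc):
    """Return a copy of `profiles` with the commented-out `include inc` re-enabled."""
    fixed = dict(profiles)
    fixed[name] = profiles[name].replace("#include " + inc, "include " + inc)
    return fixed

if __name__ == "__main__":
    print(missing_common("example.profile", PROFILES))
    fixed = with_include_restored(PROFILES, "example.profile",
                                  "whitelist-usr-share-common.inc")
    print(missing_common("example.profile", fixed))
```

Files that are not in the dictionary (such as the `.local` overrides) are treated as empty, and the `seen` set keeps a circular include from recursing forever.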

@vnepogodin
Contributor Author

> TL;DR: It whitelists lots of important /usr/share folders.
>
> Always use include {allow,whitelist}-common.inc in PRs.
>
> The role of {allow,whitelist}-common.inc is to make maintaining profiles easier and cause less breakage. Always use them in PRs unless you can 100% guarantee that they are not required. The paths to some resources can differ between distros, others depend on the HW where it runs or the configuration. Or the version you run. Have you tested that it works on every major distro, with any configuration, any DE, any HW? It's not enough that it can start there. Can it play audio? Is HTTPS working? What about spellchecking? Just the first line (whitelist /usr/share/alsa) can you guarantee that not whitelisting /usr/share/alsa does not break sound? With raw alsa?

I agree but how about ?

#4164 (comment)

@rusty-snake
Collaborator

(Privacy is out of the scope of firejail, it's for security).

> its not needed as it reveals lots of important /usr/share folders

It's not needed because it reveals important folders???!

> like /usr/share/fonts which can used for font fingerprinting

This does not prevent font fingerprinting. Actually it makes the situation worse. If you whitelist /usr/share/fonts and don't install too many other fonts you have the same font FP as any other user of your distro. If you omit it and put on a gas mask you're even more unique.

> and OS detection

Your OS can be detected anyway.

  • Linux has another TCP/IP stack than Windows => Passive detection possible.
  • Some math operations on floating-point numbers have other results on Linux than on Windows. => Active detection via JavaScript
  • Your scrollbar-width depends on your GTK-Theme and version => Active detection via JS or CSS possible.
  • Your HTTP-UA contains your OS.
  • Your JS-UA contains your OS, even with RFP.
  • ...

> Linux and windows common font are not same so its a problem.

Masking your fonts still does not make them the same.

> Librewolf can launch

yes

> work perfectly without this options

no (I'm 90% sure it can not open HTTPS on some system without wusc)

@rusty-snake
Collaborator

BTW I don't think whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini (firefox-search-provider) is used.

Revert `include whitelist-usr-share-common.inc`
Sync with Firefox profile
# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
# librewolf requires a shell to launch on Arch.
#private-bin bash,dbus-launch,dbus-send,env,librewolf,sh,which
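Review bot: both variants of the commented-out private-bin line still list bash next to sh, plus dbus-launch, dbus-send, env and which, while the comment above it only says that a shell is needed to launch on Arch. Say in the comment which of these the launcher actually needs and trim the list to what was tested, so that anyone who enables the line does not keep more binaries inside the sandbox than the browser requires.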
Collaborator

Based on https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=librewolf#n325 it's just private-bin librewolf,sh if anyone wants to test ...

etc/profile-a-l/librewolf.profile (outdated, resolved)
@rusty-snake
Collaborator

This PR has a merge conflict, please rebase.

@rusty-snake rusty-snake mentioned this pull request Apr 14, 2021
# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
# Add the next line to your librewolf.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
Collaborator

Suggested change
#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
#private-bin bash,dbus-launch,dbus-send,env,librewolf,sh,which

Contributor Author

@vnepogodin vnepogodin Apr 18, 2021

I had added it before but it can't merge changes
1d8c94c

btw tested

Collaborator

After a rebase (unlike a merge of master) it should work w/o conflicting. Rebasing and squashing some of the commits makes sense anyway if you look at the history. So if you can do an interactive rebase.

Contributor Author

done 😃

Not working then including firefox-common-addons.profile
so..
`No its not needed as it reveals lots of important /usr/share folders like /usr/share/fonts which can used for font fingerprinting and OS detection. Like the site or attacker will know that which font you are using. Linux and windows common font are not same so its a problem. Besides there are so many other important folders as I see. Librewolf can launch and work perfectly without this options`
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
@rusty-snake rusty-snake merged commit 98ed471 into netblue30:master Apr 19, 2021
@rusty-snake
Collaborator

merged, thanks!

@matu3ba matu3ba mentioned this pull request Oct 7, 2021