====== Firejail ======

===== Firefox modifications =====

~/.config/firejail/firefox-common.local

<code>
# private-tmp does not work with kerberos (at least not when the CCACHE is stored in /tmp)
#ignore private-tmp

# To keep screen on when playing videos
#ignore nodbus

# private-tmp does not work with kerberos (at least not when the CCACHE is stored in /tmp)
ignore private-tmp

# Uncomment or put in your firefox.local to enable native notifications.
dbus-user.talk org.freedesktop.Notifications

# Uncomment or put in your firefox.local to allow inhibiting screensavers
dbus-user.talk org.freedesktop.ScreenSaver

# Uncomment or put in your firefox.local for plasma browser integration
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver

# To allow nss mymachines to query nspawn machine names
# Probably should be replaced by some other more specific rule though.
ignore dbus-system none

# Allow ICAClient to access its config etc.
whitelist ${HOME}/.ICAClient
</code>

===== Spotify =====

<code>
# Workaround after spotify-client 1:1.1.84.716.gc5f8b819-2 that installs files that are not owned by root
chown -R root:root /usr/share/spotify
</code>

===== Firefox in /usr/local/firefox =====

AppArmor will stop firejail from executing Firefox from /usr/local/firefox.

Fix this by creating the file /etc/apparmor.d/local/firejail-default:

<code>
# Allow running firefox from /usr/local/firefox
#/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}firefox/** ix,
/usr/local/firefox/** ix,
</code>
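
The firefox-common.local override in the Firefox modifications section relaxes the sandbox in three ways: ignore lines, D-Bus rules and a whitelist. The script below is an added example, not part of the original page or of firejail, that lists every active directive in such a file by category; the function names are hypothetical and the sample file is constructed from the directives shown above.

```shell
#!/bin/sh
# Added example: list what a firejail *.local override relaxes.
# All function names are hypothetical helpers, not firejail commands.

# Write a constructed sample (directives from the Firefox section) to "$1".
write_sample_local() {
    cat > "$1" <<'EOF'
#ignore private-tmp
#ignore nodbus
ignore private-tmp
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver
ignore dbus-system none
whitelist ${HOME}/.ICAClient
EOF
}

# Print one "CATEGORY<TAB>detail" line per active directive in file "$1".
audit_firejail_local() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blanks
        # detail = the line with its first word (the directive) removed
        { detail = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", detail) }
        $1 == "ignore"    { print "DISABLED\t" detail; next }
        $1 ~ /^dbus-(user|system)\.own$/  { print "DBUS-OWN\t" $1 " " detail; next }
        $1 ~ /^dbus-(user|system)\.talk$/ { print "DBUS-TALK\t" $1 " " detail; next }
        $1 == "whitelist" { print "FS-ALLOW\t" detail; next }
        { print "OTHER\t" $0 }
    ' "$1"
}

# Count the directives of one category: count_category FILE CATEGORY
count_category() {
    audit_firejail_local "$1" |
        awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Demo on the constructed sample. To audit a real override, run
# audit_firejail_local ~/.config/firejail/firefox-common.local
demo_file=$(mktemp)
write_sample_local "$demo_file"
audit_firejail_local "$demo_file"
rm -f "$demo_file"
```

Each DISABLED line names a directive of the stock profile that no longer applies, so "dbus-system none" appearing there means the system bus restriction is switched off entirely, which is the rule the config comment says should be replaced by something more specific.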