~/.config/firejail/firefox-common.local

# private-tmp does not work with kerberos (at least not when CCACHE it is stored in /tmp)
#ignore private-tmp

# To keep screen on when playing videos
#ignore nodbus


# private-tmp does not work with kerberos (at least not when CCACHE it is stored in /tmp)
ignore private-tmp

# Uncomment or put in your firefox.local to enable native notifications.
dbus-user.talk org.freedesktop.Notifications
# Uncomment or put in your firefox.local to allow to inhibit screensavers
dbus-user.talk org.freedesktop.ScreenSaver
# Uncomment or put in your firefox.local for plasma browser integration
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver

# To allow nss mymachines to query nspawn machine names
# Probably should be replaced by some other more specific rule though.
ignore dbus-system none

# Allow ICAClient to access its config etc.
whitelist ${HOME}/.ICAClient

~/.config/firejail/spotify.local

# Workaround after spotify-client 1:1.1.84.716.gc5f8b819-2 that installs symlink for /usr/bin/spotify

#private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
private-bin bash,cat,dirname,find,grep,head,rm,sh,tclsh,touch,zenity
ignore private-bin

Also need to change firetools to launch /usr/share/spotify/spotify instead of /usr/bin/spotify which is now just a symlink