fixes

8 files changed, 122 insertions, 23 deletions

diff --git a/etc/chromium.profile b/etc/chromium.profile
index 980e539d5..03745c1ce 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -9,8 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 
 netfilter
-whitelist ~/Downloads
-whitelist ~/Загрузки
+whitelist ${DOWNLOADS}
 whitelist ~/.config/chromium
 include /etc/firejail/whitelist-common.inc
 
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 7b3febbae..aa7808c37 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -9,9 +9,8 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 noroot
+whitelist ${DOWNLOADS}
 whitelist ~/.mozilla
-whitelist ~/Downloads
-whitelist ~/Загрузки
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
 whitelist ~/.zotero
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index d018554d5..95238a956 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -27,11 +27,84 @@
 #include <fcntl.h>
 #include <errno.h>
 
+static char *dentry[] = {
+        "Downloads",
+        "Загрузки",
+        "Téléchargement",
+        NULL
+};
+
+#define MAXBUF 4098
+static char *resolve_downloads(void) {
+        char *fname;
+        struct stat s;
+
+        // try a well known download directory name
+        int i = 0;
+        while (dentry[i] != NULL) {
+                if (asprintf(&fname, "%s/%s", cfg.homedir, dentry[i]) == -1)
+                        errExit("asprintf");
+                
+                if (stat(fname, &s) == 0) {
+                        free(fname);
+                        if (arg_debug)
+                                printf("Downloads directory resolved as \"Downloads\"\n");
+                        
+                        char *rv;
+                        if (asprintf(&rv, "whitelist ~/%s", dentry[i]) == -1)
+                                errExit("asprintf");
+                        return rv;
+                }
+                free(fname);
+                i++;
+        }
+
+        // try a name form ~/.config/user-dirs.dirs
+        if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                free(fname);
+                return NULL;
+        }               
+        free(fname);
+        
+        // extract downloads directory
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                char *ptr = buf;
+                
+                // skip blanks
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                if (*ptr == '\0' || *ptr == '\n' || *ptr == '#')
+                        continue;
+
+                if (strncmp(ptr, "XDG_DOWNLOAD_DIR=\"$HOME/", 24) == 0) {
+                        char *ptr1 = strchr(ptr + 24, '"');
+                        if (ptr1) {
+                                *ptr1 = '\0';
+                                fclose(fp);
+                                if (arg_debug)
+                                        printf("Downloads directory resolved as \"%s\"\n", ptr + 24);
+                                
+                                char *rv;
+                                if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)
+                                        errExit("asprintf");
+                                return rv;
+                        }
+                }
+        }
+        fclose(fp);
+        
+        return NULL;
+}
+
 static int mkpath(const char* path, mode_t mode) {
         assert(path && *path);
         
         mode |= 0111;
-        
+
         // create directories with uid/gid as root or as current user if inside home directory
         uid_t uid = getuid();
         gid_t gid = getgid();
@@ -211,6 +284,25 @@ void fs_whitelist(void) {
                         continue;
                 }
 
+                // resolve ${DOWNLOADS}
+                if (strcmp(entry->data + 10, "${DOWNLOADS}") == 0) {
+                        char *tmp = resolve_downloads();
+                        if (tmp)
+                                entry->data = tmp;
+                        else {
+                                *entry->data = '\0';
+                                fprintf(stderr, "***\n");
+                                fprintf(stderr, "*** Error: cannot whitelist Downloads directory\n");
+                                fprintf(stderr, "***\n");
+                                fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n");
+                                fprintf(stderr, "*** Please contact the developer. Workaround:\n");
+                                fprintf(stderr, "***\n");
+                                fprintf(stderr, "***       firejail --ignore=whitelist program-name\n");
+                                fprintf(stderr, "***\n");
+                                continue;
+                        }
+                }
+
                 // replace ~/ or ${HOME} into /home/username
                 new_name = expand_home(entry->data + 10, cfg.homedir);
                 assert(new_name);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 02eab1a86..2981683aa 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -737,7 +737,7 @@ int main(int argc, char **argv) {
                 }
                 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
                         if (custom_profile) {
-                                fprintf(stderr, "Error: please use --profile after --include\n");
+                                fprintf(stderr, "Error: please use --profile after --ignore\n");
                                 exit(1);
                         }
 
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0d9479a02..45f7ec364 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -574,13 +574,15 @@ void invalid_filename(const char *fname) {
         assert(fname);
         const char *ptr = fname;
         
-        if (arg_debug && arg_debug_check_filename)
+        if (arg_debug_check_filename)
                 printf("Checking filename %s\n", fname);
         
         if (strncmp(ptr, "${HOME}", 7) == 0)
                 ptr = fname + 7;
         else if (strncmp(ptr, "${PATH}", 7) == 0)
                 ptr = fname + 7;
+        else if (strcmp(fname, "${DOWNLOADS}") == 0)
+                return;
 
         int len = strlen(ptr);
         // file globbing ('*') is allowed
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 39e0dbaf7..4f9f0cba9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -155,8 +155,15 @@ Define a custom whitelist Linux capabilities filter.
 Example:
 .br
 $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\
-setuid "/etc/init.d/nginx start && sleep inf"
+setuid /etc/init.d/nginx start
+.br
 
+.br
+A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
+should be made read-only independently. Making a parent directory read-only, will not
+make the whitelist read-only. Example:
+.br
+$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
 \fB\-\-caps.print=name
 Print the caps filter for the sandbox identified by name.
diff --git a/test/ignore.exp b/test/ignore.exp
index 8f8076fb3..c5ea25684 100755
--- a/test/ignore.exp
+++ b/test/ignore.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --profile=ignore.profile --ignore=seccomp \r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Error: please use --profile after --include"
+        "Error: please use --profile after --ignore"
 }
 
 send -- "firejail --debug --ignore=seccomp\r"
diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp
index 93beff8a1..e496e4aaf 100755
--- a/test/invalid_filename.exp
+++ b/test/invalid_filename.exp
@@ -23,7 +23,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --debug --noprofile --blacklist=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
         "Checking filename bla&&bla"
@@ -38,7 +38,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --noprofile --cgroup=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 2.1\n";exit}
         "Checking filename bla&&bla"
@@ -53,7 +53,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --noprofile --chroot=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "Checking filename bla&&bla"
@@ -68,7 +68,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --noprofile --netfilter=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 4.1\n";exit}
         "Checking filename bla&&bla"
@@ -83,7 +83,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --noprofile --output=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 5.2\n";exit}
         "Error:"
@@ -94,7 +94,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --noprofile --private=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
         "Checking filename bla&&bla"
@@ -109,7 +109,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --noprofile --private-bin=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 7.1\n";exit}
         "Checking filename bla&&bla"
@@ -124,7 +124,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --noprofile --private-home=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 8.1\n";exit}
         "Checking filename bla&&bla"
@@ -140,7 +140,7 @@ expect {
 after 100
 
 
-send -- "firejail --debug --noprofile --private-etc=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 9.1\n";exit}
         "Checking filename bla&&bla"
@@ -155,7 +155,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --profile=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
         "Checking filename bla&&bla"
@@ -170,7 +170,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --read-only=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 11.1\n";exit}
         "Checking filename bla&&bla"
@@ -185,7 +185,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --shell=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --shell=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 12.1\n";exit}
         "Checking filename bla&&bla"
@@ -200,7 +200,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --tmpfs=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 13.1\n";exit}
         "Checking filename bla&&bla"
@@ -215,7 +215,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug --whitelist=\"bla&&bla\"\r"
+send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 14.1\n";exit}
         "Checking filename bla&&bla"