Merge branch 'master' into revert-allow-deny-etc

16 files changed, 399 insertions, 114 deletions

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 688101d13..0f868d6c4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -34,6 +34,13 @@ If you want to write a new profile, the easiest way to do this is to use the
 [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
 If you have already written a profile, please make sure it follows the rules described in the template.
 
+If you add a new command, here's the checklist:
+
+ - [ ] Update manpages: firejail(1) and firejail-profile(5)
+ - [ ] Update shell completions
+ - [ ] Update vim syntax files
+ - [ ] Update --help
+
 # Editing the wiki
 
 You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/README.md b/README.md
index c635bf811..2fd8e3009 100644
--- a/README.md
+++ b/README.md
@@ -236,3 +236,5 @@ $ ./profstats *.profile
 ```
 
 ### New profiles:
+
+clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta
diff --git a/RELNOTES b/RELNOTES
index 905c25096..49b88ac08 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.67) baseline; urgency=low
   * work in progress
   * deprecated --disable-whitelist at compile time
   * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+  * new profiles: microsoft-edge-beta
  -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index fd907034f..44983dd14 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -320,6 +320,7 @@ blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
+blacklist ${HOME}/.config/microsoft-edge-beta
 blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
@@ -449,6 +450,7 @@ blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/zim
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
@@ -684,6 +686,7 @@ blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
+blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
 blacklist ${HOME}/.local/share/jami
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
@@ -840,6 +843,7 @@ blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
+blacklist ${HOME}/.rednotebook
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
@@ -1010,6 +1014,7 @@ blacklist ${HOME}/.cache/gummi
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
 blacklist ${HOME}/.cache/iridium
 blacklist ${HOME}/.cache/JetBrains/CLion*
 blacklist ${HOME}/.cache/kcmshell5
@@ -1031,6 +1036,7 @@ blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/marker
 blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-beta
 blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
@@ -1066,6 +1072,7 @@ blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/quodlibet
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rednotebook
 blacklist ${HOME}/.cache/rhythmbox
 blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
@@ -1096,3 +1103,4 @@ blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
 blacklist ${HOME}/.cache/youtube-dl
 blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/zim
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index 1ecc03da1..7f9d0f6e7 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -23,6 +23,7 @@ mkdir ${HOME}/.config/avidemux3_qt5rc
 whitelist ${HOME}/.avidemux6
 whitelist ${HOME}/.config/avidemux3_qt5rc
 whitelist ${VIDEOS}
+
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
new file mode 100644
index 000000000..b9ed0de8e
--- /dev/null
+++ b/etc/profile-a-l/lifeograph.profile
@@ -0,0 +1,58 @@
+# Firejail profile for lifeograph
+# Description: Lifeograph is a diary program to take personal notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lifeograph.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${DOCUMENTS}
+
+deny /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+allow ${DOCUMENTS}
+allow /usr/share/lifeograph
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin lifeograph
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/io.github.lainsce.Notejot.profile b/etc/profile-m-z/io.github.lainsce.Notejot.profile
new file mode 100644
index 000000000..a8029db72
--- /dev/null
+++ b/etc/profile-m-z/io.github.lainsce.Notejot.profile
@@ -0,0 +1,61 @@
+# Firejail profile for notejot
+# Description: Jot your ideas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include io.github.lainsce.Notejot.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${HOME}/.cache/io.github.lainsce.Notejot
+nodeny ${HOME}/.local/share/io.github.lainsce.Notejot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/io.github.lainsce.Notejot
+mkdir ${HOME}/.local/share/io.github.lainsce.Notejot
+allow ${HOME}/.cache/io.github.lainsce.Notejot
+allow ${HOME}/.local/share/io.github.lainsce.Notejot
+allow /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin io.github.lainsce.Notejot
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own io.github.lainsce.Notejot
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile
new file mode 100644
index 000000000..67281c518
--- /dev/null
+++ b/etc/profile-m-z/rednotebook.profile
@@ -0,0 +1,67 @@
+# Firejail profile for rednotebook
+# Description: Daily journal with calendar, templates and keyword searching
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rednotebook.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${HOME}/.cache/rednotebook
+nodeny ${HOME}/.rednotebook
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/rednotebook
+mkdir ${HOME}/.rednotebook
+allow ${HOME}/.cache/rednotebook
+allow ${HOME}/.rednotebook
+allow ${DESKTOP}
+allow ${DOCUMENTS}
+allow ${DOWNLOADS}
+allow ${MUSIC}
+allow ${PICTURES}
+allow ${VIDEOS}
+allow /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python3*,rednotebook
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile
new file mode 100644
index 000000000..5ae9cddb3
--- /dev/null
+++ b/etc/profile-m-z/zim.profile
@@ -0,0 +1,72 @@
+# Firejail profile for Zim
+# Description: Desktop wiki & notekeeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zim.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${HOME}/.cache/zim
+nodeny ${HOME}/.config/zim
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+deny /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/zim
+mkdir ${HOME}/.config/zim
+mkdir ${HOME}/Notebooks
+allow ${HOME}/.cache/zim
+allow ${HOME}/.config/zim
+allow ${HOME}/Notebooks
+allow ${DESKTOP}
+allow ${DOCUMENTS}
+allow ${DOWNLOADS}
+allow ${MUSIC}
+allow ${PICTURES}
+allow ${VIDEOS}
+allow /usr/share/zim
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python*,zim
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 7052f7509..3b0ad0aed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -45,8 +45,8 @@ amule
 amuled
 android-studio
 anydesk
-apostrophe
 apktool
+apostrophe
 # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
 archaudit-report
@@ -143,8 +143,8 @@ clawsker
 clementine
 clion
 clion-eap
-clipit
 clipgrab
+clipit
 cliqz
 clocks
 cmus
@@ -168,6 +168,7 @@ crow
 cryptocat
 cvlc
 cyberfox
+d-feet
 darktable
 dconf-editor
 ddgr
@@ -198,13 +199,12 @@ dragon
 drawio
 drill
 dropbox
-d-feet
 easystroke
-ebook-viewer
 ebook-convert
 ebook-edit
 ebook-meta
 ebook-polish
+ebook-viewer
 electron-mail
 electrum
 element-desktop
@@ -295,8 +295,8 @@ gimp-2.10
 gimp-2.8
 gist
 gist-paste
-gitg
 git-cola
+gitg
 github-desktop
 gitter
 # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
@@ -387,14 +387,15 @@ icecat
 icedove
 iceweasel
 idea
-ideaIC
 idea.sh
+ideaIC
 imagej
 img2txt
 impressive
 inkscape
 inkview
 inox
+io.github.lainsce.Notejot
 ipcalc
 ipcalc-ng
 iridium
@@ -453,6 +454,7 @@ librecad
 libreoffice
 librewolf
 librewolf-nightly
+lifeograph
 liferea
 lightsoff
 lincity-ng
@@ -508,6 +510,7 @@ mendeleydesktop
 menulibre
 meteo-qt
 microsoft-edge
+microsoft-edge-beta
 microsoft-edge-dev
 midori
 min
@@ -524,7 +527,6 @@ mp3splt-gtk
 mp3wrap
 mpDris2
 mpg123
-mpg123.bin
 mpg123-alsa
 mpg123-id3dump
 mpg123-jack
@@ -534,6 +536,7 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
+mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -675,6 +678,7 @@ qupzilla
 qutebrowser
 rambox
 redeclipse
+rednotebook
 redshift
 regextester
 remmina
@@ -735,8 +739,8 @@ steam
 steam-native
 steam-runtime
 stellarium
-strawberry
 straw-viewer
+strawberry
 strings
 studio.sh
 subdownloader
@@ -863,10 +867,10 @@ wire-desktop
 wireshark
 wireshark-gtk
 wireshark-qt
+wordwarvi
 wpp
 wps
 wpspdf
-wordwarvi
 x2goclient
 xbill
 xcalc
@@ -908,6 +912,7 @@ zaproxy
 zart
 zathura
 zeal
+zim
 zoom
 # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f64994e02..655e6e9d0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -985,24 +985,16 @@ int main(int argc, char **argv, char **envp) {
         int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
         char **ptr;
 
-#ifndef HAVE_SUID
-        if (geteuid() != 0) {
-                fprintf(stderr, "Error: Firejail needs to be SUID.\n");
-                fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
-                fprintf(stderr, "  chmod u+s /usr/bin/firejail\n");
-        }
-#endif
-
         // sanitize the umask
         orig_umask = umask(022);
 
-        // check standard streams before printing anything
-        fix_std_streams();
-
         // drop permissions by default and rise them when required
         EUID_INIT();
         EUID_USER();
 
+        // check standard streams before opening any file
+        fix_std_streams();
+
         // argument count should be larger than 0
         if (argc == 0 || !argv || strlen(argv[0]) == 0) {
                 fprintf(stderr, "Error: argv is invalid\n");
@@ -1012,16 +1004,6 @@ int main(int argc, char **argv, char **envp) {
                 exit(1);
         }
 
-        // Stash environment variables
-        for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
-                env_store(*ptr, SETENV);
-
-        // sanity check for environment variables
-        if (i >= MAX_ENVS) {
-                fprintf(stderr, "Error: too many environment variables\n");
-                exit(1);
-        }
-
         // sanity check for arguments
         for (i = 0; i < argc; i++) {
                 if (*argv[i] == 0) {
@@ -1034,82 +1016,29 @@ int main(int argc, char **argv, char **envp) {
                 }
         }
 
+        // Stash environment variables
+        for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
+                env_store(*ptr, SETENV);
+
+        // sanity check for environment variables
+        if (i >= MAX_ENVS) {
+                fprintf(stderr, "Error: too many environment variables\n");
+                exit(1);
+        }
+
         // Reapply a minimal set of environment variables
         env_apply_whitelist();
 
-        // check if the user is allowed to use firejail
-        init_cfg(argc, argv);
-
-        // get starting timestamp, process --quiet
-        timetrace_start();
+        // process --quiet
         const char *env_quiet = env_get("FIREJAIL_QUIET");
         if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
                 arg_quiet = 1;
 
-        // cleanup at exit
-        EUID_ROOT();
-        atexit(clear_atexit);
-
-        // build /run/firejail directory structure
-        preproc_build_firejail_dir();
-        const char *container_name = env_get("container");
-        if (!container_name || strcmp(container_name, "firejail")) {
-                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
-                if (lockfd_directory != -1) {
-                        int rv = fchown(lockfd_directory, 0, 0);
-                        (void) rv;
-                        flock(lockfd_directory, LOCK_EX);
-                }
-                preproc_clean_run();
-                flock(lockfd_directory, LOCK_UN);
-                close(lockfd_directory);
-        }
-        EUID_USER();
-
-        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
-        // these paths are disabled in disable-common.inc
-        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
-                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
-                        profile_add("noblacklist /sbin");
-                        profile_add("noblacklist /usr/sbin");
-                }
-        }
-
-        // for appimages we need to remove "include disable-shell.inc from the profile
-        // a --profile command can show up before --appimage
-        if (check_arg(argc, argv, "--appimage", 1))
-                arg_appimage = 1;
-
-        // process allow-debuggers
-        if (check_arg(argc, argv, "--allow-debuggers", 1)) {
-                // check kernel version
-                struct utsname u;
-                int rv = uname(&u);
-                if (rv != 0)
-                        errExit("uname");
-                int major;
-                int minor;
-                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
-                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
-                        exit(1);
-                }
-                if (major < 4 || (major == 4 && minor < 8)) {
-                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
-                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
-                                "Your current kernel version is %d.%d.\n", major, minor);
-                        exit(1);
-                }
-
-                arg_allow_debuggers = 1;
-                char *cmd = strdup("noblacklist ${PATH}/strace");
-                if (!cmd)
-                        errExit("strdup");
-                profile_add(cmd);
-        }
+        // check if the user is allowed to use firejail
+        init_cfg(argc, argv);
 
-        // profile builder
-        if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
-                run_builder(argc, argv); // this function will not return
+        // get starting timestamp
+        timetrace_start();
 
         // check argv[0] symlink wrapper if this is not a login shell
         if (*argv[0] != '-')
@@ -1134,15 +1063,40 @@ int main(int argc, char **argv, char **envp) {
                         __builtin_unreachable();
                 }
         }
-        EUID_ASSERT();
 
+        // profile builder
+        if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
+                run_builder(argc, argv); // this function will not return
 
-        // check firejail directories
         EUID_ROOT();
-        delete_run_files(sandbox_pid);
+#ifndef HAVE_SUID
+        if (geteuid() != 0) {
+                fprintf(stderr, "Error: Firejail needs to be SUID.\n");
+                fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
+                fprintf(stderr, "  chmod u+s /usr/bin/firejail\n");
+        }
+#endif
+
+        // build /run/firejail directory structure
+        preproc_build_firejail_dir();
+        const char *container_name = env_get("container");
+        if (!container_name || strcmp(container_name, "firejail")) {
+                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (lockfd_directory != -1) {
+                        int rv = fchown(lockfd_directory, 0, 0);
+                        (void) rv;
+                        flock(lockfd_directory, LOCK_EX);
+                }
+                preproc_clean_run();
+                flock(lockfd_directory, LOCK_UN);
+                close(lockfd_directory);
+        }
+
+        delete_run_files(getpid());
+        atexit(clear_atexit);
         EUID_USER();
 
-        //check if the parent is sshd daemon
+        // check if the parent is sshd daemon
         int parent_sshd = 0;
         {
                 pid_t ppid = getppid();
@@ -1199,7 +1153,8 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_ASSERT();
 
-        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd,
+        // insert command line options from /etc/firejail/login.users
         if (*argv[0] == '-' || parent_sshd) {
                 if (argc == 1)
                         login_shell = 1;
@@ -1251,6 +1206,47 @@ int main(int argc, char **argv, char **envp) {
 #endif
         EUID_ASSERT();
 
+        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+        // these paths are disabled in disable-common.inc
+        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+                        profile_add("noblacklist /sbin");
+                        profile_add("noblacklist /usr/sbin");
+                }
+        }
+
+        // process allow-debuggers
+        if (check_arg(argc, argv, "--allow-debuggers", 1)) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
+
+                arg_allow_debuggers = 1;
+                char *cmd = strdup("noblacklist ${PATH}/strace");
+                if (!cmd)
+                        errExit("strdup");
+                profile_add(cmd);
+        }
+
+        // for appimages we need to remove "include disable-shell.inc from the profile
+        // a --profile command can show up before --appimage
+        if (check_arg(argc, argv, "--appimage", 1))
+                arg_appimage = 1;
+
         // check for force-nonewprivs in /etc/firejail/firejail.config file
         if (checkcfg(CFG_FORCE_NONEWPRIVS))
                 arg_nonewprivs = 1;
@@ -2680,8 +2676,9 @@ int main(int argc, char **argv, char **envp) {
                 //*************************************
                 else if (strncmp(argv[i], "--timeout=", 10) == 0)
                         cfg.timeout = extract_timeout(argv[i] + 10);
-                else if (strcmp(argv[i], "--appimage") == 0)
-                        arg_appimage = 1;
+                else if (strcmp(argv[i], "--appimage") == 0) {
+                        // already handled
+                }
                 else if (strcmp(argv[i], "--shell=none") == 0) {
                         arg_shell_none = 1;
                         if (cfg.shell) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 665bef73d..0e5562d90 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -49,6 +49,7 @@ int check_namespace_virt(void) {
         // check PID 1 container environment variable
         EUID_ROOT();
         FILE *fp = fopen("/proc/1/environ", "re");
+        EUID_USER();
         if (fp) {
                 int c = 0;
                 while (c != EOF) {
@@ -69,7 +70,6 @@ int check_namespace_virt(void) {
                                 // found it
                                 if (is_container(buf + 10)) {
                                         fclose(fp);
-                                        EUID_USER();
                                         return 1;
                                 }
                         }
@@ -79,7 +79,6 @@ int check_namespace_virt(void) {
                 fclose(fp);
         }
 
-        EUID_USER();
         return 0;
 }
 
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 835dff2db..ce10ab157 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -50,13 +50,21 @@ void check_output(int argc, char **argv) {
         if (!outindex)
                 return;
 
-
-        // check filename
         drop_privs(0);
         char *outfile = argv[outindex];
         outfile += (enable_stderr)? 16:9;
+
+        // check filename
         invalid_filename(outfile, 0); // no globbing
 
+        // expand user home directory
+        if (outfile[0] == '~') {
+                char *full;
+                if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1)
+                        errExit("asprintf");
+                outfile = full;
+        }
+
         // do not accept directories, links, and files with ".."
         if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
                 fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index de31ebdd6..094a68c60 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1513,8 +1513,7 @@ void check_homedir(const char *dir) {
                 exit(1);
         }
         // symlinks are rejected in many places
-        if (has_link(dir)) {
-                fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
+        if (has_link(dir))
+                fmessage("No full support for symbolic links in path of user directory.\n"
                         "Please provide resolved path in password database (/etc/passwd).\n\n");
-        }
 }
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 258089a39..a2cccb0d4 100755
--- a/test/profiles/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -22,7 +22,7 @@ expect {
 }
 
 sleep 1
-send -- "ls -l /etc/shadow\r"
+send -- "ls -l /dev/console\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "root root"
diff --git a/test/profiles/test.profile b/test/profiles/test.profile
index 26d6de849..27cb99606 100644
--- a/test/profiles/test.profile
+++ b/test/profiles/test.profile
@@ -1,5 +1,5 @@
 blacklist /sbin/iptables
-blacklist /etc/shadow
+blacklist /dev/console
 blacklist /bin/rmdir
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount