Merge branch 'master' of ssh://github.com/netblue30/firejail

7 files changed, 50 insertions, 41 deletions

diff --git a/RELNOTES b/RELNOTES
index 49b88ac08..405888cc4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,7 +2,8 @@ firejail (0.9.67) baseline; urgency=low
   * work in progress
   * deprecated --disable-whitelist at compile time
   * deprecated whitelist=yes/no in /etc/firejail/firejail.config
-  * new profiles: microsoft-edge-beta
+  * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
+  * new profiles: io.github.lainsce.Notejot, rednotebook
  -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 87a0a0994..19addd285 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -6,5 +6,4 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-# kcmp is required for ozone-platform=wayland, see #3783.
-seccomp !chroot,!kcmp
+seccomp !chroot
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index e19b78908..fdf94ec41 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,6 +5,21 @@ include code.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
 noblacklist ${HOME}/.vscode
@@ -13,31 +28,13 @@ noblacklist ${HOME}/.vscode-oss
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-cache
-private-dev
-private-tmp
 
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
 # noexec ${HOME}
 noexec /tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b7091f1fc..f909728a5 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -12,6 +12,12 @@ ignore noexec ${HOME}
 #ignore nogroups
 #ignore noroot
 #ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 3fe3428d0..b8a551b6c 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !kcmp
+seccomp
 shell none
 tracelog
 
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 3992c984a..38f789923 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -89,18 +89,24 @@ Inheritance of groups
 What to do if seccomp breaks a program
 --------------------------------------
 
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
+
 ```
-$ journalctl --grep=syscall --follow
-<...> audit[…]: SECCOMP <...> syscall=161 <...>
-$ firejail --debug-syscalls | grep 161
-161 - chroot
+term1$ journalctl --grep=SECCOMP --follow
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
+term1$ (journalctl --grep=SECCOMP --follow)
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161     - chroot
 ```
 Profile: `seccomp -> seccomp !chroot`
-
-Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
-Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-will see something like `NUMBER  - NAME`, because you now know the name of the
-syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
-
-If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh
index 709008e08..96402aed6 100755
--- a/src/tools/profcleaner.sh
+++ b/src/tools/profcleaner.sh
@@ -38,8 +38,8 @@ else
 fi
 
 sed -i -E \
-        -e "s/^(# |#)?blacklist/\1deny/" \
-        -e "s/^(# |#)?noblacklist/\1nodeny/" \
-        -e "s/^(# |#)?whitelist/\1allow/" \
-        -e "s/^(# |#)?nowhitelist/\1noallow/" \
+        -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \
+        -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \
+        -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \
+        -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \
         "${profiles[@]}"