Merge branch 'master' of https://github.com/netblue30/firejail

22 files changed, 165 insertions, 89 deletions

diff --git a/README.md b/README.md
index d6a7877ca..9e61e5633 100644
--- a/README.md
+++ b/README.md
@@ -101,17 +101,15 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 ## Current development version: 0.9.57
 
-## New Long Term Support (LTS) version
+## New Long Term Support (0.9.56-LTS) version released
 
-We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old.
 The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely
 used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib),
 and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as
 seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened.
 
-We have an rc1 release out, the final version will follow in the next few weeks:
 `````
-firejail (0.9.56-LTS~rc1) baseline; urgency=low
+firejail (0.9.56-LTS) baseline; urgency=low
   * code based on Firejail version 0.9.56
   * much smaller code base for SUID executable
   * command line options removed:
@@ -124,7 +122,7 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low
      --disable-globalcfg, --disable-network, --disable-userns,
      --disable-whitelist, --disable-suid, --enable-fatal-warnings,
      --enable-busybox-workaround
- -- netblue30 <netblue30@yahoo.com>  Wed, 3 Oct 2018 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sun, 21 Oct 2018 08:00:00 -0500
 `````
 
 The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index e7062c5b8..13ed13058 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,7 +27,7 @@ nodbus
 nodvd
 nogroups
 notv
-nou2f
+?BROWSER_DISABLE_U2F: nou2f
 shell none
 
 disable-mnt
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index d220f381b..74b653385 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -3,9 +3,9 @@
 include disable-common.local
 
 # The following block breaks trash functionality in file managers
-#read-only  ${HOME}/.local
+#read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-blacklist   ${HOME}/.local/share/Trash
+blacklist ${HOME}/.local/share/Trash
 
 # History files in $HOME and clipboard managers
 blacklist-nolog ${HOME}/.*_history
@@ -122,7 +122,7 @@ read-only ${HOME}/.local/share/kssl
 blacklist /run/user/*/kdeinit5__*
 # blacklist /run/user/*/ksocket-*/kdeinit4__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
-#  - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
+# causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
 # gnome
 # contains extensions, last used times of applications, and notifications
@@ -133,7 +133,7 @@ blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
 # blacklist /var/run/systemd
-#  - creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
@@ -173,7 +173,7 @@ blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
-#          every sandbox, unless --writeble-var-log switch is activated
+# every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 5c41692da..43ccb358b 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -4,8 +4,14 @@ include disable-devel.local
 
 # development tools
 
+# clang/llvm
+blacklist ${PATH}/clang*
+blacklist ${PATH}/lldb*
+blacklist ${PATH}/llvm*
+# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
+# blacklist /usr/lib/llvm*
+
 # GCC
-#blacklist /usr/lib/gcc - seems to create problems on Gentoo
 blacklist ${PATH}/as
 blacklist ${PATH}/cc
 blacklist ${PATH}/c++*
@@ -21,40 +27,35 @@ blacklist ${PATH}/*-g++*
 blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 blacklist /usr/include
+# seems to create problems on Gentoo
+#blacklist /usr/lib/gcc
 
-# clang/llvm
-blacklist ${PATH}/clang*
-blacklist ${PATH}/lldb*
-blacklist ${PATH}/llvm*
-# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
-# blacklist /usr/lib/llvm*
-
-# tcc - Tiny C Compiler
-blacklist ${PATH}/tcc
-blacklist ${PATH}/x86_64-tcc
-blacklist /usr/lib/tcc
-
-# Valgrind
-blacklist ${PATH}/valgrind*
-blacklist /usr/lib/valgrind
+#Go
+blacklist ${PATH}/gccgo
+blacklist ${PATH}/go
+blacklist ${PATH}/gofmt
 
 # Java
 blacklist ${PATH}/java
 blacklist ${PATH}/javac
-blacklist /usr/lib/java
 blacklist /etc/java
+blacklist /usr/lib/java
 blacklist /usr/share/java
 
-#Go
-blacklist ${PATH}/gccgo
-blacklist ${PATH}/go
-blacklist ${PATH}/gofmt
+#OpenSSL
+blacklist ${PATH}/openssl
+blacklist ${PATH}/openssl-1.0
 
 #Rust
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
 
-#OpenSSL
-blacklist ${PATH}/openssl
-blacklist ${PATH}/openssl-1.0
+# tcc - Tiny C Compiler
+blacklist ${PATH}/tcc
+blacklist ${PATH}/x86_64-tcc
+blacklist /usr/lib/tcc
+
+# Valgrind
+blacklist ${PATH}/valgrind*
+blacklist /usr/lib/valgrind
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 0d5f5737e..22f58bb85 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -4,8 +4,8 @@ include disable-interpreters.local
 
 # Lua
 blacklist ${PATH}/lua*
-blacklist /usr/lib/lua
 blacklist /usr/include/lua*
+blacklist /usr/lib/lua
 blacklist /usr/share/lua
 
 # Node.js
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 72e1a66ee..316378cb8 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx
 blacklist ${HOME}/.config/keepassxc
 blacklist ${HOME}/.config/Sinew Software Systems
+blacklist ${HOME}/.fpm
 blacklist ${HOME}/.keepass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepassxc
@@ -15,4 +16,3 @@ blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.password-store
-blacklist ${HOME}/.fpm
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 9e94d8aa1..4ef0f2f53 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -2,10 +2,12 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
 
+blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/snap
+blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
@@ -35,9 +37,9 @@ blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
+blacklist ${HOME}/.asunder_album_artist
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
-blacklist ${HOME}/.asunder_album_artist
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
@@ -315,9 +317,9 @@ blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
+blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
 blacklist ${HOME}/.kde/share/config/baloorc
 blacklist ${HOME}/.kde/share/config/digikam
@@ -540,8 +542,6 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
-blacklist ${HOME}/Arduino
-blacklist ${HOME}/wallet.dat
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
 
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 31b071fe1..722a398cb 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -37,7 +37,7 @@ nogroups
 nonewprivs
 noroot
 notv
-nou2f
+?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
diff --git a/etc/firejail.config b/etc/firejail.config
index d7106e76c..00f2c1b5d 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -5,6 +5,9 @@
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
+# Disable U2F in browsers, default enabled.
+# browser-disable-u2f yes
+
 # Number of ARP probes sent when assigning an IP address for --net option,
 # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
 # timeout is implemented for each probe. Increase this number to 4 if your
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 38ec5d85d..9c1b7b92c 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,6 +20,10 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
 
+# dconf
+mkdir ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig
@@ -48,11 +52,8 @@ whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
 whitelist ${HOME}/.local/share/themes
 whitelist ${HOME}/.themes
 
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-
 # qt/kde
+whitelist ${HOME}/.cache/kioexec/krun
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
@@ -73,4 +74,3 @@ whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct
-whitelist ${HOME}/.cache/kioexec/krun
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 50f952e91..45e28fe40 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -371,6 +371,15 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        // browser-disable-u2f
+                        else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) {
+                                if (strcmp(ptr + 20, "yes") == 0)
+                                        cfg_val[CFG_BROWSER_DISABLE_U2F] = 1;
+                                else if (strcmp(ptr + 20, "no") == 0)
+                                        cfg_val[CFG_BROWSER_DISABLE_U2F] = 0;
+                                else
+                                        goto errout;
+                        }
                         else
                                 goto errout;
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7f6ed2586..8a397e3d8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -461,7 +461,6 @@ void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext);
 int profile_find_firejail(const char *name, int add_ext);
 // read a profile file
 void profile_read(const char *fname);
@@ -771,6 +770,7 @@ enum {
         CFG_JOIN,
         CFG_ARP_PROBES,
         CFG_XPRA_ATTACH,
+        CFG_BROWSER_DISABLE_U2F,
         CFG_PRIVATE_LIB,
         CFG_APPARMOR,
         CFG_DBUS,
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 23d9a1d51..4cb87aaa6 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2244,21 +2244,18 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
-                else if (strcmp(argv[i], "--") == 0) {
+                else {
                         // double dash - positional params to follow
-                        arg_doubledash = 1;
-                        i++;
-                        if (i  >= argc) {
-                                fprintf(stderr, "Error: program name not found\n");
-                                exit(1);
+                        if (strcmp(argv[i], "--") == 0) {
+                                arg_doubledash = 1;
+                                i++;
+                                if (i  >= argc) {
+                                        fprintf(stderr, "Error: program name not found\n");
+                                        exit(1);
+                                }
                         }
-                        extract_command_name(i, argv);
-                        prog_index = i;
-                        break;
-                }
-                else {
                         // is this an invalid option?
-                        if (*argv[i] == '-') {
+                        else if (*argv[i] == '-') {
                                 fprintf(stderr, "Error: invalid %s command line option\n", argv[i]);
                                 return 1;
                         }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c7c8fd9fa..5f5d94ddf 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -25,7 +25,8 @@ extern char *xephyr_screen;
 #define MAX_READ 8192                             // line buffer for profile files
 
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext) {
+// return  1 if a profile was found
+static int profile_find(const char *name, const char *dir, int add_ext) {
         EUID_ASSERT();
         assert(name);
         assert(dir);
@@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) {
 }
 
 // search and read the profile specified by name from firejail directories
+// return  1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
         // look for a profile in ~/.config/firejail directory
         char *usercfgdir;
@@ -139,6 +141,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) {
                 bool value;     // true if set
         } conditionals[] = {
                 {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
+                {"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0},
                 NULL
         }, *cond = conditionals;
         char *tmp = ptr, *msg = NULL;
@@ -1437,7 +1440,13 @@ void profile_read(const char *fname) {
                                 ptr2++;
                         // profile path contains no / chars, do a search
                         if (*ptr2 == '\0') {
-                                profile_find_firejail(newprofile, 0);
+                                int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory
+                                if (!rv) {
+                                        // maybe this is a file in the local working directory?
+                                        // it will stop the sandbox if not!
+                                        // Note: if the file ends in .local it will not stop the program
+                                        profile_read(newprofile);
+                                }
                         }
                         else {
                                 profile_read(newprofile);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e26b5f989..251346bd5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditional supported is HAS_APPIMAGE.
+Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
 
diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp
new file mode 100755
index 000000000..c70e7ad57
--- /dev/null
+++ b/test/profiles/profile_appname.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=firefox\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/firefox.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile /etc/firejail/firefox-common.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "shell=none configured, but no program specified"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp
index b3b031cb2..9f8cb54e2 100755
--- a/test/profiles/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --profile=/etc/shadow\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "cannot access profile"
+        "inaccessible profile file"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp
new file mode 100755
index 000000000..66e4510bf
--- /dev/null
+++ b/test/profiles/profile_recursivity.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=test3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile test3.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile test3.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "maximum profile include level was reached"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 4d621f3ec..da34b67e8 100755
--- a/test/profiles/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --debug --profile=test2.profile\r"
+send -- "firejail --profile=test2.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Reading profile test2.profile"
@@ -18,29 +18,8 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Mounting a new /home directory"
+        "cannot access profile file"
 }
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Disable /bin/rmdir" {puts "Most Linux platforms\n"}
-        "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"}
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Drop CAP_SYS_MODULE"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "seccomp entries in /run/firejail/mnt/seccomp"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "jeq mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
-}
-send -- "exit\r"
+
 after 100
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index 7c3549aea..a3d24ac0c 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -6,6 +6,33 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
+echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)"
+./profile_recursivity.exp
+
+echo "TESTING: profile application name (test/profiles/profile_appname.exp)"
+./profile_appname.exp
+
+echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
+./profile_syntax.exp
+
+echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+
+echo "TESTING: ignore command (test/profiles/ignore.exp)"
+./ignore.exp
+
+echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
+./profile_readonly.exp
+
+echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+./profile_followlnk.exp
+
+echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
+./profile_noperm.exp
+
+
+
+
 echo "TESTING: default profiles installed in /etc"
 PROFILES=`ls /etc/firejail/*.profile`
 for PROFILE in $PROFILES
diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile
index e219d800d..9fbd5219a 100644
--- a/test/profiles/test2.profile
+++ b/test/profiles/test2.profile
@@ -1,4 +1,6 @@
-caps    
+caps
 seccomp
   private
   include test.profile
+  include test.local
+  include test25.profile
diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile
new file mode 100644
index 000000000..c28ddadb5
--- /dev/null
+++ b/test/profiles/test3.profile
@@ -0,0 +1 @@
+include test3.profile
\ No newline at end of file