Merge branch 'master' of https://github.com/netblue30/firejail

25 files changed, 307 insertions, 19 deletions

diff --git a/README b/README
index 8aa1bf691..08b5180d2 100644
--- a/README
+++ b/README
@@ -547,13 +547,14 @@ rusty-snake (https://github.com/rusty-snake)
         - added profiles: kid3-qt, kid3-cli, anki, utox
         - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
         - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
-        - fixed profiles: gnome-logs, klavaro, default
+        - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany
+        - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro
+        - fixed profiles: default
         - hardened profiles: disable-common.inc, disable-programs.inc
         - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
         - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
         - hardened profiles: bibletime, whois, etr, display, feh
         - gnome-mpv was renamed to celluloid
-        - updates for ~/.cargo and ~/.python-history
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
diff --git a/README.md b/README.md
index 1a5b20a66..846e9d374 100644
--- a/README.md
+++ b/README.md
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 
 ## New profiles:
-anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
+anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
diff --git a/RELNOTES b/RELNOTES
index 80b5e58ff..4ced2cde6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -11,7 +11,7 @@ firejail (0.9.59) baseline; urgency=low
   * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
   * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
   * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
-  * new profiles: vultureseye, vulturesclaw, anki, utox
+  * new profiles: vultureseye, vulturesclaw, anki, cheese, utox
   * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
   * memory-deny-write-execute now also blocks memfd_create
   * drop support for flatpak/snap packages
diff --git a/etc/Cheese.profile b/etc/Cheese.profile
new file mode 100644
index 000000000..4bfce53a9
--- /dev/null
+++ b/etc/Cheese.profile
@@ -0,0 +1,7 @@
+# Firejail profile for cheese
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include cheese.profile
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index f989ab1ba..5f1c64682 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -6,6 +6,7 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/Authenticator
 noblacklist ${HOME}/.config/Authenticator
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -25,7 +26,7 @@ include disable-programs.inc
 
 # apparmor
 caps.drop all
-net none
+netfilter
 no3d
 # nodbus - makes settings immutable
 nodvd
@@ -36,15 +37,14 @@ nosound
 notv
 nou2f
 # novideo
-protocol unix
+protocol unix,inet,inet6
 seccomp
 shell none
 
 disable-mnt
-# private-bin authenticator
-private-cache
+# private-bin authenticator,python*
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,ca-certificates,fonts,ld.so.cache,ssl
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/cheese.profile b/etc/cheese.profile
new file mode 100644
index 000000000..b6cb0c9ce
--- /dev/null
+++ b/etc/cheese.profile
@@ -0,0 +1,43 @@
+# Firejail profile for cheese
+# Description: taking pictures and movies from a webcam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cheese.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cheese
+private-cache
+private-etc alternatives,fonts,drirc,clutter-1.0,gtk-3.0,dconf
+private-tmp
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 3c7423316..63983d93b 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -7,7 +7,7 @@ include chromium-common.local
 #include globals.local
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 96fd80daf..7e12b97b2 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/
 blacklist ${HOME}/.googleearth/myplaces.backup.kml
 blacklist ${HOME}/.googleearth/myplaces.kml
 blacklist ${HOME}/.gradle
+blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
 blacklist ${HOME}/.hedgewars
@@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
+blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.opencity
@@ -625,6 +628,7 @@ blacklist /tmp/ssh-*
 # ${HOME}/.cache directory
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Franz
diff --git a/etc/evince.profile b/etc/evince.profile
index b1f984784..1a429d673 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
+private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv
 private-tmp
 
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index a2a34f33f..080d9e81a 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -7,7 +7,7 @@ include firefox-common.local
 #include globals.local
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 # Uncomment the following line to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
diff --git a/etc/firejail.config b/etc/firejail.config
index b37edf7a5..497d9633e 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -5,9 +5,6 @@
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
-# Disable U2F in browsers, default enabled.
-# browser-disable-u2f yes
-
 # Number of ARP probes sent when assigning an IP address for --net option,
 # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
 # timeout is implemented for each probe. Increase this number to 4 if your
@@ -18,6 +15,12 @@
 # Enable or disable bind support, default enabled.
 # bind yes
 
+# Allow (DRM) execution in browsers, default disabled.
+# browser-allow-drm no
+
+# Disable U2F in browsers, default enabled.
+# browser-disable-u2f yes
+
 # Enable or disable cgroup support, default enabled.
 # cgroup yes
 
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile
new file mode 100644
index 000000000..8a53c63e3
--- /dev/null
+++ b/etc/freeoffice-planmaker.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-planmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-planmaker.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile
new file mode 100644
index 000000000..63be4da7f
--- /dev/null
+++ b/etc/freeoffice-presentations.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-presentations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-presentations.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile
new file mode 100644
index 000000000..4bca5a98c
--- /dev/null
+++ b/etc/freeoffice-textmaker.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-textmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-textmaker.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 36121c4b9..ee84a0994 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -42,7 +42,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
diff --git a/etc/gramps.profile b/etc/gramps.profile
new file mode 100644
index 000000000..764c14b60
--- /dev/null
+++ b/etc/gramps.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gramps
+# Description: genealogy program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gramps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gramps
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gramps
+whitelist ${HOME}/.gramps
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/midori.profile b/etc/midori.profile
index d59a6a16b..e4d39cd70 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -14,7 +14,7 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/min.profile b/etc/min.profile
index eec81677d..c89df0a95 100644
--- a/etc/min.profile
+++ b/etc/min.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/mpv.profile b/etc/mpv.profile
index c2ae9c6f9..34542b11b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -1,6 +1,7 @@
 # Firejail profile for mpv
 # Description: Video player based on MPlayer/mplayer2
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpv.local
 # Persistent global definitions
@@ -44,4 +45,5 @@ shell none
 tracelog
 
 private-bin mpv,youtube-dl,python*,env
+private-cache
 private-dev
diff --git a/etc/newsboat.profile b/etc/newsboat.profile
new file mode 100644
index 000000000..e063abe53
--- /dev/null
+++ b/etc/newsboat.profile
@@ -0,0 +1,47 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.newsboat
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+memory-deny-write-execute
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 41b75ee81..9f5f7a7a8 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -5,6 +5,7 @@
 0ad
 2048-qt
 Builder
+Cheese
 Cryptocat
 Cyberfox
 Discord
@@ -93,6 +94,7 @@ calligrawords
 catfish
 celluloid
 checkbashisms
+cheese
 cherrytree
 chromium
 chromium-browser
@@ -198,6 +200,9 @@ freeciv-gtk3
 freeciv-mp-gtk3
 freecol
 freemind
+freeoffice-planmaker
+freeoffice-presentations
+freeoffice-textmaker
 freshclam
 frozen-bubble
 gajim
@@ -254,6 +259,7 @@ gpa
 gpicview
 gpredict
 gradio
+gramps
 gthumb
 guayadeque
 gucharmap
@@ -385,6 +391,7 @@ netactview
 nethack
 netsurf
 neverball
+newsboat
 nheko
 nitroshare
 nitroshare-cli
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 54f6ea023..7ca72bf30 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -111,6 +111,7 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
+                        PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 #undef PARSE_YESNO
 
                         // netfilter
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b2c18d79f..2e04084e3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -702,6 +702,7 @@ enum {
         CFG_ARP_PROBES,
         CFG_XPRA_ATTACH,
         CFG_BROWSER_DISABLE_U2F,
+        CFG_BROWSER_ALLOW_DRM,
         CFG_PRIVATE_LIB,
         CFG_APPARMOR,
         CFG_DBUS,
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 667b03652..c8619f7e2 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -151,10 +151,15 @@ static int check_disable_u2f(void) {
         return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0;
 }
 
+static int check_allow_drm(void) {
+        return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
+}
+
 Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NODBUS", check_nodbus},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
+        {"BROWSER_ALLOW_DRM", check_allow_drm},
         { NULL, NULL }
 };
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index dde815d05..20b547355 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS and BROWSER_DISABLE_U2F.
+Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F, and BROWSER_ALLOW_DRM.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.