--build fixes

5 files changed, 119 insertions, 43 deletions

diff --git a/README b/README
index eb8a8e374..99beaf694 100644
--- a/README
+++ b/README
@@ -278,6 +278,7 @@ David Thole (https://github.com/TheDarkTrumpet)
 Davide Beatrici (https://github.com/davidebeatrici)
         - steam.profile: correctly blacklist unneeded directories in user's home
         - minetest fixes
+        - map /dev/input with "--private-dev", add "--no-input" option to disable it
 David Hyrule (https://github.com/Svaag)
         - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
@@ -553,6 +554,7 @@ Kishore96in (https://github.com/Kishore96in)
         - okular profile fixes
         -  jitsi-meet-desktop profile
         - konversatin profile fix
+        - added Neochat profile
 KOLANICH (https://github.com/KOLANICH)
         - added symlink fixer fix_private-bin.py in contrib section
         - update fix_private-bin.py
@@ -619,6 +621,8 @@ Melvin Vermeeren (https://github.com/melvinvermeeren)
         - added --noautopulse command line option
 Michael Haas (https://github.com/mhaas)
         - bugfixes
+Michael Hoffmann (https://github.com/brisad)
+        - added support for subdirs in private-etc
 Mike Frysinger (vapier@gentoo.org)
         - Gentoo compile patch
 mirabellette (https://github.com/mirabellette)
diff --git a/README.md b/README.md
index 4de1c2bc8..40e9eff41 100644
--- a/README.md
+++ b/README.md
@@ -336,3 +336,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c
 sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
 ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
 pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
+neochat
diff --git a/RELNOTES b/RELNOTES
index fb384a419..788d5781a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -12,6 +12,8 @@ firejail (0.9.65) baseline; urgency=low
   * compile time: --enable-force-nonewprivs
   * compile time: --disable-output
   * compile time: --enable-lts
+  * subdirs support in private-etc
+  * input devices support in private-dev, --no-input
   * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
   * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
   * avidemux, calligragemini, vmware-player, vmware-workstation
@@ -22,7 +24,8 @@ firejail (0.9.65) baseline; urgency=low
   * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper,
   * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
   * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
-  * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper
+  * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper,
+  * neochat
  -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index ac0cd455a..b35380b96 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -177,6 +177,74 @@ void build_var(const char *fname, FILE *fp) {
 //*******************************************
 // usr/share directory
 //*******************************************
+// todo: load the list from whitelist-usr-share-common.inc
+static char *share_skip[] = {
+        "/usr/share/alsa",
+        "/usr/share/applications",
+        "/usr/share/ca-certificates",
+        "/usr/share/crypto-policies",
+        "/usr/share/cursors",
+        "/usr/share/dconf",
+        "/usr/share/distro-info",
+        "/usr/share/drirc.d",
+        "/usr/share/enchant",
+        "/usr/share/enchant-2",
+        "/usr/share/file",
+        "/usr/share/fontconfig",
+        "/usr/share/fonts",
+        "/usr/share/fonts-config",
+        "/usr/share/gir-1.0",
+        "/usr/share/gjs-1.0",
+        "/usr/share/glib-2.0",
+        "/usr/share/glvnd",
+        "/usr/share/gtk-2.0",
+        "/usr/share/gtk-3.0",
+        "/usr/share/gtk-engines",
+        "/usr/share/gtksourceview-3.0",
+        "/usr/share/gtksourceview-4",
+        "/usr/share/hunspell",
+        "/usr/share/hwdata",
+        "/usr/share/icons",
+        "/usr/share/icu",
+        "/usr/share/knotifications5",
+        "/usr/share/kservices5",
+        "/usr/share/Kvantum",
+        "/usr/share/kxmlgui5",
+        "/usr/share/libdrm",
+        "/usr/share/libthai",
+        "/usr/share/locale",
+        "/usr/share/mime",
+        "/usr/share/misc",
+        "/usr/share/Modules",
+        "/usr/share/myspell",
+        "/usr/share/p11-kit",
+        "/usr/share/perl",
+        "/usr/share/perl5",
+        "/usr/share/pixmaps",
+        "/usr/share/pki",
+        "/usr/share/plasma",
+        "/usr/share/publicsuffix",
+        "/usr/share/qt",
+        "/usr/share/qt4",
+        "/usr/share/qt5",
+        "/usr/share/qt5ct",
+        "/usr/share/sounds",
+        "/usr/share/tcl8.6",
+        "/usr/share/tcltk",
+        "/usr/share/terminfo",
+        "/usr/share/texlive",
+        "/usr/share/texmf",
+        "/usr/share/themes",
+        "/usr/share/thumbnail.so",
+        "/usr/share/uim",
+        "/usr/share/vulkan",
+        "/usr/share/X11",
+        "/usr/share/xml",
+        "/usr/share/zenity",
+        "/usr/share/zoneinfo",
+        NULL
+};
+
 static FileDB *share_out = NULL;
 static void share_callback(char *ptr) {
         // extract the directory:
@@ -195,8 +263,17 @@ static void share_callback(char *ptr) {
         if (p2)
                 *p2 = '\0';
 
-        // store the file
-        share_out = filedb_add(share_out, ptr);
+        int i = 0;
+        int found = 0;
+        while (share_skip[i]) {
+                if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) {
+                        found = 1;
+                        break;
+                }
+                i++;
+        }
+        if (!found)
+                share_out = filedb_add(share_out, ptr);
 }
 
 void build_share(const char *fname, FILE *fp) {
@@ -252,40 +329,36 @@ void build_tmp(const char *fname, FILE *fp) {
 // dev directory
 //*******************************************
 static char *dev_skip[] = {
+        "/dev/stdin",
+        "/dev/stdout",
+        "/dev/stderr",
         "/dev/zero",
         "/dev/null",
         "/dev/full",
         "/dev/random",
         "/dev/urandom",
+        "/dev/sr0",
+        "/dev/cdrom",
+        "/dev/cdrw",
+        "/dev/dvd",
+        "/dev/dvdrw",
+        "/dev/fd",
+        "/dev/pts",
+        "/dev/ptmx",
+        "/dev/log",
+
+        "/dev/aload",   // old ALSA devices, not covered in private-dev
+        "/dev/dsp",             // old OSS device, deprecated
+
         "/dev/tty",
         "/dev/snd",
         "/dev/dri",
-        "/dev/pts",
-        "/dev/nvidia0",
-        "/dev/nvidia1",
-        "/dev/nvidia2",
-        "/dev/nvidia3",
-        "/dev/nvidia4",
-        "/dev/nvidia5",
-        "/dev/nvidia6",
-        "/dev/nvidia7",
-        "/dev/nvidia8",
-        "/dev/nvidia9",
-        "/dev/nvidiactl",
-        "/dev/nvidia-modeset",
-        "/dev/nvidia-uvm",
-        "/dev/video0",
-        "/dev/video1",
-        "/dev/video2",
-        "/dev/video3",
-        "/dev/video4",
-        "/dev/video5",
-        "/dev/video6",
-        "/dev/video7",
-        "/dev/video8",
-        "/dev/video9",
+        "/dev/nvidia",
+        "/dev/video",
         "/dev/dvb",
-        "/dev/sr0",
+        "/dev/hidraw",
+        "/dev/usb",
+        "/dev/input",
         NULL
 };
 
@@ -295,7 +368,7 @@ static void dev_callback(char *ptr) {
         int i = 0;
         int found = 0;
         while (dev_skip[i]) {
-                if (strcmp(ptr, dev_skip[i]) == 0) {
+                if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) {
                         found = 1;
                         break;
                 }
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 0c1b57384..100630eb9 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -160,24 +160,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
                 fprintf(fp, "### home directory whitelisting\n");
                 build_home(trace_output, fp);
-                fprintf(fp, "\n");
 
-                fprintf(fp, "### filesystem\n");
-                fprintf(fp, "### /usr/share:\n");
+                fprintf(fp, "\n### /usr/share:\n");
                 build_share(trace_output, fp);
-                fprintf(fp, "### /var:\n");
+                fprintf(fp, "\n### /var:\n");
                 build_var(trace_output, fp);
-                fprintf(fp, "### /bin:\n");
+                fprintf(fp, "\n### /bin:\n");
                 build_bin(trace_output, fp);
-                fprintf(fp, "### /dev:\n");
+                fprintf(fp, "\n### /dev:\n");
                 build_dev(trace_output, fp);
-                fprintf(fp, "### /etc:\n");
+                fprintf(fp, "\n### /etc:\n");
                 build_etc(trace_output, fp);
-                fprintf(fp, "### /tmp:\n");
+                fprintf(fp, "\n### /tmp:\n");
                 build_tmp(trace_output, fp);
-                fprintf(fp, "\n");
 
-                fprintf(fp, "### security filters\n");
+                fprintf(fp, "\n### security filters\n");
                 fprintf(fp, "caps.drop all\n");
                 fprintf(fp, "nonewprivs\n");
                 fprintf(fp, "seccomp\n");
@@ -189,13 +186,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                         fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
                 else
                         build_seccomp(strace_output, fp);
-                fprintf(fp, "\n");
 
-                fprintf(fp, "### network\n");
+                fprintf(fp, "\n### network\n");
                 build_protocol(trace_output, fp);
-                fprintf(fp, "\n");
 
-                fprintf(fp, "### environment\n");
+                fprintf(fp, "\n### environment\n");
                 fprintf(fp, "shell none\n");
 
                 if (!arg_debug) {