adding mincore syscall to the default seccomp filter and some independent profiles

10 files changed, 24 insertions, 8 deletions

diff --git a/README.md b/README.md
index a86e24388..35b712667 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,13 @@ The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase
 
 ## New profiles:
 
+`````
+$ ls etc/*.profile | wc -l
+608
+`````
+We have more than 600 application profiles on mainline!
+
+
 QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min,
 bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep,
 lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat, xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore,
diff --git a/RELNOTES b/RELNOTES
index 0ba81018e..381f9ebb8 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,12 @@ firejail (0.9.56.1) baseline; urgency=low
   * work in progress
   * --disable-mnt rework
   * --net.print command
+  * GitLab CI/CD integration: disto specific builds
+  * profile parser enhancements and conditional handling support
+     for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
+  * profile name support
+  * added explicit nonewprivs support to join option
+  * add mincore syscall to default seccomp list
   * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
   * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
   * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 147b0de4b..1cf478ead 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 
 private-dev
 private-tmp
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index ad8a0a0b7..288afa8a2 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -40,7 +40,7 @@ noroot
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 #disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
 #tracelog
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 1f8403ef1..85eb74998 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
diff --git a/etc/mpd.profile b/etc/mpd.profile
index e06b83aa9..c532edeb2 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -30,7 +30,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 shell none
 
 #private-bin mpd,bash
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index ac9f9bfd9..7193a04ed 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -41,5 +41,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index a9244683f..dd444103e 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 3b10c4473..b17d86a0b 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -168,7 +168,10 @@ static const SyscallGroupList sysgroups[] = {
           "umount,"
 #endif
 #ifdef SYS_userfaultfd
-          "userfaultfd"
+          "userfaultfd,"
+#endif
+#ifdef SYS_mincore      // 0.9.57
+          "mincore"
 #endif
         },
         { .name = "@default-nodebuggers", .list =
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2d0bd26d0..0d402ef36 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1700,7 +1700,7 @@ Enable seccomp filter and blacklist the syscalls in the default list (@default).
 _sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
 create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
 io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, mincore, move_pages, mpx,
 name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
 personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
 query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,