Merge branch 'master' of https://github.com/netblue30/firejail

author: smitsohu <smitsohu@gmail.com> 2018-10-13 21:58:52 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-10-13 21:58:52 +0200
commit: f64ec79cd3dc91f19ebf8c41306e812548102b1f (patch)
tree: f6a5958418ac6e41ec00064eb69f7df013b2f5d6
parent: improve clean_pathname() function: drop realloc (diff)
parent: Update gnome-pie profile (#2191) (diff)
download: firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.tar.gz
firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.tar.zst
firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.zip
46 files changed, 508 insertions, 18 deletions
diff --git a/README b/README
index 5f1bb35c5..c122a006b 100644
--- a/README
+++ b/README
@@ -123,6 +123,8 @@ bn0785ac (https://github.com/bn0785ac)
        - fix inox, add snox profile
 BogDan Vatra (https://github.com/bog-dan-ro)
        - zoom profile
+Brad Ackerman
+        - blacklist Bitwarden config in disable-passwdmgr.inc
 Bruno Nova (https://github.com/brunonova)
        - whitelist fix
        - bash arguments fix
@@ -277,7 +279,13 @@ glitsj16 (https://github.com/glitsj16)
        - profile fixes: file, strings, claws-mail,
        - new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
        - new profiles: devilspie, devilspie2, easystroke, github-desktop, min
-        - new profiles: bsdcat, bsdcpio, bsdtar, lzmadec
+        - new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
+        - new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
+        - new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
+        - new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
+        - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
+        - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
+        - new profiles: masterpdfeditor
 graywolf (https://github.com/graywolf)
        - spelling fix
 greigdp (https://github.com/greigdp)
diff --git a/README.md b/README.md
index cb6c62d69..8ce9a84fa 100644
--- a/README.md
+++ b/README.md
@@ -134,5 +134,8 @@ The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase
 # New profiles:
 QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min,
-bsdcat, bsdcpio, bsdtar, lzmadec
+bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep,
+lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat, xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore,
+lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh, nirtoshare-send, nitroshare-ui, mencoder, gnome-pie,
+masterpdfeditor
diff --git a/RELNOTES b/RELNOTES
index 3ae5fe5de..85f0c2b7a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,7 +3,13 @@ firejail (0.9.56.1) baseline; urgency=low
  * --disable-mnt rework
  * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
  * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
-  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec
+  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
+  * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
+  * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
+  * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
+  * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
+  * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
+  * new profiles: masterpdfeditor
 -- netblue30 <netblue30@yahoo.com>  Thu, 11 Oct 2018 08:00:00 -0500
 firejail (0.9.56) baseline; urgency=low
diff --git a/etc/artha.profile b/etc/artha.profile
new file mode 100644
index 000000000..befe9295f
--- /dev/null
+++ b/etc/artha.profile
@@ -0,0 +1,46 @@
+# Firejail profile for artha
+# Description: A free cross-platform English thesaurus based on WordNet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/artha.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/enchant
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-bin artha,enchant,notify-send
+private-cache
+private-dev
+private-etc fonts
+private-lib libnotify.so.*
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 6ef11780e..19fd871d3 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-passwdmgr.local
+blacklist ${HOME}/.config/Bitwarden
 blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 251362b77..0f48a320b 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -52,6 +52,7 @@ blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
@@ -72,6 +73,7 @@ blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/MusE
 blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
+blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QMediathekView
@@ -91,6 +93,7 @@ blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
+blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
@@ -142,6 +145,7 @@ blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
+blacklist ${HOME}/.config/gnome-pie
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
@@ -191,6 +195,7 @@ blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/nheko
+blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onionshare
@@ -458,6 +463,7 @@ blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
+blacklist ${HOME}/.masterpdfeditor
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
diff --git a/etc/gnome-pie.profile b/etc/gnome-pie.profile
new file mode 100644
index 000000000..41f6de346
--- /dev/null
+++ b/etc/gnome-pie.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome-pie
+# Description: Alternative AppMenu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-pie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/gnome-pie
+#include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+#include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+#include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lbunzip2.profile b/etc/lbunzip2.profile
new file mode 100644
index 000000000..180eea2c8
--- /dev/null
+++ b/etc/lbunzip2.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/gzip.profile
diff --git a/etc/lbzcat.profile b/etc/lbzcat.profile
new file mode 100644
index 000000000..180eea2c8
--- /dev/null
+++ b/etc/lbzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/gzip.profile
diff --git a/etc/lbzip2.profile b/etc/lbzip2.profile
new file mode 100644
index 000000000..180eea2c8
--- /dev/null
+++ b/etc/lbzip2.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/gzip.profile
diff --git a/etc/lzcat.profile b/etc/lzcat.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzcmp.profile b/etc/lzcmp.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzdiff.profile b/etc/lzdiff.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzegrep.profile b/etc/lzegrep.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzfgrep.profile b/etc/lzfgrep.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzgrep.profile b/etc/lzgrep.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzip.profile b/etc/lzip.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzip.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzless.profile b/etc/lzless.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzma.profile b/etc/lzma.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzmainfo.profile b/etc/lzmainfo.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzmainfo.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/lzmore.profile b/etc/lzmore.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/lzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
new file mode 100644
index 000000000..cc80679fc
--- /dev/null
+++ b/etc/masterpdfeditor.profile
@@ -0,0 +1,50 @@
+# Firejail profile for masterpdfeditor
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.masterpdfeditor
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# disable-mnt
+# private
+private-bin masterpdfeditor*
+private-cache
+private-dev
+private-etc fonts
+# private-lib
+private-tmp
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/masterpdfeditor4.profile b/etc/masterpdfeditor4.profile
new file mode 100644
index 000000000..7ab9c9421
--- /dev/null
+++ b/etc/masterpdfeditor4.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor4
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor4.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/masterpdfeditor.profile
diff --git a/etc/masterpdfeditor5.profile b/etc/masterpdfeditor5.profile
new file mode 100644
index 000000000..86faf5da0
--- /dev/null
+++ b/etc/masterpdfeditor5.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor5
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor5.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/masterpdfeditor.profile
diff --git a/etc/mencoder.profile b/etc/mencoder.profile
new file mode 100644
index 000000000..9306d268e
--- /dev/null
+++ b/etc/mencoder.profile
@@ -0,0 +1,28 @@
+# Firejail profile for mencoder
+# Description: Free command line video decoding, encoding and filtering tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mencoder.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+net none
+no3d
+nodbus
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+private-bin mencoder
+include /etc/firejail/mplayer.profile
diff --git a/etc/nitroshare-cli.profile b/etc/nitroshare-cli.profile
new file mode 100644
index 000000000..a9ad197e9
--- /dev/null
+++ b/etc/nitroshare-cli.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/nitroshare.profile
diff --git a/etc/nitroshare-nmh.profile b/etc/nitroshare-nmh.profile
new file mode 100644
index 000000000..a9ad197e9
--- /dev/null
+++ b/etc/nitroshare-nmh.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/nitroshare.profile
diff --git a/etc/nitroshare-send.profile b/etc/nitroshare-send.profile
new file mode 100644
index 000000000..a9ad197e9
--- /dev/null
+++ b/etc/nitroshare-send.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/nitroshare.profile
diff --git a/etc/nitroshare-ui.profile b/etc/nitroshare-ui.profile
new file mode 100644
index 000000000..a9ad197e9
--- /dev/null
+++ b/etc/nitroshare-ui.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/nitroshare.profile
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
new file mode 100644
index 000000000..f02599ac6
--- /dev/null
+++ b/etc/nitroshare.profile
@@ -0,0 +1,50 @@
+# Firejail profile for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/nitroshare.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/Nathan Osman
+noblacklist ${HOME}/.config/NitroShare
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+disable-mnt
+private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
+private-cache
+private-dev
+private-etc ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+private-tmp
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/unlzma.profile b/etc/unlzma.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/unlzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/unxz.profile b/etc/unxz.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/unxz.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzcat.profile b/etc/xzcat.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzcmp.profile b/etc/xzcmp.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzdiff.profile b/etc/xzdiff.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzegrep.profile b/etc/xzegrep.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzfgrep.profile b/etc/xzfgrep.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzgrep.profile b/etc/xzgrep.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzless.profile b/etc/xzless.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/etc/xzmore.profile b/etc/xzmore.profile
new file mode 100644
index 000000000..cd79eebc6
--- /dev/null
+++ b/etc/xzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cpio.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index ddc4b676d..dba078ca2 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -35,6 +35,7 @@ ardour5
 arduino
 ark
 arm
+artha
 # atom
 # atom-beta
 asunder
@@ -270,6 +271,8 @@ lximage-qt
 lxmusic
 lynx
 macrofusion
+masterpdfeditor4
+masterpdfeditor5
 mate-calc
 mate-calculator
 mate-color-select
@@ -305,6 +308,7 @@ ncdu
 netsurf
 neverball
 nheko
+nitroshare
 nylas
 obs
 odt2txt
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cae767667..441042233 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -32,6 +32,7 @@
 #define RUN_FIREJAIL_DIR        "/run/firejail"
 #define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR            "/run/firejail/lib"
 #define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
@@ -790,16 +791,32 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
-#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNET_MAIN (LIBDIR "/firejail/fnet")                // when called from main thread
-#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet")        // when called from sandbox thread
+//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
+#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+//#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp")
+// FSEC_PRINT is run outside of sandbox by --seccomp.print
+// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
-#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
-#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
+#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
+//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-#define PATH_FLDD (LIBDIR "/firejail/fldd")
+//#define PATH_FLDD (LIBDIR "/firejail/fldd")
+#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0)                      // run the sandbox as root
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index ea5edfabe..2c21e5dc7 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -38,6 +38,7 @@ typedef struct liblist_t {
 static LibList libc_list[] = {
        { "libselinux.so.", 0 },
+        { "libapparmor.so.", 0},
        { "ld-linux-x86-64.so.", 0 },
        { "libanl.so.", 0 },
        { "libc.so.", 0 },
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index e3c750767..cdb4c6514 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -157,7 +157,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
        char *cstr;
        if (asprintf(&cstr, "%d", child) == -1)
                errExit("asprintf");
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr);
        free(cstr);
        char *msg;
@@ -332,42 +332,42 @@ void network_main(pid_t child) {
                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
                }
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
        }
        if (cfg.bridge1.configured) {
                if (cfg.bridge1.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
        }
        if (cfg.bridge2.configured) {
                if (cfg.bridge2.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
        }
        if (cfg.bridge3.configured) {
                if (cfg.bridge3.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
                else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
        }
        // move interfaces in sandbox
        if (cfg.interface0.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr);
        }
        if (cfg.interface1.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr);
        }
        if (cfg.interface2.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr);
        }
        if (cfg.interface3.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr);
        }
        free(cstr);
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index f519ed85f..236f7f427 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,6 +62,10 @@ void preproc_build_firejail_dir(void) {
                create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
        }
+        if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+        }
        if (stat(RUN_MNT_DIR, &s)) {
                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
        }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8eede6f93..3abeb174e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -587,6 +587,9 @@ int sandbox(void* sandbox_arg) {
        }
        // ... and mount a tmpfs on top of /run/firejail/mnt directory
        preproc_mount_mnt_dir();
+        // bind-mount firejail binaries and helper programs
+        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+                errExit("mounting " RUN_FIREJAIL_LIB_DIR);
        //****************************
        // log sandbox data
author	smitsohu <smitsohu@gmail.com>	2018-10-13 21:58:52 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-10-13 21:58:52 +0200
commit	f64ec79cd3dc91f19ebf8c41306e812548102b1f (patch)
tree	f6a5958418ac6e41ec00064eb69f7df013b2f5d6
parent	improve clean_pathname() function: drop realloc (diff)
parent	Update gnome-pie profile (#2191) (diff)
download	firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.tar.gz firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.tar.zst firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.zip