17 files changed, 105 insertions, 10 deletions

diff --git a/README b/README
index 1bb84e8df..2ddd309bd 100644
--- a/README
+++ b/README
@@ -368,6 +368,8 @@ John Mullee (https://github.com/jmullee)
 Jonas Heinrich (https://github.com/onny)
         - added signal-desktop profile
         - fixed franz profile
+Jose Riha (https://github.com/jose1711)
+        - added meteo-qt profile
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
diff --git a/README.md b/README.md
index f6e4ead8c..c11402386 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,10 @@ FAQ: https://firejail.wordpress.com/support/
 Travis-CI status: https://travis-ci.org/netblue30/firejail
 
 
+## Security vulnerabilities
+
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
+
 ## Compile and install
 `````
 $ git clone https://github.com/netblue30/firejail.git
@@ -95,7 +99,9 @@ If you keep additional Firejail security profiles in a public repository, please
 
 Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
 
-We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory .
+You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls).
+
+We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
 `````
 
 `````
@@ -107,6 +113,6 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf,
 dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, freemind,
 gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gramps, gsettings, inkview kid3, kid3-cli, kid3-qt, lincity-ng, lugaru,
-Maelstrom, manaplus, megaglest, mp3splt-gtk, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol,
+Maelstrom, manaplus, megaglest, meteo-qt, mp3splt-gtk, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol,
 pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof,
 sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
diff --git a/RELNOTES b/RELNOTES
index 32a98b8e3..508511621 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -15,7 +15,7 @@ firejail (0.9.60~rc2) baseline; urgency=low
   * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
   * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
   * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
-  * new profiles: inkview, mp3splt-gtk
+  * new profiles: inkview, meteo-qt, mp3splt-gtk
   * memory-deny-write-execute now also blocks memfd_create
   * drop support for flatpak/snap packages
  -- netblue30 <netblue30@yahoo.com>  Sun, 21 Apr 2019 08:00:00 -0500
diff --git a/etc/firejail.config b/etc/firejail.config
index 497d9633e..92df8ad1a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
 # Enable or disable file transfer support, default enabled.
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 2f4626891..04409a5e4 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 47e6e5265..51662b59c 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
-#shell none
+shell none
 tracelog
 
 # private-bin gpg,gpg-agent
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index cd9f6c767..fc54a0716 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none - causes gpg to hang
+shell none
 tracelog
 
 disable-mnt
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index e847719cf..71e5d625d 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -17,6 +17,8 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef FIRECFG_H
+#define FIRECFG_H
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <sys/types.h>
@@ -48,3 +50,5 @@ void sound(void);
 
 // desktop_files.c
 void fix_desktop_files(char *homedir);
+
+#endif
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index bbdf279ce..f904d65d2 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -316,6 +316,7 @@ extern int arg_notv;	// --notv
 extern int arg_nodvd;   // --nodvd
 extern int arg_nou2f;   // --nou2f
 extern int arg_nodbus; // -nodbus
+extern int arg_deterministic_exit_code; // always exit with first childs exit status
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2c7290854..7ac88f5a5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -126,6 +126,7 @@ int arg_notv = 0;	// --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
+int arg_deterministic_exit_code = 0;    // always exit with first childs exit status
 int login_shell = 0;
 
 
@@ -2290,6 +2291,9 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+                else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
+                        arg_deterministic_exit_code = 1;
+                }
                 else {
                         // double dash - positional params to follow
                         if (strcmp(argv[i], "--") == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 801c8ba4c..8d228fae6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1313,6 +1313,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strcmp(ptr, "deterministic-exit-code") == 0) {
+                arg_deterministic_exit_code = 1;
+                return 0;
+        }
+
         // rest of filesystem
         if (strncmp(ptr, "blacklist ", 10) == 0)
                 ptr += 10;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 250247f8a..58245fa38 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -271,6 +271,7 @@ static int monitor_application(pid_t app_pid) {
         }
 
         int status = 0;
+        int app_status = 0;
         while (monitored_pid) {
                 usleep(20000);
                 char *msg;
@@ -295,6 +296,8 @@ static int monitor_application(pid_t app_pid) {
                                 sleep(1);
                                 break;
                         }
+                        else if (rv == app_pid)
+                                app_status = status;
 
                         // handle --timeout
                         if (options) {
@@ -352,8 +355,8 @@ static int monitor_application(pid_t app_pid) {
                         printf("Sandbox monitor: monitoring %d\n", monitored_pid);
         }
 
-        // return the latest exit status.
-        return status;
+        // return the appropriate exit status.
+        return arg_deterministic_exit_code ? app_status : status;
 }
 
 static void print_time(void) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index a8d5bfdda..af3bac839 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -66,6 +66,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --defaultgw=address - configure default gateway.\n"
 #endif
+        "    --deterministic-exit-code - always exit with first childs status code.\n"
         "    --dns=address - set DNS server.\n"
         "    --dns.print=name|pid - print DNS configuration.\n"
         "    --env=name=value - set environment variable.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 23007725a..d3a563abd 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -667,6 +667,10 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
+.TP
+\fBdeterministic-exit-code
+Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1fa2a6546..c4e8b9175 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -410,6 +410,10 @@ Example:
 $ firejail \-\-disable-mnt firefox
 
 .TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.
diff --git a/test/environment/deterministic-exit-code.exp b/test/environment/deterministic-exit-code.exp
new file mode 100755
index 000000000..165b9ebe0
--- /dev/null
+++ b/test/environment/deterministic-exit-code.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "53"
+}
+after 100
+
+send -- "firejail --deterministic-exit-code\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "35"
+}
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 85d6c0873..5b4aa32f4 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -116,3 +116,6 @@ echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
+
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+./deterministic-exit-code.exp