13 files changed, 141 insertions, 67 deletions

diff --git a/README.md b/README.md
index 609533a91..df594a465 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ prefix your command with “firejail”:
 
 `````
 $ firejail firefox            # starting Mozilla Firefox
-$ firejail transmission-gtk   # starting Transmission BitTorrent 
+$ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
@@ -88,5 +88,5 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto
 gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather,
 goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
 simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
-xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, 
-PDFSam, Pithos, Xonotic, wireshark
+xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
+PDFSam, Pithos, Xonotic, wireshark, keepassx2
diff --git a/RELNOTES b/RELNOTES
index 064553f98..fbfd99093 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,9 +16,9 @@ firejail (0.9.45) baseline; urgency=low
   * feature: config support for firejail prompt in terminal
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
-  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, 
+  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
   * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
-  * new profies: Xonotic, wireshark
+  * new profies: Xonotic, wireshark, keepassx2
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
 
@@ -32,7 +32,7 @@ firejail (0.9.44) baseline; urgency=low
   * feature: support starting/joining sandbox is a single command
     (--join-or-start)
   * feature: X11 detection support for --audit
-  * feature: assign a name to the interface connected to the bridge 
+  * feature: assign a name to the interface connected to the bridge
     (--veth-name)
   * feature: all user home directories are visible (--allusers)
   * feature: add files to sandbox container (--put)
@@ -265,7 +265,7 @@ firejail (0.9.24) baseline; urgency=low
   * two build patches from Reiner Herman (tickets 11, 12)
   * man page patch from Reiner Herman (ticket 13)
   * output patch (ticket 15) from sshirokov
-  
+
  -- netblue30 <netblue30@yahoo.com>  Sun, 5 Apr 2015 08:00:00 -0500
 
 firejail (0.9.22) baseline; urgency=low
@@ -330,7 +330,7 @@ firejail (0.9.16) baseline; urgency=low
  -- netblue30 <netblue30@yahoo.com>  Tue, 4 Nov 2014 10:00:00 -0500
 
 firejail (0.9.14) baseline; urgency=low
-  * Linux capabilities and seccomp filters are automatically enabled in 
+  * Linux capabilities and seccomp filters are automatically enabled in
     chroot mode (--chroot option) if the sandbox is started as regular user
   * Added support for user defined seccomp blacklists
   * Added syscall trace support
@@ -382,7 +382,7 @@ firejail (0.9.8.1) baseline; urgency=low
   * FIxed a number of bugs introduced in 0.9.8
 
  -- netblue30 <netblue30@yahoo.com>  Fri, 25 Jul 2014 07:25:00 -0500
-  
+
 firejail (0.9.8) baseline; urgency=low
   * Implemented nowrap mode for firejail --list command option
   * Added --top option in both firejail and firemon
@@ -391,7 +391,7 @@ firejail (0.9.8) baseline; urgency=low
   * bugfixes
 
  -- netblue30 <netblue30@yahoo.com>  Tue, 24 Jul 2014 08:51:00 -0500
-  
+
 firejail (0.9.6) baseline; urgency=low
 
   * Mounting tmpfs on top of /var/log, required by several server programs
@@ -430,7 +430,7 @@ firejail (0.9.2) baseline; urgency=low
   * Added an expect-based testing framework for the project
   * Added bash completion support
   * Added support for multiple networks
-  
+
  -- netblue30 <netblue30@yahoo.com>  Fri, 25 Apr 2014 08:00:00 -0500
 
 firejail (0.9) baseline; urgency=low
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 2da44a67c..efe5c850d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -39,19 +39,19 @@ blacklist /usr/share/applications/veracrypt.*
 blacklist /usr/share/pixmaps/veracrypt.*
 blacklist ${HOME}/.VeraCrypt
 
-# TrueCrypt                                                                                                                                                                                                         
-blacklist ${PATH}/truecrypt                                                                                                                                                                                         
-blacklist ${PATH}/truecrypt-uninstall.sh                                                                                                                                                                            
-blacklist /usr/share/truecrypt                                                                                                                                                                                      
-blacklist /usr/share/applications/truecrypt.*                                                                                                                                                                       
-blacklist /usr/share/pixmaps/truecrypt.*                                                                                                                                                                            
-blacklist ${HOME}/.TrueCrypt 
-
-# zuluCrypt                                                                                                                                                                                                         
-blacklist ${HOME}/.zuluCrypt                                                                                                                                                                                        
-blacklist ${HOME}/.zuluCrypt-socket                                                                                                                                                                                 
-blacklist ${PATH}/zuluCrypt-cli                                                                                                                                                                                     
-blacklist ${PATH}/zuluMount-cli                                                                                                                                                                                                                                                                                                                                                              
+# TrueCrypt
+blacklist ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt-uninstall.sh
+blacklist /usr/share/truecrypt
+blacklist /usr/share/applications/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
+blacklist ${HOME}/.TrueCrypt
+
+# zuluCrypt
+blacklist ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt-socket
+blacklist ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluMount-cli
 
 # var
 blacklist /var/spool/cron
@@ -154,7 +154,7 @@ blacklist /etc/ssh
 blacklist /var/backup
 blacklist /home/.ecryptfs
 
-# system directories    
+# system directories
 blacklist /sbin
 blacklist /usr/sbin
 blacklist /usr/local/sbin
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index a9ca487c5..279a65d6e 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -148,7 +148,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.conkeror.mozdev.org 
+blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
new file mode 100644
index 000000000..d8621773f
--- /dev/null
+++ b/etc/keepassx2.profile
@@ -0,0 +1,22 @@
+# keepassx password manager profile
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+ 
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 97e7cf884..57657f208 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -111,6 +111,7 @@
 /etc/firejail/keepass.profile
 /etc/firejail/keepass2.profile
 /etc/firejail/keepassx.profile
+/etc/firejail/keepassx2.profile
 /etc/firejail/kmail.profile
 /etc/firejail/konversation.profile
 /etc/firejail/less.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c4f52e256..fe65a5077 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -190,6 +190,7 @@ ranger
 keepass
 keepass2
 keepassx
+keepassx2
 pluma
 tracker
 wireshark
@@ -204,4 +205,3 @@ gnome-weather
 ark
 atool
 file-roller
-
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index adddf626b..890f281aa 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -532,29 +532,35 @@ void fs_proc_sys_dev_boot(void) {
         disable_file(BLACKLIST_FILE, "/dev/port");
 
         
-        // disable various ipc sockets
-        struct stat s; 
 
-        // disable /run/user/{uid}/gnupg
-        char *fnamegpg;
-        if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
-                errExit("asprintf");
-        if (stat(fnamegpg, &s) == -1) 
-            mkdir_attr(fnamegpg, 0700, getuid(), getgid());
-        if (stat(fnamegpg, &s) == 0)
-                disable_file(BLACKLIST_FILE, fnamegpg);
-        free(fnamegpg);
-
-        // disable /run/user/{uid}/systemd
-        char *fnamesysd;
-        if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+        // disable various ipc sockets in /run/user
+        struct stat s; 
+        
+        char *fname;
+        if (asprintf(&fname, "/run/usr/%d", getuid()) == -1)
                 errExit("asprintf");
-        if (stat(fnamesysd, &s) == -1) 
-                mkdir_attr(fnamesysd, 0755, getuid(), getgid());
-        if (stat(fnamesysd, &s) == 0)
-                disable_file(BLACKLIST_FILE, fnamesysd);
-        free(fnamesysd);
-
+        if (is_dir(fname)) { // older distros don't have this directory
+                // disable /run/user/{uid}/gnupg
+                char *fnamegpg;
+                if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+                        errExit("asprintf");
+                if (stat(fnamegpg, &s) == -1) 
+                    mkdir_attr(fnamegpg, 0700, getuid(), getgid());
+                if (stat(fnamegpg, &s) == 0)
+                        disable_file(BLACKLIST_FILE, fnamegpg);
+                free(fnamegpg);
+                
+                // disable /run/user/{uid}/systemd
+                char *fnamesysd;
+                if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+                        errExit("asprintf");
+                if (stat(fnamesysd, &s) == -1) 
+                        mkdir_attr(fnamesysd, 0755, getuid(), getgid());
+                if (stat(fnamesysd, &s) == 0)
+                        disable_file(BLACKLIST_FILE, fnamesysd);
+                free(fnamesysd);
+        }
+        free(fname);
         
 // todo: investigate
 #if 0
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp
index 00b0204ae..dc8c80569 100755
--- a/test/fcopy/dircopy.exp
+++ b/test/fcopy/dircopy.exp
@@ -21,30 +21,58 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "dest/"
 }
+after 100
+
+send -- "find dest\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "dest/"
+}
+after 100
+
+send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "dest/a"
 }
+after 100
+
+send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "dest/a/b"
 }
+after 100
+
+send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "dest/a/b/file4"
 }
+after 100
+
+send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "dest/a/file3"
 }
+after 100
+
+send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "dest/dircopy.exp"
 }
+after 100
+
+send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "dest/file2"
 }
+after 100
+
+send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "dest/file1"
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp
index 4dadeacb1..6a1ad535c 100755
--- a/test/fs/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -34,6 +34,7 @@ expect {
         "3" {puts "3\n"}
         "4" {puts "4\n"}
         "5" {puts "5\n"}
+        "6" {puts "6\n"}
 }
 
 sleep 1
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index a19d5cedf..a2002bc0a 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -14,7 +14,7 @@ expect {
 }
 sleep 1
 
-send -- "ls -l /dev | find /dev | wc -l\r"
+send -- "find /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "2"
@@ -23,17 +23,17 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --whitelist=/var/tmp --debug\r"
+send -- "firejail --private-dev --debug\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "ls -l /dev | find /dev | wc -l\r"
+send -- "ls -l /dev | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "2"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "13"
 }
 after 100
 send -- "exit\r"
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp
index ca2e57313..0a6f46102 100755
--- a/test/utils/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -7,18 +7,34 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --cpu=1,2\r"
+send -- "firejail --name=test --cpu=0\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 2
+sleep 1
+send -- "cat /proc/self/status | grep Cpus\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Cpus_allowed_list:     0"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --name=test --cpu=1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
 
 spawn $env(SHELL)
 send -- "firejail --cpu.print=test\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Cpus_allowed_list:     1-2"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Cpus_allowed_list:     1"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index 78a04b273..eedc0f23f 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -53,15 +53,15 @@ expect {
 sleep 1
 
 send -- "firejail --trace wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 8.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.2\n";exit}
-        "bash:open /dev/tty" {puts "OK\n";}
-        "bash:open64 /dev/tty" {puts "OK\n";}
-}
+#expect {
+#       timeout {puts "TESTING ERROR 8.1\n";exit}
+#       "Child process initialized"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 8.2\n";exit}
+#       "bash:open /dev/tty" {puts "OK\n";}
+#       "bash:open64 /dev/tty" {puts "OK\n";}
+#}
 expect {
         timeout {puts "TESTING ERROR 8.3\n";exit}
         "wget:fopen64 /etc/wgetrc" {puts "OK\n";}