22 files changed, 120 insertions, 2 deletions
diff --git a/README.md b/README.md
index 255384e2e..ba8ae77ac 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,69 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.51
+## Whitelisting /var
+Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
+send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
+## Profile build  tool
+`````
+$ firejail --build appname
+`````
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+Example:
+`````
+$ firejail --build vlc ~/Videos/test.mp4
+[...]
+############################################
+# vlc profile
+############################################
+# Persistent global definitions
+# include /etc/firejail/globals.local
+### basic blacklisting
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
+### home directory whitelisting
+whitelist ~/Videos
+whitelist ~/.local/share/vlc
+whitelist ~/.config/vlc
+include /etc/firejail/whitelist-common.inc
+### filesystem
+private-tmp
+private-dev
+private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
+whitelist /var/lib/menu-xdg
+### security filters
+caps.drop all
+nonewprivs
+seccomp
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
+# 82 syscalls total
+# Probably you will need to add more syscalls to seccomp.keep. Look for
+# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
+# running your sandbox.
+### network
+protocol unix,netlink,
+net none
+### environment
+shell none
+$
+`````
 ## New command line options
 `````
      --writable-run-user
diff --git a/RELNOTES b/RELNOTES
index 85c554b32..d4302c134 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.51) baseline; urgency=low
  * work in progress!
  * feature: --writable-run-user
+  * feature: profile build tool (--build)
 -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
 firejail (0.9.50~rc1) baseline; urgency=low
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 498f3b6ee..5fc585d90 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 noblacklist ~/.config/catfish
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
+whitelist /var/lib/mlocate
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 9be99e68a..0c7058a11 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.keep sys_chroot,sys_admin
 netfilter
diff --git a/etc/evince.profile b/etc/evince.profile
index 5c6215bb2..f503b9a8e 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1bd45ebd1..f65b020a9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 37f147f0f..dbc22a889 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/galculator
 whitelist ~/.config/galculator
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
diff --git a/etc/gimp.profile b/etc/gimp.profile
index aa77d6105..292c2aac9 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 nodvd
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 6547c73df..326222426 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 1d24f5d7d..3266d8230 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index e7557651b..c9addba21 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 36365fc2f..60205ffda 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 0592751ef..eb8a88a4b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 0bb721c64..6a8d6c679 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist  ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 08964bbab..4db8e19ce 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist  ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/vlc.profile b/etc/vlc.profile
index bccde7a3d..c3a4d58d0 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 # nogroups
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index ba4b91451..ef95a7e5e 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -16,6 +16,7 @@ whitelist ~/.drirc
 whitelist ~/.mime.types
 whitelist ~/.local/share/applications
 read-only ~/.local/share/applications
+whitelist ~/.config/ibus
 # fonts
 whitelist ~/.fonts
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc
new file mode 100644
index 000000000..bd3473acc
--- /dev/null
+++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+# common /var whitelist for all profiles
+whitelist /var/lib/dbus
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index d0e236e61..af6547f7f 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
 /etc/firejail/zoom.profile
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
+/etc/firejail/whitelist-var-common.inc
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 76281a54d..dcd86e069 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -148,7 +148,11 @@ void build_etc(const char *fname) {
 //*******************************************
 static FileDB *var_out = NULL;
 static void var_callback(char *ptr) {
-        if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
+        if (strcmp(ptr, "/var/lib") == 0)
+                ;
+        else if (strcmp(ptr, "/var/cache") == 0)
+                ;
+        else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
                var_out = filedb_add(var_out, "/var/lib/menu-xdg");
        else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
                var_out = filedb_add(var_out, "/var/cache/fontconfig");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index fc7dbd69c..f09eb6416 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
        printf("    --blacklist=filename - blacklist directory or file.\n");
+        printf("    --build - build a whitelisted profile for the application.\n");
        printf("    -c - execute command and exit.\n");
        printf("    --caps - enable default Linux capabilities filter.\n");
        printf("    --caps.drop=all - drop all capabilities.\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2dd3abbb7..f205bfa30 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
+\fB\-\-build
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+.br
+.br
+Example:
+.br
+$ firejail --build vlc ~/Videos/test.mp4
+.TP
 \fB\-c
 Execute command and exit.
 .TP

diff --git a/README.md b/README.md index 255384e2e..ba8ae77ac 100644 --- a/README.md +++ b/README.md
@@ -98,6 +98,69 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
98	`````	98	`````
99	# Current development version: 0.9.51	99	# Current development version: 0.9.51
100		100
		101	## Whitelisting /var
		102
		103	Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
		104	send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
		105
		106	## Profile build tool
		107	`````
		108	$ firejail --build appname
		109	`````
		110	The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
		111	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
		112	with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
		113	in order to allow strace to run. Chromium and Chromium-based browsers will not work.
		114
		115	Example:
		116	`````
		117	$ firejail --build vlc ~/Videos/test.mp4
		118
		119	[...]
		120
		121	############################################
		122	# vlc profile
		123	############################################
		124	# Persistent global definitions
		125	# include /etc/firejail/globals.local
		126
		127	### basic blacklisting
		128	include /etc/firejail/disable-common.inc
		129	# include /etc/firejail/disable-devel.inc
		130	include /etc/firejail/disable-passwdmgr.inc
		131	# include /etc/firejail/disable-programs.inc
		132
		133	### home directory whitelisting
		134	whitelist ~/Videos
		135	whitelist ~/.local/share/vlc
		136	whitelist ~/.config/vlc
		137	include /etc/firejail/whitelist-common.inc
		138
		139	### filesystem
		140	private-tmp
		141	private-dev
		142	private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
		143	whitelist /var/lib/menu-xdg
		144
		145	### security filters
		146	caps.drop all
		147	nonewprivs
		148	seccomp
		149	# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
		150	# 82 syscalls total
		151	# Probably you will need to add more syscalls to seccomp.keep. Look for
		152	# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
		153	# running your sandbox.
		154
		155	### network
		156	protocol unix,netlink,
		157	net none
		158
		159	### environment
		160	shell none
		161	$
		162	`````
		163
101	## New command line options	164	## New command line options
102	`````	165	`````
103	--writable-run-user	166	--writable-run-user


diff --git a/RELNOTES b/RELNOTES index 85c554b32..d4302c134 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,6 +1,7 @@
1	firejail (0.9.51) baseline; urgency=low	1	firejail (0.9.51) baseline; urgency=low
2	* work in progress!	2	* work in progress!
3	* feature: --writable-run-user	3	* feature: --writable-run-user
		4	* feature: profile build tool (--build)
4	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500	5	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500
5		6
6	firejail (0.9.50~rc1) baseline; urgency=low	7	firejail (0.9.50~rc1) baseline; urgency=low


diff --git a/etc/catfish.profile b/etc/catfish.profile index 498f3b6ee..5fc585d90 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local
8	# We can't blacklist much since catfish	8	# We can't blacklist much since catfish
9	# is for finding files/content	9	# is for finding files/content
10	noblacklist ~/.config/catfish	10	noblacklist ~/.config/catfish
		11	include /etc/firejail/disable-common.inc
		12	# include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-passwdmgr.inc
		14	include /etc/firejail/disable-programs.inc
11		15
12	include /etc/firejail/disable-devel.inc	16	whitelist /var/lib/mlocate
		17	include /etc/firejail/whitelist-var-common.inc
13		18
14	caps.drop all	19	caps.drop all
15	net none	20	net none


diff --git a/etc/chromium.profile b/etc/chromium.profile index 9be99e68a..0c7058a11 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
23	whitelist ~/.config/chromium-flags.conf	23	whitelist ~/.config/chromium-flags.conf
24	whitelist ~/.pki	24	whitelist ~/.pki
25	include /etc/firejail/whitelist-common.inc	25	include /etc/firejail/whitelist-common.inc
		26	include /etc/firejail/whitelist-var-common.inc
26		27
27	caps.keep sys_chroot,sys_admin	28	caps.keep sys_chroot,sys_admin
28	netfilter	29	netfilter


diff --git a/etc/evince.profile b/etc/evince.profile index 5c6215bb2..f503b9a8e 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	no3d	19	no3d


diff --git a/etc/firefox.profile b/etc/firefox.profile index 1bd45ebd1..f65b020a9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
59	whitelist ~/.zotero	59	whitelist ~/.zotero
60	whitelist ~/dwhelper	60	whitelist ~/dwhelper
61	include /etc/firejail/whitelist-common.inc	61	include /etc/firejail/whitelist-common.inc
		62	include /etc/firejail/whitelist-var-common.inc
62		63
63	caps.drop all	64	caps.drop all
64	netfilter	65	netfilter


diff --git a/etc/galculator.profile b/etc/galculator.profile index 37f147f0f..dbc22a889 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
15	mkdir ~/.config/galculator	15	mkdir ~/.config/galculator
16	whitelist ~/.config/galculator	16	whitelist ~/.config/galculator
17	include /etc/firejail/whitelist-common.inc	17	include /etc/firejail/whitelist-common.inc
		18	include /etc/firejail/whitelist-var-common.inc
18		19
19	caps.drop all	20	caps.drop all
20	net none	21	net none


diff --git a/etc/gimp.profile b/etc/gimp.profile index aa77d6105..292c2aac9 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
		14	include /etc/firejail/whitelist-var-common.inc
		15
14	caps.drop all	16	caps.drop all
15	net none	17	net none
16	nodvd	18	nodvd


diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 6547c73df..326222426 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13	include /etc/firejail/whitelist-common.inc	13	include /etc/firejail/whitelist-common.inc
		14	include /etc/firejail/whitelist-var-common.inc
14		15
15	caps.drop all	16	caps.drop all
16	netfilter	17	netfilter


diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 1d24f5d7d..3266d8230 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	nodvd	19	nodvd


diff --git a/etc/leafpad.profile b/etc/leafpad.profile index e7557651b..c9addba21 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	no3d	19	no3d


diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 36365fc2f..60205ffda 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	nodvd	19	nodvd


diff --git a/etc/mpv.profile b/etc/mpv.profile index 0592751ef..eb8a88a4b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
16	caps.drop all	18	caps.drop all
17	netfilter	19	netfilter
18	nogroups	20	nogroups


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0bb721c64..6a8d6c679 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
19	whitelist ~/.cache/transmission	19	whitelist ~/.cache/transmission
20	whitelist ~/.config/transmission	20	whitelist ~/.config/transmission
21	include /etc/firejail/whitelist-common.inc	21	include /etc/firejail/whitelist-common.inc
		22	include /etc/firejail/whitelist-var-common.inc
22		23
23	caps.drop all	24	caps.drop all
24	netfilter	25	netfilter


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 08964bbab..4db8e19ce 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
19	whitelist ~/.cache/transmission	19	whitelist ~/.cache/transmission
20	whitelist ~/.config/transmission	20	whitelist ~/.config/transmission
21	include /etc/firejail/whitelist-common.inc	21	include /etc/firejail/whitelist-common.inc
		22	include /etc/firejail/whitelist-var-common.inc
22		23
23	caps.drop all	24	caps.drop all
24	netfilter	25	netfilter


diff --git a/etc/vlc.profile b/etc/vlc.profile index bccde7a3d..c3a4d58d0 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	# nogroups	19	# nogroups


diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index ba4b91451..ef95a7e5e 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc
@@ -16,6 +16,7 @@ whitelist ~/.drirc
16	whitelist ~/.mime.types	16	whitelist ~/.mime.types
17	whitelist ~/.local/share/applications	17	whitelist ~/.local/share/applications
18	read-only ~/.local/share/applications	18	read-only ~/.local/share/applications
		19	whitelist ~/.config/ibus
19		20
20	# fonts	21	# fonts
21	whitelist ~/.fonts	22	whitelist ~/.fonts


diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc new file mode 100644 index 000000000..bd3473acc --- /dev/null +++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,10 @@
		1	# Local customizations come here
		2	include /etc/firejail/whitelist-var-common.local
		3
		4	# common /var whitelist for all profiles
		5
		6	whitelist /var/lib/dbus
		7	whitelist /var/lib/menu-xdg
		8	whitelist /var/cache/fontconfig
		9	whitelist /var/tmp
		10	whitelist /var/run


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d0e236e61..af6547f7f 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
357	/etc/firejail/zoom.profile	357	/etc/firejail/zoom.profile
358	/etc/firejail/yandex-browser.profile	358	/etc/firejail/yandex-browser.profile
359	/etc/firejail/itch.profile	359	/etc/firejail/itch.profile
		360	/etc/firejail/whitelist-var-common.inc


diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 76281a54d..dcd86e069 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c
@@ -148,7 +148,11 @@ void build_etc(const char *fname) {
148	//*******************************************	148	//*******************************************
149	static FileDB *var_out = NULL;	149	static FileDB *var_out = NULL;
150	static void var_callback(char *ptr) {	150	static void var_callback(char *ptr) {
151	if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)	151	if (strcmp(ptr, "/var/lib") == 0)
		152	;
		153	else if (strcmp(ptr, "/var/cache") == 0)
		154	;
		155	else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
152	var_out = filedb_add(var_out, "/var/lib/menu-xdg");	156	var_out = filedb_add(var_out, "/var/lib/menu-xdg");
153	else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)	157	else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
154	var_out = filedb_add(var_out, "/var/cache/fontconfig");	158	var_out = filedb_add(var_out, "/var/cache/fontconfig");


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index fc7dbd69c..f09eb6416 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
44	printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");	44	printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
45	#endif	45	#endif
46	printf(" --blacklist=filename - blacklist directory or file.\n");	46	printf(" --blacklist=filename - blacklist directory or file.\n");
		47	printf(" --build - build a whitelisted profile for the application.\n");
47	printf(" -c - execute command and exit.\n");	48	printf(" -c - execute command and exit.\n");
48	printf(" --caps - enable default Linux capabilities filter.\n");	49	printf(" --caps - enable default Linux capabilities filter.\n");
49	printf(" --caps.drop=all - drop all capabilities.\n");	50	printf(" --caps.drop=all - drop all capabilities.\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2dd3abbb7..f205bfa30 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
154	.br	154	.br
155	$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines	155	$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
156	.TP	156	.TP
		157	\fB\-\-build
		158	The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
		159	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
		160	with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
		161	in order to allow strace to run. Chromium and Chromium-based browsers will not work.
		162	.br
		163
		164	.br
		165	Example:
		166	.br
		167	$ firejail --build vlc ~/Videos/test.mp4
		168	.TP
157	\fB\-c	169	\fB\-c
158	Execute command and exit.	170	Execute command and exit.
159	.TP	171	.TP