12 files changed, 44 insertions, 10 deletions
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 444478149..bdd5404f5 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,9 +6,7 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
-mkdir ${HOME}/.purple
 noblacklist ${HOME}/.purple
-whitelist ${HOME}/.purple
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
@@ -20,6 +18,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.purple
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index baa41e85e..b046b3279 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,7 +19,7 @@
 */
 #include "firejail.h"
-void dbus_session_disable(void) {
+void dbus_disable(void) {
        if (!checkcfg(CFG_DBUS)) {
                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
                return;
@@ -43,6 +43,9 @@ void dbus_session_disable(void) {
        free(path);
        free(env_var);
+        // blacklist also system D-Bus socket
+        disable_file_or_dir("/run/dbus/system_bus_socket");
        // look for a possible abstract unix socket
        // --net=none
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2e04084e3..e0f3a6a16 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -782,6 +782,6 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 // dbus.c
-void dbus_session_disable(void);
+void dbus_disable(void);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f9d968427..bf7c0a4b2 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,7 +27,11 @@
 #include <glob.h>
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index e35bf073d..b44d09acc 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -22,7 +22,6 @@
 #include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -31,6 +30,11 @@
 #include <grp.h>
 //#include <ftw.h>
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 static void skel(const char *homedir, uid_t u, gid_t g) {
        char *fname;
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index d128065d3..bce44b9e5 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -24,9 +24,13 @@
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // mountinfo functionality test;
 // 1. enable TEST_MOUNTINFO definition
 // 2. run firejail --whitelist=/any/directory
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 0717b2044..7369ad247 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,7 +19,11 @@
 */
 #include "firejail.h"
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_BUF 4096
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 26beaf35a..e3f237b8e 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,7 +24,11 @@
 #include <sys/mount.h>
 #include <dirent.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 101a16d00..9f0a5f25c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,7 +923,7 @@ int sandbox(void* sandbox_arg) {
        // Session D-BUS
        //****************************
        if (arg_nodbus)
-                dbus_session_disable();
+                dbus_disable();
        //****************************
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3e2cd13d5..fff0bbf2f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,7 +29,11 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index b0ed10b30..9d821d980 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -31,7 +31,11 @@
 #include <sys/wait.h>
 #include <errno.h>
 #include <limits.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // Parse the DISPLAY environment variable and return a display number.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b56dedcd..8f6948ef4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1107,9 +1107,11 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
+Disable D-Bus access (both system and session buses). Only the regular
-disable the abstract socket you would need to request a new network namespace using
+UNIX sockets are handled by this command. To disable the abstract
-\-\-net command. Another option is to remove unix from \-\-protocol set.
+sockets you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from \-\-protocol
+set.
 .br
 .br