14 files changed, 56 insertions, 32 deletions

diff --git a/etc/asunder.profile b/etc/asunder.profile
index ce68f8897..0fbc3a158 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -10,8 +10,6 @@ noblacklist ${HOME}/.asunder_album_genre
 noblacklist ${HOME}/.asunder_album_title
 noblacklist ${HOME}/.asunder_album_artist
 
-
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -29,7 +27,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-
 #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
diff --git a/etc/atool.profile b/etc/atool.profile
index c2e772f9d..4cc3f02de 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/brasero.profile b/etc/brasero.profile
index f90d4688a..90a7b176e 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 0660137e0..ca38ed1b8 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.frozen-bubble
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin frozen-bubble
 private-dev
 # private-etc none
diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile
index 9c94404d1..9e8f2a241 100644
--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -30,6 +30,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+disable-mnt
 private-dev
 private-tmp
 
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 331bfa939..191f8d87b 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.openinvaders
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 65aeedd86..ec7eff632 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.pingus
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 89d1f2925..8b4113d2f 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.simutrans
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 5a6227a8a..c973783a9 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,ld.so.cache,machine-id,pulse,resolv.conf
+private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf
 private-opt spotify
 private-tmp
 
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 2b5bb07c3..d60d7fa5f 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.local/share/supertux2
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin supertux2
 private-dev
 # private-etc none
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 3d27134c4..ea25938d3 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -1,7 +1,7 @@
 # Firejail profile for terasology
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/default.local
+include /etc/firejail/terasology.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index dad9befd3..38db165e8 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -835,12 +835,24 @@ int main(int argc, char **argv) {
         // get starting timestamp
         start_timestamp = getticks();
 
+        if (check_arg(argc, argv, "--quiet", 1))
+                arg_quiet = 1;
+
         // build /run/firejail directory structure
         preproc_build_firejail_dir();
-        preproc_clean_run();
+        char *container_name = getenv("container");
+        if (!container_name || strcmp(container_name, "firejail")) {
+                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+                if (lockfd_directory != -1) {
+                        int rv = fchown(lockfd_directory, 0, 0);
+                        (void) rv;
+                        flock(lockfd_directory, LOCK_EX);
+                }
+                preproc_clean_run();
+                flock(lockfd_directory, LOCK_UN);
+                close(lockfd_directory);
+        }
 
-        if (check_arg(argc, argv, "--quiet", 1))
-                arg_quiet = 1;
         if (check_arg(argc, argv, "--allow-debuggers", 1)) {
                 // check kernel version
                 struct utsname u;
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 1f4cf9e54..45399bd48 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -107,6 +107,31 @@ void preproc_mount_mnt_dir(void) {
         }
 }
 
+static void clean_dir(const char *name, int *pidarr, int start_pid, int max_pids) {
+        DIR *dir;
+        if (!(dir = opendir(name))) {
+                fwarning("cannot clean %s directory\n", name);
+                return; // we live to fight another day!
+        }
+
+        // clean leftover files
+        struct dirent *entry;
+        char *end;
+        while ((entry = readdir(dir)) != NULL) {
+                pid_t pid = strtol(entry->d_name, &end, 10);
+                pid %= max_pids;
+                if (end == entry->d_name || *end)
+                        continue;
+
+                if (pid < start_pid)
+                        continue;
+                if (pidarr[pid] == 0)
+                        delete_run_files(pid);
+        }
+        closedir(dir);
+}
+
+
 // clean run directory
 void preproc_clean_run(void) {
         int max_pids=32769;
@@ -153,29 +178,9 @@ void preproc_clean_run(void) {
         }
         closedir(dir);
 
-        // open /run/firejail/profile directory
-        if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
-                // sleep 2 seconds and try again
-                sleep(2);
-                if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
-                        fprintf(stderr, "Error: cannot open %s directory\n", RUN_FIREJAIL_PROFILE_DIR);
-                        exit(1);
-                }
-        }
-
-        // read /run/firejail/profile directory and clean leftover files
-        while ((entry = readdir(dir)) != NULL) {
-                pid_t pid = strtol(entry->d_name, &end, 10);
-                pid %= max_pids;
-                if (end == entry->d_name || *end)
-                        continue;
-
-                if (pid < start_pid)
-                        continue;
-                if (pidarr[pid] == 0)
-                        delete_run_files(pid);
-        }
-        closedir(dir);
+        // clean profile and name directories
+        clean_dir(RUN_FIREJAIL_PROFILE_DIR, pidarr, start_pid, max_pids);
+        clean_dir(RUN_FIREJAIL_NAME_DIR, pidarr, start_pid, max_pids);
 
         free(pidarr);
 }
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index 42303c07b..57a0e19df 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -70,8 +70,8 @@ void delete_run_files(pid_t pid) {
         delete_bandwidth_run_file(pid);
         delete_network_run_file(pid);
         delete_name_run_file(pid);
-        delete_profile_run_file(pid);
         delete_x11_run_file(pid);
+        delete_profile_run_file(pid);
 }
 
 void set_name_run_file(pid_t pid) {