18 files changed, 205 insertions, 45 deletions

diff --git a/README b/README
index 7384a8c99..368feb827 100644
--- a/README
+++ b/README
@@ -435,6 +435,7 @@ Pixel Fairy (https://github.com/xahare)
 PizzaDude (https://github.com/pizzadude)
         - add mpv support to smplayer
         - added profile for torbrowser-launcher
+        - added profile for sayonara and qmmp
 probonopd (https://github.com/probonopd)
         - automatic build on Travis CI
 pshpsh (https://github.com/pshpsh)
diff --git a/README.md b/README.md
index cb040852a..3c53809c5 100644
--- a/README.md
+++ b/README.md
@@ -337,10 +337,10 @@ enable/disable apparmor functionality globally. By default the flag is enabled.
 AppArmor deployment: we are starting apparmor by default for the following programs:
 - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
 - torrent clients: transmission-qt, transmission-gtk, qbittorrent
-- media players: vlc, mpv, audacious, kodi, smplayer
+- media players: mpv, audacious, kodi, smplayer
 - media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot
 - archive managers: ark, engrampa, file-roller
-- etc.: digikam, libreoffice, okular, gwenview, galculator, kcalc
+- etc.: digikam, okular, gwenview, galculator, kcalc
 
 Checking apparmor status:
 `````
@@ -376,4 +376,4 @@ gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.
 thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
 enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
 aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
-AnyDesk, webstorm, xmind
+AnyDesk, webstorm, xmind, qmmp, sayonara
diff --git a/RELNOTES b/RELNOTES
index 4945e3d3c..f73793740 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -34,6 +34,7 @@ firejail (0.9.54~rc1) baseline; urgency=low
   * private-dev support for overlay and chroot sandboxes
   * private-tmp support for overlay and chroot sandboxes
   * added sandbox name support in firemon
+  * firemon/prctl enhancements
   * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
   * new profiles: discord-canary, pycharm-community, pycharm-professional,
   * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
@@ -43,7 +44,8 @@ firejail (0.9.54~rc1) baseline; urgency=low
   * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
   * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
   * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
-  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind
+  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
+  * new profiles: qmmp, sayonara
  -- netblue30 <netblue30@yahoo.com>  Sun, 6 May 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ea334c289..c7605d660 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
 blacklist ${HOME}/.PyCharm*
+blacklist ${HOME}/.Sayonara
 blacklist ${HOME}/.Skype
 blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 9ebcdba6c..b0de1f1a3 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -35,7 +35,8 @@ notv
 protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
-tracelog
+#disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
+#tracelog
 
 disable-mnt
 private-dev
diff --git a/etc/picard.profile b/etc/picard.profile
index 9e0d4ab55..484b0e6b2 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -9,7 +9,9 @@ noblacklist ${HOME}/.cache/MusicBrainz
 noblacklist ${HOME}/.config/MusicBrainz
 
 # Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/qmmp.profile b/etc/qmmp.profile
new file mode 100644
index 000000000..d785ddbbe
--- /dev/null
+++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for qmmp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/qmmp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.qmmp
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+# no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qmmp
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/sayonara.profile b/etc/sayonara.profile
new file mode 100644
index 000000000..756bd99eb
--- /dev/null
+++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/sayonara.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.Sayonara
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin sayonara
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index a63798731..a33707ee4 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
+private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tclsh,test,tor-browser-en,torbrowser-launcher
 private-dev
 private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index da8937717..1bfc9e66e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -316,6 +316,7 @@ psi-plus
 qbittorrent
 qemu-launcher
 qlipper
+qmmp
 qpdfview
 qtox
 quassel
@@ -333,6 +334,7 @@ ristretto
 rocketchat
 rtorrent
 runenpass.sh
+sayonara
 scallion
 scribus
 sdat2img
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index efc0dfd8d..d873a36f5 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -794,6 +794,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_NETWORK (1 << 4)      // caps filter for programs running network programs
 #define SBOX_ALLOW_STDIN (1 << 5)               // don't close stdin
 #define SBOX_STDIN_FROM_FILE (1 << 6)   // open file and redirect it to stdin
+#define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ea0631da5..0562c7424 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -484,29 +484,44 @@ void fs_rdonly(const char *dir) {
 
 static void fs_rdwr(const char *dir) {
         assert(dir);
-        // check directory exists
+        // check directory exists and ensure we have a resolved path
+        // the resolved path allows to run a sanity check after the mount
+        char *path = realpath(dir, NULL);
+        if (path == NULL)
+                return;
+        // allow only user owned directories, except the user is root
+        uid_t u = getuid();
         struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                // if the file is outside /home directory, allow only root user
-                uid_t u = getuid();
-                if (u != 0 && s.st_uid != u) {
-                        fwarning("you are not allowed to change %s to read-write\n", dir);
-                        return;
-                }
-
-                // mount --bind /bin /bin
-                // mount --bind -o remount,rw /bin
-                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & MS_RDONLY) == 0)
-                        return;
-                flags &= ~MS_RDONLY;
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
-                fs_logger2("read-write", dir);
+        int rv = stat(path, &s);
+        if (rv) {
+                free(path);
+                return;
+        }
+        if (u != 0 && s.st_uid != u) {
+                fwarning("you are not allowed to change %s to read-write\n", path);
+                free(path);
+                return;
+        }
+        // mount --bind /bin /bin
+        // mount --bind -o remount,rw /bin
+        unsigned long flags = 0;
+        get_mount_flags(path, &flags);
+        if ((flags & MS_RDONLY) == 0) {
+                free(path);
+                return;
         }
+        flags &= ~MS_RDONLY;
+        if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, path, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                errExit("mount read-write");
+        fs_logger2("read-write", path);
+
+        // run a check on /proc/self/mountinfo to validate the mount
+        MountData *mptr = get_last_mount();
+        if (strncmp(mptr->dir, path, strlen(path)) != 0)
+                errLogExit("invalid read-write mount");
+
+        free(path);
 }
 
 void fs_noexec(const char *dir) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2e47dd938..9d28f3352 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -551,21 +551,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
         else if (strcmp(argv[i], "--list") == 0) {
                 if (pid_hidepid())
-                        sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+                        sbox_run(SBOX_ROOT| SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                 else
                         sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                 exit(0);
         }
         else if (strcmp(argv[i], "--tree") == 0) {
                 if (pid_hidepid())
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                 else
                         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                 exit(0);
         }
         else if (strcmp(argv[i], "--top") == 0) {
                 if (pid_hidepid())
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                                 2, PATH_FIREMON, "--top");
                 else
                         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
@@ -577,7 +577,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 if (checkcfg(CFG_NETWORK)) {
                         struct stat s;
                         if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
-                                sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                                         2, PATH_FIREMON, "--netstats");
                         else
                                 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index eaaba86c0..15d44e4cc 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -178,10 +178,10 @@ void pulseaudio_init(void) {
 
                 // check /proc/self/mountinfo to confirm the mount is ok
                 MountData *mptr = get_last_mount();
-                if (strncmp(mptr->dir, homeusercfg, strlen(homeusercfg)) != 0)
-                        errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, homeusercfg);
-                if (strncmp(mptr->fstype, "tmpfs", 5) != 0)
-                        errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype);
+                if (strcmp(mptr->dir, homeusercfg) != 0)
+                        errLogExit("invalid pulseaudio mount");
+                if (strcmp(mptr->fstype, "tmpfs") != 0)
+                        errLogExit("invalid pulseaudio mount");
 
                 char *p;
                 if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 53df20a54..c11daad58 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -166,6 +166,13 @@ int sbox_run(unsigned filter, int num, ...) {
                         caps_set(set);
 #endif
                 }
+                else if (filter & SBOX_CAPS_HIDEPID) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE;
+                        set |=  ((uint64_t) 1) << CAP_SYS_PACCT;
+                        caps_set(set);
+#endif
+                }
 
                 if (filter & SBOX_SECCOMP) {
                         if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0eace3215..ec8775370 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1196,10 +1196,11 @@ void x11_xorg(void) {
 
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
-        if (strncmp(mptr->dir, dest, strlen(dest)) != 0)
-                errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, dest);
-        if (strncmp(mptr->fstype, "tmpfs", 5) != 0)
-                errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype);
+        if (strcmp(mptr->dir, dest) != 0)
+                errLogExit("invalid .Xauthority mount");
+        if (strcmp(mptr->fstype, "tmpfs") != 0)
+                errLogExit("invalid .Xauthority mount");
+
         free(dest);
 #endif
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 301e5397b..5b16191be 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -94,10 +94,21 @@ static int pid_is_firejail(pid_t pid) {
                 // list of firejail arguments that don't trigger sandbox creation
                 // the initial -- is not included
                 char *exclude_args[] = {
-                        "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls",
-                        "debug-errnos", "debug-protocols", "protocol.print",  "debug.caps",
-                        "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps",
-                        "fs.print", "get", "overlay-clean", NULL
+                        // all print options
+                        "apparmor.print", "caps.print", "cpu.print", "dns.print", "fs.print", "netfilter.print",
+                        "netfilter6.print", "profile.print", "protocol.print", "seccomp.print",
+                        // debug
+                        "debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls",
+                        // file transfer
+                        "ls", "get", "put",
+                        // stats
+                        "tree", "list", "top",
+                        // network
+                        "netstats", "bandwidth",
+                        // etc
+                        "help", "version", "overlay-clean",
+
+                        NULL // end of list marker
                 };
 
                 int i;
@@ -291,6 +302,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                                 child %= max_pids;
                                                 pids[child].level = pids[pid].level + 1;
                                                 pids[child].uid = pid_get_uid(child);
+                                                pids[child].parent = pid;
                                         }
                                         sprintf(lineptr, " fork");
                                         break;
@@ -318,12 +330,22 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                         sprintf(lineptr, " exit");
                                         break;
 
+
+
                                 case PROC_EVENT_UID:
                                         pid = proc_ev->event_data.id.process_tgid;
 #ifdef DEBUG_PRCTL
         printf("%s: %d, event uid, pid %d\n", __FUNCTION__, __LINE__, pid);
 #endif
-                                        sprintf(lineptr, " uid ");
+                                        if (pids[pid].level == 1 ||
+                                            pids[pids[pid].parent].level == 1) {
+                                                sprintf(lineptr, "\n");
+                                                continue;
+                                        }
+                                        else
+                                                sprintf(lineptr, " uid (%d:%d)",
+                                                        proc_ev->event_data.id.r.ruid,
+                                                        proc_ev->event_data.id.e.euid);
                                         break;
 
                                 case PROC_EVENT_GID:
@@ -331,9 +353,19 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 #ifdef DEBUG_PRCTL
         printf("%s: %d, event gid, pid %d\n", __FUNCTION__, __LINE__, pid);
 #endif
-                                        sprintf(lineptr, " gid ");
+                                        if (pids[pid].level == 1 ||
+                                            pids[pids[pid].parent].level == 1) {
+                                                sprintf(lineptr, "\n");
+                                                continue;
+                                        }
+                                        else
+                                                sprintf(lineptr, " gid (%d:%d)",
+                                                        proc_ev->event_data.id.r.rgid,
+                                                        proc_ev->event_data.id.e.egid);
                                         break;
 
+
+
                                 case PROC_EVENT_SID:
                                         pid = proc_ev->event_data.sid.process_tgid;
 #ifdef DEBUG_PRCTL
diff --git a/test/hidepid-howto b/test/hidepid-howto
new file mode 100644
index 000000000..f207c9109
--- /dev/null
+++ b/test/hidepid-howto
@@ -0,0 +1,27 @@
+1. Find an unused user group for hidepid exception:
+
+$ id
+uid=1000(netblue) gid=100(users) groups=100(users),10(wheel),90(network),
+92(audio),93(optical),95(storage),98(power)
+
+From /etc/group I pick up a group I am not part of:
+
+$ cat /etc/group
+[...]
+xmms2:x:618:
+rtkit:x:133:
+vboxsf:x:109:
+git:x:617:
+[...]
+
+I'll use group 618 (xmms2)
+
+2. Set hidepid and allow xmms2 users to bypass hidepid
+
+$ sudo mount -o remount,rw,hidepid=2,gid=618 /proc
+$ cat /proc/mounts | grep proc
+proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=618,hidepid=2 0 0
+
+3. Test "firejail --list", "firejail --top", "firejail --tree", "firejail --netstats"
+
+