13 files changed, 67 insertions, 11 deletions

diff --git a/README b/README
index beb5e61d9..41db7fc8e 100644
--- a/README
+++ b/README
@@ -411,6 +411,8 @@ smithsohu (https://github.com/smitsohu)
         - fixed device discovery for simple-scan
         - add novideo support in many profiles
         - improve server profiles, harden musescore
+        - snap profile cleanup
+        - tighten some capability sets further
 soredake (https://github.com/soredake)
         - fix steam startup with >=llvm-4
 SpotComms (https://github.com/SpotComms)
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index a1ccfbe22..86af9c7b3 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 no3d
 nodvd
 nonewprivs
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index ce159c343..d4cd0530e 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
+# caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
 no3d
 nodvd
 nonewprivs
diff --git a/etc/snap.profile b/etc/snap.profile
index 238dffeab..38aef7c23 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -14,5 +14,3 @@ include /etc/firejail/disable-programs.inc
 whitelist ${DOWNLOADS}
 whitelist ~/snap
 include /etc/firejail/whitelist-common.inc
-nodvd
-notv
diff --git a/etc/unbound.profile b/etc/unbound.profile
index afc903e88..2a38aa7c6 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
 nonewprivs
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 57f4f2f5b..f1a17ba93 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
-# caps.drop all
+caps.keep dac_override,net_admin,net_raw
 netfilter
 no3d
 # nogroups - breaks unprivileged wireshark usage
@@ -21,6 +21,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 # protocol unix,inet,inet6,netlink
 # seccomp - breaks unprivileged wireshark usage
 shell none
diff --git a/gcov.sh b/gcov.sh
index 092b755af..df1fcb51b 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -8,12 +8,13 @@ gcov_init() {
         /usr/lib/firejail/fseccomp --help > /dev/null
         /usr/lib/firejail/ftee --help > /dev/null
         /usr/lib/firejail/fcopy --help > /dev/null
+        /usr/lib/firejail/fldd --help > /dev/null
         firecfg --help > /dev/null
         sudo chown $USER:$USER `find .`
 }
 
 generate() {
-        lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-new
+        lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
         lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new  --output-file gcov-file
         rm -fr gcov-dir
         genhtml -q gcov-file --output-directory gcov-dir
@@ -24,7 +25,7 @@ generate() {
 
 
 gcov_init
-lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-old
+lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file-old
 
 #make test-environment
 #generate
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8074fcd74..656942440 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -107,7 +107,9 @@ static void set_caps(void) {
                 caps_default_filter();
         
         // drop discretionary access control capabilities for root sandboxes
-        caps_drop_dac_override();
+        // if caps.keep, the user has to set it manually in the list
+        if (!arg_caps_keep)
+                caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
diff --git a/src/fldd/main.c b/src/fldd/main.c
index 947c6b4ae..5fda45266 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -265,6 +265,11 @@ printf("\n");
         }
 
 
+        if (strcmp(argv[1], "--help") == 0) {
+                usage();
+                return 0;
+        }
+
         // check program access
         if (access(argv[1], R_OK)) {
                 fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]);
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index abdedb957..d0692b2ef 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -110,7 +110,6 @@ static const SyscallGroupList sysgroups[] = {
         { .name = "@default", .list =
           "@cpu-emulation,"
           "@debug,"
-          "@module,"
           "@obsolete,"
           "@privileged,"
           "@resources,"
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 9e7ead3c9..e67ccc476 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -28,6 +28,9 @@ echo "TESTING: kmsg access (test/fs/kmsg.exp)"
 echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
 ./fs_var_tmp.exp
 
+echo "TESTING: private-lib (test/fs/private-lib.exp)"
+./private-lib.exp
+
 echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
 ./fs_var_lock.exp
 
diff --git a/test/fs/private-lib.exp b/test/fs/private-lib.exp
new file mode 100755
index 000000000..dd418da0f
--- /dev/null
+++ b/test/fs/private-lib.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo \r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "find /bin; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "rm" {puts "TESTING ERROR 3\n";exit}
+        "cp" {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+after 100
+
+send -- "find /lib; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "modules" {puts "TESTING ERROR 6\n";exit}
+        "firmware" {puts "TESTING ERROR 7\n";exit}
+        "libc.so"
+}
+after 100
+
+send -- "find /usr/lib; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "grub" {puts "TESTING ERROR 9\n";exit}
+        "mozilla" {puts "TESTING ERROR 10\n";exit}
+        "libdl.so"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp
index 5a76d7fcc..b3ab5e13c 100755
--- a/test/utils/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -22,11 +22,11 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "init_module"
+        "delete_module"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "delete_module"
+        "init_module"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}