9 files changed, 70 insertions, 37 deletions

diff --git a/RELNOTES b/RELNOTES
index 2bab5ddc2..fe871134b 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,10 @@
 firejail (0.9.53) baseline; urgency=low
   * work in progress
   * seccomp syscall list update for glibc 2.26-10
+  * IPv6 DNS support
+  * whitelist support for overlay and chroot sandboxes
+  * private-dev support for overlay and chroot sandboxes
+  * private-tmp support for overlay and chroot sandboxes
   * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary
   * new profiles: pycharm-community, pycharm-professional
  -- netblue30 <netblue30@yahoo.com>  Tue, 12 Dec 2017 08:00:00 -0500
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 8cfcaa838..4d9c4d85f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -416,6 +416,7 @@ blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
@@ -453,6 +454,7 @@ blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmms
+blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
diff --git a/etc/xmr-stak-cpu.profile b/etc/redeclipse.profile
index 9cc6e0c1f..f0a993c54 100644
--- a/etc/xmr-stak-cpu.profile
+++ b/etc/redeclipse.profile
@@ -1,27 +1,28 @@
-# Firejail profile for xmr-stak-cpu
+# Firejail profile for redeclipse
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xmr-stak-cpu.local
+include /etc/firejail/redeclipse.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.redeclipse
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkdir ${HOME}/.redeclipse
+whitelist ${HOME}/.redeclipse
+include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
-ipc-namespace
 netfilter
-no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 novideo
 protocol unix,inet,inet6
@@ -29,14 +30,8 @@ seccomp
 shell none
 
 disable-mnt
-private
-private-bin xmr-stak-cpu
 private-dev
-private-etc xmr-stak-cpu.json
-private-lib
-private-opt none
 private-tmp
 
-memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
new file mode 100644
index 000000000..151a4c694
--- /dev/null
+++ b/etc/xmr-stak.profile
@@ -0,0 +1,44 @@
+# Firejail profile for xmr-stak
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xmr-stak.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.xmr-stak
+noblacklist /usr/lib/llvm*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.xmr-stak
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private ${HOME}/.xmr-stak
+private-bin xmr-stak
+private-dev
+private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
+private-opt cuda
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index d17d2b612..7a466db9b 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 1cd9d9c1f..e9e1db287 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -293,6 +293,7 @@ qupzilla
 qutebrowser
 rambox
 ranger
+redeclipse
 remmina
 rhythmbox
 ricochet
@@ -393,7 +394,7 @@ xfce4-dict
 xfce4-notes
 xiphos
 xmms
-xmr-stak-cpu
+xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 7436b7755..631276c0b 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -109,10 +109,12 @@ void appimage_set(const char *appimage) {
         EUID_ROOT();
 
         if (size == 0) {
+                fmessage("Mounting appimage type 1\n");
                 if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
                         errExit("mounting appimage");
         }
         else {
+                fmessage("Mounting appimage type 2\n");
                 if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
                         errExit("mounting appimage");
         }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ed0a253b3..47bb94a52 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -763,14 +763,8 @@ int sandbox(void* sandbox_arg) {
                         fs_private();
         }
 
-        if (arg_private_dev) {
-                if (cfg.chrootdir)
-                        fwarning("private-dev feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-dev feature is disabled in overlay\n");
-                else
-                        fs_private_dev();
-        }
+        if (arg_private_dev)
+                fs_private_dev();
 
         if (arg_private_etc) {
                 if (cfg.chrootdir)
@@ -835,16 +829,10 @@ int sandbox(void* sandbox_arg) {
         }
 
         if (arg_private_tmp) {
-                if (cfg.chrootdir)
-                        fwarning("private-tmp feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-tmp feature is disabled in overlay\n");
-                else {
-                        // private-tmp is implemented as a whitelist
-                        EUID_USER();
-                        fs_private_tmp();
-                        EUID_ROOT();
-                }
+                // private-tmp is implemented as a whitelist
+                EUID_USER();
+                fs_private_tmp();
+                EUID_ROOT();
         }
 
         //****************************
@@ -877,12 +865,7 @@ int sandbox(void* sandbox_arg) {
         // apply the profile file
         //****************************
         // apply all whitelist commands ...
-        if (cfg.chrootdir)
-                fwarning("whitelist feature is disabled in chroot\n");
-        else if (arg_overlay)
-                fwarning("whitelist feature is disabled in overlay\n");
-        else
-                fs_whitelist();
+        fs_whitelist();
 
         // ... followed by blacklist commands
         fs_blacklist(); // mkdir and mkfile are processed all over again
diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c
index 0fe287e8f..0b921f8a2 100644
--- a/src/firemon/apparmor.c
+++ b/src/firemon/apparmor.c
@@ -18,9 +18,10 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
-#include <sys/apparmor.h>
 
 #ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
 static void print_apparmor(int pid) {
         char *label = NULL;
         char *mode = NULL;