6 files changed, 66 insertions, 3 deletions

diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index cadf4795d..dcb0a5424 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -157,3 +157,47 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         assert(*command_line);
         assert(*window_title);
 }
+
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) {
+        // index == -1 could happen if we have --shell=none and no program was specified
+        // the program should exit with an error before entering this function
+        assert(index != -1);
+
+        unsigned argcount = argc - index;
+
+        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
+        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
+        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun
+        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
+
+        if (len4 > ARG_MAX) {
+                errno = E2BIG;
+                errExit("cmdline_length");
+        }
+
+        // save created apprun in cfg.command_line
+        char *tmp1 = strdup(*command_line);
+        if (!tmp1)
+                errExit("strdup");
+
+        // TODO: deal with extra allocated memory.
+        char *command_line_tmp = malloc(len1 + len3 + 1);
+        if (!command_line_tmp)
+                        errExit("malloc");
+        *window_title = malloc(len1 + len3 + 1);
+        if (!*window_title)
+                        errExit("malloc");
+
+        // run default quote_cmdline
+        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+
+        assert(command_line_tmp);
+        assert(*window_title);
+
+        // 'fix' command_line now
+        if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1)
+                errExit("asprintf");
+
+        // free strdup
+        free(tmp1);
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8fede5a69..36cf47435 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -208,7 +208,7 @@ typedef struct config_t {
         char *bin_private_keep; // keep list for private bin directory
         char *cwd;              // current working directory
         char *overlay_dir;
-   char *private_template; // template dir for tmpfs home
+        char *private_template; // template dir for tmpfs home
 
         // networking
         char *name;             // sandbox name
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid);
 
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
+extern int arg_allow_private_blacklist;  // blacklist things in private directories
 extern int arg_debug;           // print debug messages
 extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
@@ -564,6 +565,7 @@ void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
+void fs_machineid(void);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 
 // no_sandbox.c
@@ -681,6 +683,7 @@ long unsigned int appimage2_size(const char *fname);
 
 // cmdline.c
 void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path);
 
 // sbox.c
 // programs
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 890f281aa..e2fc09533 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                                 exit(1);
                         }
                 }
+
+                // We don't usually need to blacklist things in private home directories
+                if (okay_to_blacklist
+                 && cfg.homedir
+                 && arg_private
+                 && (!arg_allow_private_blacklist)
+                 && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
+                        okay_to_blacklist = false;
+
                 if (okay_to_blacklist)
                         disable_file(op, path);
                 else if (arg_debug)
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index a27c0e41b..479383af2 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -21,6 +21,7 @@
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <time.h>
 #include <unistd.h>
 
 // spoof /etc/machine_id
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b25bad9f2..15820f7dd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,6 +112,7 @@ int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
+int arg_allow_private_blacklist = 0;  // blacklist things in private directories
 
 int login_shell = 0;
 
@@ -1463,6 +1464,9 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--machine-id") == 0) {
                         arg_machineid = 1;
                 }
+                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
+                        arg_allow_private_blacklist = 1;
+                }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
                 }
@@ -2156,7 +2160,7 @@ int main(int argc, char **argv) {
                 if (arg_debug)
                         printf("Configuring appimage environment\n");
                 appimage_set(cfg.command_name);
-                cfg.window_title = "appimage";
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line);
         }
         else {
                 build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index db3c25a5a..1131abe5f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,12 +30,14 @@ void usage(void) {
         printf("Options:\n");
         printf("    -- - signal the end of options and disables further option processing.\n");
         printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
+        printf("    --allow-private-blacklist - allow blacklisting things in private\n");
+        printf("\tdirectories.\n");
         printf("    --allusers - all user home directories are visible inside the sandbox.\n");
         printf("    --apparmor - enable AppArmor confinement.\n");
         printf("    --appimage - sandbox an AppImage application.\n");
         printf("    --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --bandwidth=name|pid - set  bandwidth  limits\n");
+        printf("    --bandwidth=name|pid - set bandwidth limits.\n");
 #endif
 #ifdef HAVE_BIND                
         printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");