11 files changed, 219 insertions, 10 deletions
diff --git a/README.md b/README.md
index 90e3f7fcc..d3f5db872 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,52 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
+## Spectre mitigation
+If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
+The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it
+on older versions, for example on Debian stable running on gcc 6.3.0.  This is how you check it:
+`````
+$ ./configure --prefix=/usr
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables...
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking for a BSD-compatible install... /usr/bin/install -c
+checking for ranlib... ranlib
+checking for Spectre mitigation support in gcc compiler... yes
+[...]
+Configuration options:
+   prefix: /usr
+   sysconfdir: /etc
+   seccomp: -DHAVE_SECCOMP
+   <linux/seccomp.h>: -DHAVE_SECCOMP_H
+   apparmor:
+   global config: -DHAVE_GLOBALCFG
+   chroot: -DHAVE_CHROOT
+   bind: -DHAVE_BIND
+   network: -DHAVE_NETWORK
+   user namespace: -DHAVE_USERNS
+   X11 sandboxing support: -DHAVE_X11
+   whitelisting: -DHAVE_WHITELIST
+   private home support: -DHAVE_PRIVATE_HOME
+   file transfer support: -DHAVE_FILE_TRANSFER
+   overlayfs support: -DHAVE_OVERLAYFS
+   git install support:
+   busybox workaround: no
+   Spectre compiler patch: yes
+   EXTRA_LDFLAGS:
+   EXTRA_CFLAGS:  -mindirect-branch=thunk
+   fatal warnings:
+   Gcov instrumentation:
+   Install contrib scripts: yes
+`````
 ## AppImage development
 Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
@@ -246,4 +292,5 @@ firefox-common-addons.inc in firefox-common.profile.
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
-tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder
+tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
+gnome-recipes, akonadi_control
diff --git a/RELNOTES b/RELNOTES
index a031e697e..681e2a865 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,6 +9,7 @@ firejail (0.9.53) baseline; urgency=low
     All users of Firefox-based browsers who use addons and plugins
     that read/write from ${HOME} will need to uncomment the includes for
     firefox-common-addons.inc in firefox-common.profile.
+  * Spectre mitigation patch for gcc compiler
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for Firefox, Chromium, Transmission
@@ -27,7 +28,8 @@ firejail (0.9.53) baseline; urgency=low
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
-  * new profiles: falkon, gnome-builder, asunder, VS Code,
+  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
+  * new profiles: akonadi_control
 -- netblue30 <netblue30@yahoo.com>  Thu, 1 Mar 2018 08:00:00 -0500
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
new file mode 100644
index 000000000..0443774dd
--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,45 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+# depending on your setup it might be possible to
+# enable some of the commented options below
+# apparmor
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+tracelog
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0d542c6d8..3f0d7b337 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -144,6 +146,7 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -346,12 +349,14 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akonadi/*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
@@ -369,6 +374,7 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
@@ -376,11 +382,13 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -495,6 +503,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
new file mode 100644
index 000000000..2392440a6
--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gnome-recipes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-recipes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.local/share/gnome-recipes
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc ca-certificates,fonts,ssl
+# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
+# not widely tested though, leaving it to devs discretion to enable it later
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index ca774f4ec..3ee8370cb 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,6 +5,18 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# one solution is to have akonadi already running when kmail is launched
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
 include /etc/firejail/disable-common.inc
@@ -12,6 +24,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+# apparmor
 caps.drop all
 netfilter
 nodvd
@@ -22,11 +35,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
+# we need to allow chroot and ioprio_set system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 94ada7855..091c3a8e5 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,10 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/akonadi/*
 include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -22,10 +24,14 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 private-dev
-#private-tmp - problems on kubuntu 17.04
+# private-tmp - interrupts connection to akonadi
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 5bab7ce7d..ec4b47c29 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -14,3 +14,6 @@ netfilter
 noroot
 protocol unix,inet,inet6
 seccomp
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e29f95886..2ffaa8b98 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -16,6 +16,7 @@ VirtualBox
 Wire
 Xephyr
 abrowser
+akonadi_control
 akregator
 amarok
 amule
@@ -154,6 +155,7 @@ gnome-maps
 gnome-mplayer
 gnome-music
 gnome-photos
+gnome-recipes
 gnome-twitch
 gnome-weather
 goobox
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index 57a0e19df..361ad1414 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include "../include/pid.h"
+#define BUFLEN 4096
 static void delete_x11_run_file(pid_t pid) {
        char *fname;
@@ -74,7 +75,36 @@ void delete_run_files(pid_t pid) {
        delete_profile_run_file(pid);
 }
+static char *newname(char *name) {
+        char *rv;
+        pid_t pid;
+        // try the name
+        if (name2pid(name, &pid))
+                return name;
+        // try name-1 to 9
+        int i;
+        for (i = 1; i < 10; i++) {
+                if (asprintf(&rv, "%s-%d", name, i) == -1)
+                        errExit("asprintf");
+                if (name2pid(rv, &pid)) {
+                        fwarning("Sandbox name changed to %s\n", rv);
+                        return rv;
+                }
+                free(rv);
+        }
+        // return name-pid
+        if (asprintf(&rv, "%s-%d", name, getpid()) == -1)
+                errExit("asprintf");
+        return rv;
+}
 void set_name_run_file(pid_t pid) {
+        cfg.name = newname(cfg.name);
        char *fname;
        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
                errExit("asprintf");
diff --git a/src/lib/pid.c b/src/lib/pid.c
index f138efc8c..3c804716d 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -188,10 +188,11 @@ static void print_elem(unsigned index, int nowrap) {
        uid_t uid = pids[index].uid;
        char *cmd = pid_proc_cmdline(index);
        char *user = pid_get_user_name(uid);
-        char *allocated = user;
+        char *user_allocated = user;
        // extract sandbox name - pid == index
        char *sandbox_name = "";
+        char *sandbox_name_allocated = NULL;
        char *fname;
        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1)
                errExit("asprintf");
@@ -202,6 +203,7 @@ static void print_elem(unsigned index, int nowrap) {
                        sandbox_name = malloc(s.st_size + 1);
                        if (!sandbox_name)
                                errExit("malloc");
+                        sandbox_name_allocated = sandbox_name;
                        char *rv = fgets(sandbox_name, s.st_size + 1, fp);
                        if (!rv)
                                *sandbox_name = '\0';
@@ -241,8 +243,10 @@ static void print_elem(unsigned index, int nowrap) {
                else
                        printf("%s%u:\n", indent, index);
        }
-        if (allocated)
+        if (user_allocated)
-                free(allocated);
+                free(user_allocated);
+        if (sandbox_name_allocated)
+                free(sandbox_name_allocated);
 }
 // recursivity!!!