10 files changed, 82 insertions, 40 deletions

diff --git a/etc/dig.profile b/etc/dig.profile
index e609105b4..af71ff17f 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -46,7 +46,8 @@ private
 private-bin bash,dig,sh
 private-cache
 private-dev
-private-lib
+# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
+#private-lib
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 96957eeaf..b2837b443 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -315,6 +315,7 @@ blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.fscrypt
 blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
@@ -335,6 +336,7 @@ blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
+blacklist /.fscrypt
 blacklist /etc/davfs2/secrets
 blacklist /etc/group+
 blacklist /etc/group-
@@ -348,6 +350,7 @@ blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
 blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
 blacklist /var/backup
 
 # cloud provider configuration
diff --git a/etc/firejail-default b/etc/firejail-default
index e7831e145..a012f5440 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,12 +22,11 @@ dbus,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
-# Some browsers are also using ptrace for their sandboxing.
 ##########
 # Uncomment this line to allow all ptrace access
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
-ptrace (read,readby) peer=firejail-default,
+ptrace (read,readby) peer=@{profile_name},
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default,
 ##########
 owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
-
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
 # Allow writing to removable media
@@ -58,9 +54,6 @@ owner /{,var/}run/media/** w,
 /{,var/}run/systemd/journal/socket w,
 /{,var/}run/systemd/journal/dev-log w,
 
-# Needed for wine
-/{,var/}run/firejail/profile/@{PID} w,
-
 # Allow access to cups printing socket.
 /{,var/}run/cups/cups.sock w,
 
@@ -94,8 +87,10 @@ deny /proc/@{PID}/oom_score_adj w,
 ##########
 # Blacklist specific sensitive paths.
 ##########
-# Common backup directory
-deny /**/.snapshots/ rwx,
+deny /**/.fscrypt/ rw,
+deny /**/.fscrypt/** rwklmx,
+deny /**/.snapshots/ rw,
+deny /**/.snapshots/** rwklmx,
 
 ##########
 # Allow all networking functionality, and control it from Firejail.
@@ -111,7 +106,8 @@ network packet,
 ##########
 # There is no equivalent in Firejail for filtering signals.
 ##########
-signal,
+signal (send) peer=@{profile_name},
+signal (receive),
 
 ##########
 # We let Firejail deal with capabilities, but ensure that
diff --git a/etc/k3b.profile b/etc/k3b.profile
index 60da458ab..0c1da7ae1 100644
--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -20,17 +20,18 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+# net none
 netfilter
 no3d
-nonewprivs
-noroot
+# nonewprivs - breaks privileged helpers
+# noroot - breaks privileged helpers
 nosound
 notv
 novideo
-protocol unix
-seccomp
+# protocol unix - breaks privileged helpers
+# seccomp - breaks privileged helpers
 shell none
-tracelog
 
+private-dev
 # private-tmp
diff --git a/etc/wine.profile b/etc/wine.profile
index 192c375cd..29e79c3f5 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -15,13 +15,20 @@ noblacklist ${HOME}/.wine
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
 
+# uncomment next line if seccomp breaks a program
+# allow-debuggers
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
 nonewprivs
 noroot
 notv
+# novideo
 seccomp
+
+private-dev
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3df551d4c..3e802efb5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1191,15 +1191,15 @@ void fs_private_cache(void) {
         // check if ~/.cache is a valid destination
         struct stat s;
         if (lstat(cache, &s) == -1) {
-                fwarning("cannot find %s, tmpfs not mounted\n", cache);
+                fwarning("skipping private-cache: cannot find %s\n", cache);
                 free(cache);
                 return;
         }
         if (!S_ISDIR(s.st_mode)) {
                 if (S_ISLNK(s.st_mode))
-                        fwarning("%s is a symbolic link, tmpfs not mounted\n", cache);
+                        fwarning("skipping private-cache: %s is a symbolic link\n", cache);
                 else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it\n", cache);
+                        fwarning("skipping private-cache: %s is not a directory\n", cache);
                 free(cache);
                 return;
         }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 25c167af1..2e8a8ad96 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -250,6 +250,9 @@ void fs_private_homedir(void) {
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
+        // home directory outside /home?
+        int oflag = (strncmp(homedir, "/home/", 6) != 0);
+
         uid_t u = getuid();
         gid_t g = getgid();
 
@@ -259,20 +262,33 @@ void fs_private_homedir(void) {
         // get file descriptors for homedir and private_homedir, fails if there is any symlink
         int src = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (src == -1)
-                errExit("safe_fd");
+                errExit("opening private directory");
         int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (dst == -1)
-                errExit("safe_fd");
-        // check if new home directory is owned by the user
-        struct stat s;
-        if (fstat(src, &s) == -1)
-                errExit("fstat");
-        if (s.st_uid != getuid()) {
-                fprintf(stderr, "Error: private directory is not owned by the current user\n");
-                exit(1);
+                errExit("opening home directory");
+        if (u != 0) {
+                struct stat s;
+                // sometimes system users are assigned home directories like /, /proc, ...
+                // require that a home directory outside /home is owned by the user
+                if (oflag) {
+                        if (fstat(dst, &s) == -1)
+                                errExit("fstat");
+                        if (s.st_uid != u) {
+                                fprintf(stderr, "Error: cannot mount private directory:\n"
+                                        "Home directory is not owned by the current user\n");
+                                exit(1);
+                        }
+                }
+                // check if new home directory is owned by the user
+                if (fstat(src, &s) == -1)
+                        errExit("fstat");
+                if (s.st_uid != u) {
+                        fprintf(stderr, "Error: private directory is not owned by the current user\n");
+                        exit(1);
+                }
+                if ((S_IRWXU & s.st_mode) != S_IRWXU)
+                        fwarning("no full permissions on private directory\n");
         }
-        if ((S_IRWXU & s.st_mode) != S_IRWXU)
-                fwarning("no full permissions on private directory\n");
         // mount via the links in /proc/self/fd
         char *proc_src, *proc_dst;
         if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
@@ -308,7 +324,7 @@ void fs_private_homedir(void) {
                         errExit("mounting home directory");
                 fs_logger("tmpfs /root");
         }
-        if (u == 0 || strncmp(homedir, "/home/", 6) != 0) {
+        if (oflag) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
@@ -317,7 +333,6 @@ void fs_private_homedir(void) {
                 fs_logger("tmpfs /home");
         }
 
-
         skel(homedir, u, g);
         if (xflag)
                 copy_xauthority();
@@ -377,6 +392,7 @@ void fs_private(void) {
                 }
                 else
                         // user directory is outside /home, mask it as well
+                        // check if directory is owned by the current user
                         fs_tmpfs(homedir, 1);
         }
 
@@ -385,7 +401,6 @@ void fs_private(void) {
                 copy_xauthority();
         if (aflag)
                 copy_asoundrc();
-
 }
 
 // check new private home directory (--private= option) - exit if it fails
@@ -531,6 +546,9 @@ void fs_private_home_list(void) {
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
+        // home directory outside /home?
+        int oflag = (strncmp(homedir, "/home/", 6) != 0);
+
         uid_t uid = getuid();
         gid_t gid = getgid();
 
@@ -563,7 +581,19 @@ void fs_private_home_list(void) {
 
         int fd = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
-                errExit("safe_fd");
+                errExit("opening home directory");
+        if (uid != 0 && oflag) {
+                // home directory outside /home should be owned by the user
+                struct stat s;
+                if (fstat(fd, &s) == -1)
+                        errExit("fstat");
+                if (s.st_uid != uid) {
+                        fprintf(stderr, "Error: cannot mount private directory:\n"
+                                "Home directory is not owned by the current user\n");
+                        exit(1);
+                }
+        }
+        // mount using the file descriptor
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
@@ -584,7 +614,7 @@ void fs_private_home_list(void) {
                 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=700,gid=0") < 0)
                         errExit("mounting home directory");
         }
-        if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) {
+        if (oflag) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
@@ -600,5 +630,4 @@ void fs_private_home_list(void) {
 
         if (!arg_quiet)
                 fprintf(stderr, "Home directory installed in %0.2f ms\n", timetrace_end());
-
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 5b39dd491..1786cfac2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -262,7 +262,7 @@ static int has_link(const char *dir) {
 
 static void check_homedir(void) {
         assert(cfg.homedir);
-        if (cfg.homedir[0] != '/' || cfg.homedir[1] == '\0') { // system users sometimes have root directory as home
+        if (cfg.homedir[0] != '/') {
                 fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
                 exit(1);
         }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 03cd9dadb..9a724331b 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -143,6 +143,10 @@ static int check_appimage(void) {
         return arg_appimage != 0;
 }
 
+static int check_netoptions(void) {
+        return (arg_nonetwork || any_bridge_configured());
+}
+
 static int check_nodbus(void) {
         return arg_nodbus != 0;
 }
@@ -161,6 +165,7 @@ static int check_allow_drm(void) {
 
 Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
+        {"HAS_NET", check_netoptions},
         {"HAS_NODBUS", check_nodbus},
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4a84cc828..719a80c2c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.