21 files changed, 159 insertions, 38 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4f8f7e4fc..e5e86d8e0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -53,7 +53,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      uses: github/codeql-action/autobuild@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -78,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
diff --git a/Makefile b/Makefile
index 11e19ec37..eb49f9ac9 100644
--- a/Makefile
+++ b/Makefile
@@ -179,8 +179,8 @@ uninstall: config.mk
         rm -f $(DESTDIR)$(bindir)/firejail
         rm -f $(DESTDIR)$(bindir)/firemon
         rm -f $(DESTDIR)$(bindir)/firecfg
+        rm -f $(DESTDIR)$(bindir)/jailcheck
         rm -fr $(DESTDIR)$(libdir)/firejail
-        rm -fr $(DESTDIR)$(libdir)/jailcheck
         rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
         for man in $(MANPAGES); do \
                 rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
@@ -189,6 +189,9 @@ uninstall: config.mk
         rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
         rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
         rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
+        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
+        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
 DISTFILES = \
diff --git a/README b/README
index 713f5ca3f..99c7b17f0 100644
--- a/README
+++ b/README
@@ -182,6 +182,8 @@ avoidr (https://github.com/avoidr)
         - added mcabber profile
         - fixed mpv profile
         - various other fixes
+Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
+        -  add support for custom AppArmor profiles (--apparmor=)
 backspac (https://github.com/backspac)
         - firecfg fixes
         - add steam-runtime alias
diff --git a/README.md b/README.md
index 22fd03b9f..30e67bb16 100644
--- a/README.md
+++ b/README.md
@@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 
+### Restrict namespaces
+
+`````
+       --restrict-namespaces
+              Install a seccomp filter that  blocks  attempts  to  create  new
+              cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+
+              Example:
+              $ firejail --restrict-namespaces
+
+       --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
+              Install  a  seccomp filter that blocks attempts to create any of
+              the specified namespaces. The filter examines the  arguments  of
+              clone, unshare and setns system calls and returns error EPERM to
+              the process (or kills it or logs the attempt, see  --seccomp-er‐
+              ror-action below) if necessary. Note that the filter is not able
+              to examine the arguments of clone3 system calls, and always  re‐
+              sponds to these calls with error ENOSYS.
+
+              Example:
+              $ firejail --restrict-namespaces=user,net
+`````
+
+#### Support for custom AppArmor profiles
+
+`````
+      --apparmor
+              Enable AppArmor confinement with the "firejail-default" AppArmor
+              profile.   For more information, please see APPARMOR section be‐
+              low.
+
+       --apparmor=profile_name
+              Enable AppArmor confinement  with  a  custom  AppArmor  profile.
+              Note  that  profile  in question must already be loaded into the
+              kernel.  For more information, please see APPARMOR  section  be‐
+`````
+
 ### Profile Statistics
 
 A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
@@ -221,4 +258,4 @@ Stats:
 
 ### New profiles:
 
-onionshare, onionshare-cli, opera-developer, songrec
+onionshare, onionshare-cli, opera-developer, songrec, gdu
diff --git a/RELNOTES b/RELNOTES
index d2fe40101..63da0ae5d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,10 @@
 firejail (0.9.71) baseline; urgency=low
   * work in progress
-  * feat: On failing to remount a fuse filesystem, give warning instead of
-  * erroring out (#5240 #5242)
+  * feature: restrict namespaces (--restrict-namespaces) inplemented as
+    a seccomp filter for both 64 and 32 bit architectures
+  * feature: On failing to remount a fuse filesystem, give warning instead of
+    erroring out (#5240 #5242)
+  * feature: support for custom AppArmor profiles (--apparmor=) (#5274)
   * build: deduplicate configure-time vars into new config files (#5140)
   * build: fix file mode of shell scripts (644 -> 755) (#5206)
   * build: reduce autoconf input files from 32 to 2 (#5219)
diff --git a/config.sh.in b/config.sh.in
index 3d54ff189..155f2158e 100644
--- a/config.sh.in
+++ b/config.sh.in
@@ -1,3 +1,7 @@
 # @configure_input@
-NAME=@PACKAGE_NAME@
-VERSION=@PACKAGE_VERSION@
+#
+# shellcheck shell=sh
+# shellcheck disable=SC2034
+
+NAME="@PACKAGE_NAME@"
+VERSION="@PACKAGE_VERSION@"
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 9099a0808..0c8ebdbd8 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
 syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index b517620db..2831fec72 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-apparmor
+## Enabling App Armor appears to break some Fedora / Arch installs
+#apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
new file mode 100644
index 000000000..783183bea
--- /dev/null
+++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gdu
+# Description: Fast disk usage analyzer with console interface
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+seccomp.block-secondary
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
+# Depending on workflow and use case the sandbox can be hardened by adding the
+# lines below to your gdu.local if you don't need/want these functionalities.
+#include disable-shell.inc
+#private-bin gdu
+#read-only ${HOME}
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index dd2f0b318..4ec6ef82e 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for makepkg
+# Description: A utility to automate the building of Arch Linux packages
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5d482adca..9000b7972 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 627bb57a8..74c951fe6 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 71cec5eaf..1e10258d5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -289,6 +289,7 @@ gapplication
 gcalccmd
 gcloud
 gconf-editor
+gdu
 geany
 geary
 gedit
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 167b6a843..0a4dffb75 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user;	// writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
 extern int arg_apparmor;        // apparmor
+extern char *apparmor_profile;  // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
 extern int arg_x11_xorg;        // use X11 security extension
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 55f623138..29c25dfc5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0;			// writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
 int arg_apparmor = 0;                           // apparmor
+char *apparmor_profile = NULL;  // apparmor profile
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
 int arg_x11_xorg = 0;                           // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
                 // filtering
                 //*************************************
 #ifdef HAVE_APPARMOR
-                else if (strcmp(argv[i], "--apparmor") == 0)
+                else if (strcmp(argv[i], "--apparmor") == 0) {
                         arg_apparmor = 1;
+                        apparmor_profile = "firejail-default";
+                }
+                else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+                        arg_apparmor = 1;
+                        apparmor_profile = argv[i] + 11;
+                }
 #endif
                 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index dc1aff49a..82f8a393b 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
                 arg_apparmor = 1;
+                apparmor_profile = "firejail-default";
+#endif
+                return 0;
+        }
+        
+        if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+                arg_apparmor = 1;
+                apparmor_profile = strdup(ptr + 9);
+                if (!apparmor_profile)
+                        errExit("strdup");
 #endif
                 return 0;
         }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b1b3407b4..9299268a3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
         EUID_ASSERT();
         if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-                if (aa_change_onexec("firejail-default")) {
+                if (aa_stack_onexec(apparmor_profile)) {
                         fwarning("Cannot confine the application using AppArmor.\n"
                                 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
                                 "As root, run \"aa-enforce firejail-default\" to load it.\n");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c3c17393c..e11081eed 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
         "    -- - signal the end of options and disables further option processing.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
-        "    --apparmor - enable AppArmor confinement.\n"
+        "    --apparmor - enable AppArmor confinement with the default profile.\n"
+        "    --apparmor=profile_name - enable AppArmor confinement with a\n"
+        "\tcustom profile.\n"
         "    --apparmor.print=name|pid - print apparmor status.\n"
         "    --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ecfcabb87..138aae8af 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
 #endif
 .TP
 \fBcaps
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 029c9dd36..2d8adb0b7 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 605000e31..2b67c2a00 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -171,7 +171,8 @@ _firejail_args=(
     '--writable-var-log[use the real /var/log directory, not a clone]'
 
 #ifdef HAVE_APPARMOR
-    '--apparmor[enable AppArmor confinement]'
+    '--apparmor[enable AppArmor confinement with the default profile]'
+    '--apparmor=-[enable AppArmor confinement with a custom profile]: :'
     '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif