38 files changed, 118 insertions, 50 deletions
diff --git a/README b/README
index c8cdbb6d8..fa67c1252 100644
--- a/README
+++ b/README
@@ -103,6 +103,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
        - pidgin private-bin conversion
        - added eom profile
        - added gnome-chess profile
+        - added DOSBox profile
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
        - cpio profile
 Paupiah Yash (https://github.com/CaffeinatedStud)
diff --git a/README.md b/README.md
index 6785e3f7a..ebd39de5b 100644
--- a/README.md
+++ b/README.md
@@ -197,5 +197,5 @@ Browsers: Palemoon
 ## New security profiles
 Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
-tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client
+tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client, DOSBox
diff --git a/RELNOTES b/RELNOTES
index 62171af35..3c69b0a1c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -39,7 +39,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * profiles: pix, audacity, xz, xzdec, gzip, cpio, less
  * profiles: Atom Beta, Atom, jitsi, eom, uudeview
  * profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
-  * profiles: inox, Slack, gnome-chess. Gajim IM client
+  * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Thu, 26 Aug 2016 08:00:00 -0500
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 217cdeee0..1e7c06879 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -19,8 +19,8 @@ whitelist ~/.local/share/0ad
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
@@ -28,4 +28,4 @@ shell none
 tracelog
 private-dev
+private-tmp
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
index 3c753e86c..9a8d93875 100644
--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -1,4 +1,4 @@
-# Firjail profile for Atom Beta.
+# Firejail profile for Atom Beta.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
@@ -11,9 +11,10 @@ netfilter
 nonewprivs
 nogroups
 noroot
+nosound
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 private-dev
-nosound
+private-tmp
diff --git a/etc/atom.profile b/etc/atom.profile
index 8304cd379..3cb86847e 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -1,4 +1,4 @@
-# Firjail profile for Atom.
+# Firejail profile for Atom.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
@@ -11,8 +11,10 @@ netfilter
 nonewprivs
 nogroups
 noroot
+nosound
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 private-dev
-nosound
+private-tmp
diff --git a/etc/atril.profile b/etc/atril.profile
index bfe731bec..d9e10b072 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -18,3 +18,4 @@ tracelog
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
+private-tmp
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 162201cb8..be3fac9be 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
 nonewprivs
 nogroups
 noroot
@@ -17,3 +18,4 @@ tracelog
 private-bin audacity
 private-dev
+private-tmp
diff --git a/etc/aweather.profile b/etc/aweather.profile
index da93e8ba3..4e5c36f50 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -15,10 +15,11 @@ nonewprivs
 nogroups
 noroot
 nosound
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 private-bin aweather
 private-dev
+private-tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 2f7584241..fb0f5a669 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -89,6 +89,7 @@ blacklist ${HOME}/.steam
 blacklist ${HOME}/.config/wesnoth
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.dosbox
 # Cryptocoins
 blacklist ${HOME}/.*coin
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
new file mode 100644
index 000000000..45fbb712a
--- /dev/null
+++ b/etc/dosbox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin dosbox
+private-dev
+private-tmp
diff --git a/etc/eom.profile b/etc/eom.profile
index 81d993e96..dfcea82c1 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -18,3 +18,4 @@ tracelog
 private-bin eom
 private-dev
+private-tmp
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 2882c59a6..f43f5f199 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -7,12 +7,14 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 private-bin gitter
 private-dev
+private-tmp
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index e043c7229..3ffd10add 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -19,4 +19,3 @@ tracelog
 private-bin gthumb
 whitelist /tmp/.X11-unix
 private-dev
-private-tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 0ff64aef5..5cefe45b5 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,7 +1,8 @@
 # HexChat instant messaging profile
+# Currently in testing (may not work for all users)
 noblacklist ${HOME}/.config/hexchat
-noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
+#noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -14,11 +15,14 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
 mkdir ~/.config/hexchat
 whitelist ~/.config/hexchat
 include /etc/firejail/whitelist-common.inc
-# private-bin requires perl, python, etc.
+private-bin hexchat
+#debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 77a00ebef..75a52e9ff 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -15,5 +16,3 @@ tracelog
 private-dev
 whitelist /tmp/.X11-unix/
-nosound
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index acedaebb7..71deec6bc 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -23,6 +23,7 @@ shell none
 tracelog
 private-bin palemoon
+private-tmp
 # These are uncommented in the Firefox profile. If you run into trouble you may
 # want to uncomment (some of) them.
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 3df2cafa6..47be2b6ea 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -18,3 +18,4 @@ tracelog
 private-bin pidgin
 private-dev
+private-tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 0cac18573..927487037 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -20,3 +20,4 @@ shell none
 tracelog
 private-bin qtox
+private-tmp
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 9f087ea1d..0e8527ae7 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -16,3 +16,4 @@ tracelog
 private-bin rhythmbox
 private-dev
+private-tmp
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index adefa75ff..d57c9e5f7 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -25,4 +25,4 @@ tracelog
 private-bin stellarium
 private-dev
+private-tmp
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index fa5c3b22b..0cfa4fcfc 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -14,9 +14,9 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
-shell none
 private-bin transmission-gtk
 whitelist /tmp/.X11-unix
 private-dev
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c82247dd2..cdd098dd5 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -17,3 +17,5 @@ shell none
 tracelog
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+private-dev
+private-tmp
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index ff37e2800..7c7efade8 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -23,3 +23,4 @@ tracelog
 private-bin warzone2100
 private-dev
+private-tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index a46b2fa06..54d5ed89b 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -19,3 +19,4 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
+private-tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index ac7d34022..d2a000bd0 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -20,3 +20,4 @@ tracelog
 private-bin xreader, xreader-previewer, xreader-thumbnailer
 private-dev
+private-tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 7a4ae4858..cbb59d16e 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -6,8 +6,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix
@@ -17,3 +17,4 @@ tracelog
 private-dev
 private-bin xviewer
+private-tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 2eaca90ce..691c536df 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -142,3 +142,4 @@
 /etc/firejail/xz.profile
 /etc/firejail/xzdec.profile
 /etc/firejail/strings.profile
+/etc/firejail/dosbox.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c909e6903..dd876c87c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -75,6 +75,7 @@ unbound
 # emulators/compatibility layers
 mupen64plus
 wine
+dosbox
 # games
 0ad
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 2cc65e464..88cd6918d 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -135,7 +135,8 @@ void env_defaults(void) {
        }
        // set the window title
-        printf("\033]0;firejail %s\007", cfg.window_title);
+        if (!arg_quiet)
+                printf("\033]0;firejail %s\007", cfg.window_title);
        fflush(0);
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 33037da29..11e626b6e 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -554,24 +554,30 @@ void fs_whitelist(void) {
        
        // /media mountpoint
        if (media_dir) {
-                // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
+                // some distros don't have a /media directory
-                int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
+                struct stat s;
-                if (rv == -1)
+                if (stat("/media", &s) == 0) {
-                        errExit("mkdir");
+                        // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-                if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
+                        int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
-                        errExit("chown");
+                        if (rv == -1)
-                if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0)
+                                errExit("mkdir");
-                        errExit("chmod");
+                        if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
+                                errExit("chown");
+                        if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0)
+                                errExit("chmod");
        
-                if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
+                                errExit("mount bind");
        
-                // mount tmpfs on /media
+                        // mount tmpfs on /media
-                if (arg_debug || arg_debug_whitelists)
+                        if (arg_debug || arg_debug_whitelists)
-                        printf("Mounting tmpfs on /media directory\n");
+                                printf("Mounting tmpfs on /media directory\n");
-                if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting tmpfs on /media");
+                                errExit("mounting tmpfs on /media");
-                fs_logger("tmpfs /media");
+                        fs_logger("tmpfs /media");
+                }
+                else
+                        media_dir = 0;
        }
        // /var mountpoint
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 948c7ef71..414b899ce 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -309,14 +309,15 @@ void join(pid_t pid, int argc, char **argv, int index) {
                                printf("Joining user namespace\n");
                        if (join_namespace(1, "user"))
                                exit(1);
+                        // user namespace resets capabilities
+                        // set caps filter
+                        if (apply_caps == 1)    // not available for uid 0
+                                caps_set(caps);
                }
                else 
                        drop_privs(arg_nogroups);       // nogroups not available for uid 0
-                // user namespace resets capabilities
-                // set caps filter
-                if (apply_caps == 1)    // not available for uid 0
-                        caps_set(caps);
                // set prompt color to green
                char *prompt = getenv("FIREJAIL_PROMPT");
diff --git a/src/firejail/main.c b/src/firejail/main.c
index dbb92a899..501bccff2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -46,6 +46,7 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick);
 #endif
 uid_t firejail_uid = 0;
+gid_t firejail_gid = 0;
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE];            // space for child's stack
@@ -606,6 +607,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                exit(1);
                        }
                        
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
                        // join sandbox by pid or by name
                        pid_t pid;
                        if (read_pid(argv[i] + 15, &pid) == 0)          
@@ -629,6 +633,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        exit(1);
                }
                
+                if (!cfg.shell && !arg_shell_none)
+                        cfg.shell = guess_shell();
                // join sandbox by pid or by name
                pid_t pid;
                if (read_pid(argv[i] + 18, &pid) == 0)          
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index de5572fb1..752df5fff 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -31,6 +31,7 @@
 }
 extern uid_t firejail_uid;
+extern uid_t firejail_gid;
@@ -44,16 +45,18 @@ static inline void EUID_ROOT(void) {
 static inline void EUID_USER(void) {
        if (seteuid(firejail_uid) == -1)
                errExit("seteuid");
-        if (setegid(firejail_uid) == -1)
+        if (setegid(firejail_gid) == -1)
                errExit("setegid");
 }
 static inline void EUID_PRINT(void) {
        printf("debug: uid %d, euid %d\n", getuid(), geteuid());
+        printf("debug: gid %d, egid %d\n", getgid(), getegid());
 }
 static inline void EUID_INIT(void) {
        firejail_uid = getuid();
+        firejail_gid = getgid();
 }
 #endif
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 35b84b981..dbb0df233 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -578,19 +578,19 @@ $ firejail --net=eth0 --name=browser firefox &
 .br
 # change netfilter configuration
 .br
-$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
+$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
 .br
 .br
 # verify netfilter configuration
 .br
-$ sudo firejail --join-network=browser "/sbin/iptables -vL"
+$ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 .br
 # verify  IP addresses
 .br
-$ sudo firejail --join-network=browser "ip addr"
+$ sudo firejail --join-network=browser ip addr
 .br
 Switching to pid 1932, the first child process inside the sandbox
 .br
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 785f57d3f..04a1daaf6 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -50,7 +50,7 @@ which zsh
 if [ "$?" -eq 0 ];
 then
        echo "TESTING: zsh (test/environment/zsh.exp)"
-        ./csh.exp
+        ./zsh.exp
 else
        echo "TESTING SKIP: zsh not found"
 fi
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index 5fca1cf22..578951ce0 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -27,7 +27,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "/usr/bin/zsh"
+        "/bin/zsh"
 }
 send -- "exit\r"
 after 100
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
index 2ab634afd..5ddce8678 100755
--- a/test/fs/private-etc-empty.exp
+++ b/test/fs/private-etc-empty.exp
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2016 Firejail Authors
 # License GPL v2
-set timeout 30
+set timeout 10
 spawn $env(SHELL)
 match_max 100000
@@ -17,7 +17,8 @@ sleep 1
 send -- "ls -l /etc | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "0"
+        "0" {puts "Debian\n"}
+        "1" {puts "Arch\n"}
 }
 send -- "exit\r"
 sleep 1
@@ -32,7 +33,9 @@ sleep 1
 send -- "ls -l /etc | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "0"
+        "0" {puts "Debian\n"}
+        "1" {puts "Arch\n"}
 }
 after 100