19 files changed, 155 insertions, 59 deletions
diff --git a/COPYING b/COPYING
index b6e1c33e0..d159169d1 100644
--- a/COPYING
+++ b/COPYING
@@ -1,12 +1,12 @@
-                    GNU GENERAL PUBLIC LICENSE
+                    GNU GENERAL PUBLIC LICENSE
-                       Version 2, June 1991
+                       Version 2, June 1991
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
-                       51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
-                            Preamble
+                            Preamble
  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
  The precise terms and conditions for copying, distribution and
 modification follow.
-                    GNU GENERAL PUBLIC LICENSE
+                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
-                            NO WARRANTY
+                            NO WARRANTY
  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
-                     END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
+            How to Apply These Terms to Your New Programs
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+Also add information on how to contact you by electronic and paper mail.
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/SECURITY.md b/SECURITY.md
index 7ec2940f6..ef9b9b5fb 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,24 +2,24 @@
 ## Supported Versions
-| Version | Supported by us    | EOL  | Supported by distribution |
+| Version | Supported by us    | EOL                | Supported by distribution                                                         |
-| ------- | ------------------ | ---- | ------------------------- |
+| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- |
-| 0.9.66  | :heavy_check_mark: |      |                           |
+| 0.9.66  | :heavy_check_mark: |                    | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable)          |
-| 0.9.64  | :x:                |      | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) |
+| 0.9.64  | :x:                |                    | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 |
-| 0.9.62  | :x:                |      | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 |
+| 0.9.62  | :x:                |                    | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10                                 |
-| 0.9.60  | :x:                | 29 Dec 2019 |                    |
+| 0.9.60  | :x:                | 29 Dec 2019        |                                                                                   |
-| 0.9.58  | :x:                |      | :white_check_mark: Debian 9 **backports**, Debian 10 |
+| 0.9.58  | :x:                |                    | :white_check_mark: Debian 9 **backports**, Debian 10                              |
-| 0.9.56  | :x:                | 27 Jan 2019 |                    |
+| 0.9.56  | :x:                | 27 Jan 2019        |                                                                                   |
-| 0.9.54  | :x:                | 18 Sep 2018 |                    |
+| 0.9.54  | :x:                | 18 Sep 2018        |                                                                                   |
-| 0.9.52  | :x:                |      | :white_check_mark: Ubuntu 18.04 LTS |
+| 0.9.52  | :x:                |                    | :white_check_mark: Ubuntu 18.04 LTS                                               |
-| 0.9.50  | :x:                | 12 Dec 2017 |                    |
+| 0.9.50  | :x:                | 12 Dec 2017        |                                                                                   |
-| 0.9.48  | :x:                | 09 Sep 2017 |                    |
+| 0.9.48  | :x:                | 09 Sep 2017        |                                                                                   |
-| 0.9.46  | :x:                | 12 Jun 2017 |                    |
+| 0.9.46  | :x:                | 12 Jun 2017        |                                                                                   |
-| 0.9.44  | :x:                |      | :white_check_mark: Debian 9 |
+| 0.9.44  | :x:                |                    | :white_check_mark: Debian 9                                                       |
-| 0.9.42  | :x:                | 22 Oct 2016 |                    |
+| 0.9.42  | :x:                | 22 Oct 2016        |                                                                                   |
-| 0.9.40  | :x:                | 09 Sep 2016 |                    |
+| 0.9.40  | :x:                | 09 Sep 2016        |                                                                                   |
-| 0.9.38  | :x:                |      | :white_check_mark: Ubuntu 16.04 LTS |
+| 0.9.38  | :x:                |                    | :white_check_mark: Ubuntu 16.04 LTS                                               |
-| <0.9.38 | :x:                | Before 05 Feb 2016 |             |
+| <0.9.38 | :x:                | Before 05 Feb 2016 |                                                                                   |
 ## Security vulnerabilities
diff --git a/configure b/configure
index f78bbaded..33a4ca9fb 100755
--- a/configure
+++ b/configure
@@ -3549,7 +3549,7 @@ if test "x$enable_dbusproxy" != "xno"; then :
 fi
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 #
diff --git a/configure.ac b/configure.ac
index 7879a5239..5fde6d402 100644
--- a/configure.ac
+++ b/configure.ac
@@ -76,7 +76,7 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [
        AC_SUBST(HAVE_DBUSPROXY)
 ])
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 AC_SUBST(HAVE_OVERLAYFS)
 #
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
index 12b596749..961646aa4 100755
--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -164,7 +164,7 @@ def printHelp():
 def main() -> None:
-    """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
+    """The main function. Parses the commandline args, shows messages and calls the function actually doing the work."""
    if len(sys.argv) > 2 or (len(sys.argv) == 2 and
                             (sys.argv[1] == "-h" or sys.argv[1] == "--help")):
        printHelp()
diff --git a/contrib/sort.py b/contrib/sort.py
index d7a2cd05d..4af9c674c 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items):
 def sort_protocol(protocols):
-    """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
    # shortcut for common protocol lines
    if protocols in ("unix", "unix,inet,inet6"):
diff --git a/etc/firejail.config b/etc/firejail.config
index 2e355586b..aec152b85 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -63,7 +63,7 @@
 # a file argument, the default filter is hardcoded (see man 1 firejail). This
 # configuration entry allows the user to change the default by specifying
 # a file containing the filter configuration. The filter file format is the
-# format of  iptables-save  and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
 # netfilter-default /etc/iptables.iptables.rules
 # Enable or disable networking features, default enabled.
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 5892374bd..65e5c6e69 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -18,7 +18,7 @@ whitelist /usr/share/eog
 private-bin eog
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
 # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
 #dbus-user filter
 #dbus-user.own org.gnome.eog
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index fa433b672..74402a8de 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,7 +11,7 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 #    screenshot-directory=~/Pictures
-# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# Mpv has a powerful lua-API, some off these lua-scripts interact
 # with external resources which are blocked by firejail. In such cases
 # you need to allow these resources by
 #  - adding additional binaries to private-bin
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index ebdd5c1f8..47468a531 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -6,9 +6,9 @@ include softmaker-common.local
 # added by caller profile
 #include globals.local
-# The offical packages install the desktop file under /usr/local/share/applications
+# The official packages install the desktop file under /usr/local/share/applications
-# with an absolute Exec line. These files are NOT handelt by firecfg,
+# with an absolute Exec line. These files are NOT handled by firecfg,
-# therefore you must manualy copy them in you home and remove '/usr/bin/'.
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
 noblacklist ${HOME}/SoftMaker
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index e580a0c0c..7628313e0 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -204,7 +204,7 @@ include globals.local
 # Since 0.9.63 also a more granular control of dbus is supported.
 # To get the dbus-addresses an application needs access to you can
-# check with flatpak (when the application is distriputed that way):
+# check with flatpak (when the application is distributed that way):
 #    flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 #  - flatpak implicitly allows an app to own <APP-ID> on the session bus
diff --git a/src/firejail/env.c b/src/firejail/env.c
index f5e9dd980..ad16de037 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -262,7 +262,7 @@ static const char * const env_whitelist[] = {
        "LANG",
        "LANGUAGE",
        "LC_MESSAGES",
-        "PATH",
+        // "PATH",
        "DISPLAY"       // required by X11
 };
@@ -311,6 +311,10 @@ void env_apply_whitelist(void) {
                errExit("clearenv");
        env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+        // hardcoding PATH
+        if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+                errExit("setenv");
 }
 // Filter env variables for a sbox app
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5ac2da164..dd4c2139d 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -108,7 +108,7 @@ static void disable_file(OPERATION op, const char *filename) {
        }
        // check for firejail executable
-        // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
+        // we might have a file found in ${PATH} pointing to /usr/bin/firejail
        // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
        //     and expects Firefox to open in the same sandbox
        if (strcmp(BINDIR "/firejail", fname) == 0) {
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 1a9a78ceb..7d320e90b 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -93,10 +93,6 @@ char *fs_check_hosts_file(const char *fname) {
        invalid_filename(fname, 0); // no globbing
        char *rv = expand_macros(fname);
-        // no a link
-        if (is_link(rv))
-                goto errexit;
        // the user has read access to the file
        if (access(rv, R_OK))
                goto errexit;
@@ -119,9 +115,6 @@ void fs_mount_hosts_file(void) {
        struct stat s;
        if (stat("/etc/hosts", &s) == -1)
                goto errexit;
-        // not a link
-        if (is_link("/etc/hosts"))
-                goto errexit;
        // owned by root
        if (s.st_uid != 0)
                goto errexit;
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 99fbfdd0a..a869f6b64 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -551,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                if (cfg.cpus)   // not available for uid 0
                        set_cpu_affinity();
-                // set nice value
-                if (arg_nice)
-                        set_nice(cfg.nice);
                // add x11 display
                if (display) {
                        char *display_str;
@@ -573,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        dbus_set_system_bus_env();
 #endif
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
                start_application(0, shfd, NULL);
                __builtin_unreachable();
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index b7c7185a6..059100fcb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1938,7 +1938,7 @@ char *profile_list_compress(char *list)
                        /* Include non-empty item */
                        if (!*item)
                                in[i] = 0;
-                        /* Remove all allready included items */
+                        /* Remove all already included items */
                        for (k = 0; k < i; ++k)
                                in[k] = 0;
                        break;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index d0d3c25e8..a768829a1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 152975c9d..1e1dd549b 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)"
 echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
 ./rlimit-profile.exp
+echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
+./rlimit-join.exp
 echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 ./rlimit-bad.exp
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
-echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
 ./deterministic-exit-code.exp
-echo "TESTING: retain umask (test/environment/umask.exp"
+echo "TESTING: retain umask (test/environment/umask.exp)"
 (umask 123 && ./umask.exp)
diff --git a/test/environment/rlimit-join.exp b/test/environment/rlimit-join.exp
new file mode 100755
index 000000000..aa8a203c0
--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "cat /proc/self/limits\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Max open files            1234                 1234"
+}
+after 100
+send -- "exit\r"
+after 100
+puts "\nall done\n"