11 files changed, 99 insertions, 57 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index c2b035e11..dd0dc4da0 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -60,7 +60,7 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
@@ -90,7 +90,7 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
       run: sudo apt-get update -qy
     - name: install clang-tools-14 and dependencies
@@ -116,7 +116,7 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
       run: sudo apt-get update -qy
     - name: install cppcheck
@@ -138,7 +138,7 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
       run: sudo apt-get update -qy
     - name: install cppcheck
@@ -156,7 +156,7 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ea85e1109..afa8d1305 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -61,7 +61,7 @@ jobs:
           www.debian.org:443
           www.debian.org:80
           yahoo.com:1025
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8c17646a3..eec359f40 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -86,14 +86,14 @@ jobs:
           uploads.github.com:443
 
     - name: Checkout repository
-      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
 
     - name: print env
       run: ./ci/printenv.sh
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4
+      uses: github/codeql-action/init@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -104,7 +104,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@83f0fe6c4988d98a455712a27f0255212bba9bd4
+      uses: github/codeql-action/autobuild@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -118,4 +118,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4
+      uses: github/codeql-action/analyze@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 8500481cd..8418a390b 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -31,7 +31,7 @@ jobs:
         allowed-endpoints: >
           github.com:443
 
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: print env
       run: ./ci/printenv.sh
     - run: python3 --version
diff --git a/RELNOTES b/RELNOTES
index 49c2fbce0..bf56218f6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,11 +7,13 @@ firejail (0.9.73) baseline; urgency=low
   * feature: add IPv6 support for --net.print option
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
-    from containing only digits (#5578)
+    from containing only digits (#5578 #5741)
   * modif: Escape control characters of the command line (#5613)
-  * modif: Allow only letters and digits for sandbox name (--name=) and
-    host name (--hostname=)
+  * modif: Allow mostly only ASCII letters and digits for sandbox name
+    (--name=) and host name (--hostname=) (#5708 #5856)
   * modif: remove firemon --interface option (duplicating --net.print option)
+  * modif: make private-lib a configure-time option, disabled by default (see
+    --enable-private-lib) (#5727 #5732)
   * modif: Improve --version/--help & print version on startup (#5829)
   * bugfix: qutebrowser: links will not open in the existing instance (#5601
     #5618)
@@ -22,6 +24,7 @@ firejail (0.9.73) baseline; urgency=low
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
   * build: deb: enable apparmor by default & remove deb-apparmor (#5668)
   * build: Fix whitespace and add .editorconfig (#5674)
+  * build: enable compiler warnings by default (#5842)
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
@@ -29,6 +32,8 @@ firejail (0.9.73) baseline; urgency=low
   * ci: formatting and misc improvements (#5802)
   * ci: run for every branch instead of just master (#5815)
   * ci: upgrade debian:stretch to debian:buster (#5818)
+  * ci: standardize apt-get update/install & misc improvements (#5857)
+  * contrib/vim: match profile files more broadly (#5850)
   * test: split individual test groups in github workflows
   * test: add chroot, appimage and network tests in github workflows
   * docs: remove apparmor options in --help when building without apparmor
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 77e16a56b..4dbf3c194 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+apparmor /usr/bin/fdns
 caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
 # netfilter /etc/firejail/webserver.net
@@ -47,4 +48,3 @@ private-etc @tls-ca,fdns
 private-tmp
 
 memory-deny-write-execute
-restrict-namespaces
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1835d8de2..070eb47f3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2187,34 +2187,21 @@ int main(int argc, char **argv, char **envp) {
                 else if (strncmp(argv[i], "--name=", 7) == 0) {
                         cfg.name = argv[i] + 7;
                         if (strlen(cfg.name) == 0) {
-                                fprintf(stderr, "Error: please provide a name for sandbox\n");
+                                fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
                                 return 1;
                         }
-                        if (invalid_name(cfg.name) || has_cntrl_chars(cfg.name)) {
+                        if (invalid_name(cfg.name)) {
                                 fprintf(stderr, "Error: invalid sandbox name\n");
                                 return 1;
                         }
                 }
                 else if (strncmp(argv[i], "--hostname=", 11) == 0) {
                         cfg.hostname = argv[i] + 11;
-                        size_t len = strlen(cfg.hostname);
-                        if (len == 0 || len > 253) {
-                                fprintf(stderr, "Error: please provide a valid hostname for sandbox, with maximum length of 253 ASCII characters\n");
+                        if (strlen(cfg.hostname) == 0) {
+                                fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
                                 return 1;
                         }
-                        int invalid = invalid_name(cfg.hostname);
-                        char* hostname = cfg.hostname;
-                        while (*hostname && !invalid) {
-                                invalid = invalid || !(
-                                                (*hostname >= 'a' && *hostname <= 'z') ||
-                                                (*hostname >= 'A' && *hostname <= 'Z') ||
-                                                (*hostname >= '0' && *hostname <= '9') ||
-                                                (*hostname == '-' || *hostname == '.'));
-                                hostname++;
-                        }
-                        invalid = invalid || cfg.hostname[0] == '-'; // must not start with -
-                        invalid = invalid || cfg.hostname[len - 1] == '-'; // must not end with -
-                        if (invalid) {
+                        if (invalid_name(cfg.hostname)) {
                                 fprintf(stderr, "Error: invalid hostname\n");
                                 return 1;
                         }
@@ -2847,7 +2834,11 @@ int main(int argc, char **argv, char **envp) {
                         // set sandbox name and start normally
                         cfg.name = argv[i] + 16;
                         if (strlen(cfg.name) == 0) {
-                                fprintf(stderr, "Error: please provide a name for sandbox\n");
+                                fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
+                                return 1;
+                        }
+                        if (invalid_name(cfg.name)) {
+                                fprintf(stderr, "Error: invalid sandbox name\n");
                                 return 1;
                         }
                 }
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 22ee9dc3c..9c5e3ee58 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -120,7 +120,7 @@ int check_kernel_procs(void) {
 
                 // read file
                 char buf[100];
-                if (fgets(buf, 10, fp) == NULL) {
+                if (fgets(buf, 100, fp) == NULL) {
                         fwarning("cannot read %s\n", fname);
                         fclose(fp);
                         free(fname);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 202bcf4da..ae881664b 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,22 +326,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         // sandbox name
         else if (strncmp(ptr, "name ", 5) == 0) {
-                int only_numbers = 1;
                 cfg.name = ptr + 5;
                 if (strlen(cfg.name) == 0) {
-                        fprintf(stderr, "Error: invalid sandbox name\n");
+                        fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
                         exit(1);
                 }
-                const char *c = cfg.name;
-                while (*c) {
-                        if (!isdigit(*c)) {
-                                only_numbers = 0;
-                                break;
-                        }
-                        ++c;
-                }
-                if (only_numbers) {
-                        fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+                if (invalid_name(cfg.name)) {
+                        fprintf(stderr, "Error: invalid sandbox name\n");
                         exit(1);
                 }
                 return 0;
@@ -1165,6 +1156,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         // hostname
         if (strncmp(ptr, "hostname ", 9) == 0) {
                 cfg.hostname = ptr + 9;
+                if (strlen(cfg.hostname) == 0) {
+                        fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
+                        exit(1);
+                }
+                if (invalid_name(cfg.hostname)) {
+                        fprintf(stderr, "Error: invalid hostname\n");
+                        exit(1);
+                }
                 return 0;
         }
 
@@ -1647,6 +1646,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         // set sandbox name and start normally
                         cfg.name = ptr + 14;
                         if (strlen(cfg.name) == 0) {
+                                fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
+                                exit(1);
+                        }
+                        if (invalid_name(cfg.name)) {
                                 fprintf(stderr, "Error: invalid sandbox name\n");
                                 exit(1);
                         }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index a0af3d4bf..555486916 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1476,23 +1476,46 @@ int ascii_isxdigit(unsigned char c) {
         return ret;
 }
 
-// allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected
+// Note: Keep this in sync with NAME VALIDATION in src/man/firejail.txt.
+//
+// Allow only ASCII letters, digits and a few special characters; names with
+// only numbers are rejected; spaces and control characters are rejected.
 int invalid_name(const char *name) {
         const char *c = name;
-
         int only_numbers = 1;
+
+        if (strlen(name) > 253)
+                return 1;
+
+        // must start with alnum
+        if (!ascii_isalnum(*c))
+                return 1;
+        if (!ascii_isdigit(*c))
+                only_numbers = 0;
+        ++c;
+
         while (*c) {
-                if (!ascii_isalnum(*c))
-                        return 1;
-                if (!ascii_isdigit(*c))
+                switch (*c) {
+                case '-':
+                case '.':
+                case '_':
                         only_numbers = 0;
+                        break;
+                default:
+                        if (!ascii_isalnum(*c))
+                                return 1;
+                        if (!ascii_isdigit(*c))
+                                only_numbers = 0;
+                }
                 ++c;
         }
-        if (only_numbers)
+
+        // must end with alnum
+        --c;
+        if (!ascii_isalnum(*c))
                 return 1;
 
-        // restrict name to 64 chars max
-        if (strlen(name) > 64)
+        if (only_numbers)
                 return 1;
 
         return 0;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 586ef9852..19fc94ebd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -876,6 +876,8 @@ Print options end exit.
 \fB\-\-hostname=name
 Set sandbox hostname.
 .br
+For valid names, see the \fBNAME VALIDATION\fR section.
+.br
 
 .br
 Example:
@@ -1180,7 +1182,9 @@ Switching to pid 1932, the first child process inside the sandbox
 .TP
 \fB\-\-join-or-start=name
 Join the sandbox identified by name or start a new one.
-Same as "firejail --join=name" if sandbox with specified name exists, otherwise same as "firejail --name=name ..."
+Same as "firejail --join=name" if sandbox with specified name exists, otherwise
+same as "firejail --name=name ...".
+See \fB\-\-name\fR for details.
 .br
 Note that in contrary to other join options there is respective profile option.
 
@@ -1340,8 +1344,13 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
 this name to identify a sandbox.
-The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
+The name cannot contain only digits, as that is treated as a PID in the other
+options, such as in \-\-join.
+.br
+For valid names, see the \fBNAME VALIDATION\fR section.
+.br
 
+.br
 In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
 new name as "name-PID", where PID is the process ID of the sandbox. This functionality
 can be disabled at run time in /etc/firejail/firejail.config file, by setting "name-change" flag to "no".
@@ -3296,6 +3305,17 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 #endif
+.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.
+.SH NAME VALIDATION
+For simplicity, the same name validation is used for multiple options.
+Rules:
+.PP
+The name must be 1-253 characters long.
+The name can only contain ASCII letters, digits and the special characters
+"-._" (that is, the name cannot contain spaces or control characters).
+The name cannot contain only digits.
+The first and last characters must be an ASCII letter or digit and the name
+may contain special characters in the middle.
 #ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP