16 files changed, 193 insertions, 40 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1352ce3e6..e1d972d04 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@75f07e7ab2ee63cba88752d8c696324e4df67466
+      uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@75f07e7ab2ee63cba88752d8c696324e4df67466
+      uses: github/codeql-action/autobuild@883476649888a9e8e219d5b2e6b789dc024f690c
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@75f07e7ab2ee63cba88752d8c696324e4df67466
+      uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 4e460fc10..9576239f3 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -8,8 +8,13 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
 # Java
+noblacklist ${HOME}/.ammonite
+noblacklist ${HOME}/.config/jgit
+noblacklist ${HOME}/.g8
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.ivy2
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.sbt
 
 # Node.js
 noblacklist ${HOME}/.node-gyp
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 2e2f6c429..080a7f3a1 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -13,6 +13,7 @@ blacklist-nolog ${HOME}/.*_history_*
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.ammonite/history
 blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.cache/mupdf.history
 blacklist-nolog ${HOME}/.histfile
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.kde/share/apps/klipper
@@ -511,6 +512,7 @@ blacklist /usr/lib/policykit-1/polkit-agent-helper-1
 blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 blacklist /usr/lib/eject/dmcrypt-get-device
 blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/opera/opera_sandbox
 blacklist /usr/lib/vmware
 blacklist ${PATH}/suexec
 blacklist /usr/lib/squid/basic_pam_auth
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index fcd385cae..efe1b2572 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -175,6 +175,7 @@ blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/nheko
 blacklist ${HOME}/.cache/nvim
+blacklist ${HOME}/.cache/ocenaudio
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
index 26cc2a00a..acc03e93f 100644
--- a/etc/profile-a-l/cmake.profile
+++ b/etc/profile-a-l/cmake.profile
@@ -1,12 +1,15 @@
-# Firejail profile for cargo
-# Description: The Rust package manager
+# Firejail profile for cmake
+# Description: A cross-platform open-source make system
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include cargo.local
+include cmake.local
 # Persistent global definitions
 include globals.local
 
+whitelist /usr/share/cmake
+whitelist /usr/share/cmake-*
+
 memory-deny-write-execute
 
 # Redirect
diff --git a/etc/profile-m-z/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
index be94a9083..c5d94c371 100644
--- a/etc/profile-m-z/mupdf-gl.profile
+++ b/etc/profile-m-z/mupdf-gl.profile
@@ -7,7 +7,10 @@ include mupdf-gl.local
 # added by included profile
 #include globals.local
 
+noblacklist ${HOME}/.cache/mupdf.history
 noblacklist ${HOME}/.mupdf.history
 
+ignore no3d
+
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/mupdf-x11.profile b/etc/profile-m-z/mupdf-x11.profile
index 256201d0c..547aa4f2f 100644
--- a/etc/profile-m-z/mupdf-x11.profile
+++ b/etc/profile-m-z/mupdf-x11.profile
@@ -7,8 +7,5 @@ include mupdf-x11.local
 # added by included profile
 #include globals.local
 
-memory-deny-write-execute
-read-only ${HOME}
-
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 22cb83cc4..7a1f62858 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -21,6 +21,7 @@ apparmor
 caps.drop all
 machine-id
 net none
+no3d
 nodvd
 nogroups
 noinput
@@ -41,3 +42,6 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 0bfb35333..080b4c92b 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,8 +6,9 @@ include ocenaudio.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/ocenaudio
 noblacklist ${HOME}/.local/share/ocenaudio
-noblacklist ${DOCUMENTS}
+
 noblacklist ${MUSIC}
 
 include disable-common.inc
@@ -18,38 +19,44 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/ocenaudio
+mkdir ${HOME}/.local/share/ocenaudio
+whitelist ${HOME}/.cache/ocenaudio
+whitelist ${HOME}/.local/share/ocenaudio
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
-# net none - breaks update functionality and AppArmor on Ubuntu systems
-# Add 'net none' to your ocenaudio.local when you want that functionality.
-#net none
+#ipc-namespace
 netfilter
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix
+# Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking.
+protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 
-private-bin ocenaudio
+private-bin ocenaudio,ocenvst
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-opt ocenaudio
 private-tmp
 
-# breaks preferences
-# dbus-user none
-# dbus-system none
-
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index b342b3961..e52e9294d 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -17,5 +17,16 @@ whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera
 whitelist ${HOME}/.opera
 
+# https://github.com/netblue30/firejail/issues/4965
+ignore whitelist /usr/share/mozilla/extensions
+ignore whitelist /usr/share/webext
+
+# opera uses opera_sandbox instead of chrome-sandbox
+noblacklist /usr/lib/opera/opera_sandbox
+ignore noblacklist /usr/lib/chromium/chrome-sandbox
+
+# Add the below to your opera.local if you want to disable auto update
+#env OPERA_AUTOUPDATE_DISABLED=1
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
index a0926371f..560957d47 100644
--- a/etc/profile-m-z/pip.profile
+++ b/etc/profile-m-z/pip.profile
@@ -3,7 +3,7 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include meson.local
+include pip.local
 # Persistent global definitions
 include globals.local
 
@@ -12,6 +12,9 @@ ignore read-only ${HOME}/.local/lib
 # Allow python3 (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+noblacklist ${HOME}/.cache/pip
+
+#whitelist ${HOME}/.cache/pip
 #whitelist ${HOME}/.local/lib/python*
 
 # Redirect
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index ede96c9b4..88b5eaad3 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -68,8 +68,23 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
                         ptr += 7;
                 else if (strncmp(ptr, "open ", 5) == 0)
                         ptr += 5;
+                else if (strncmp(ptr, "opendir ", 8) == 0)
+                        ptr += 8;
+                else if (strncmp(ptr, "connect ", 8) == 0) {
+                        ptr += 8;
+                        // file descriptor argument
+                        if (!isdigit(*ptr))
+                                continue;
+                        while (isdigit(*ptr))
+                                ptr++;
+                        if (*ptr++ != ' ')
+                                continue;
+                        if (*ptr != '/')
+                                continue;
+                }
                 else
                         continue;
+
                 if (strncmp(ptr, dir, dir_len) != 0)
                         continue;
 
@@ -117,8 +132,19 @@ static void etc_callback(char *ptr) {
         if (strncmp(ptr, "/etc/firejail", 13) == 0)
                 return;
 
+        // extract the directory:
+        assert(strncmp(ptr, "/etc", 4) == 0);
+        ptr += 4;
+        if (*ptr != '/')
+                return;
+        ptr++;
+
+        if (*ptr == '/')        // double '/'
+                ptr++;
+        if (*ptr == '\0')
+                return;
+
         // add only top files and directories
-        ptr += 5;       // skip "/etc/"
         char *end = strchr(ptr, '/');
         if (end)
                 *end = '\0';
@@ -163,6 +189,11 @@ static char *var_skip[] = {
 static FileDB *var_out = NULL;
 static FileDB *var_skip = NULL;
 static void var_callback(char *ptr) {
+        // skip /var/lib/flatpak, /var/lib/snapd directory
+        if (strncmp(ptr, "/var/lib/flatpak", 16) == 0 ||
+            strncmp(ptr, "/var/lib/snapd", 14) == 0)
+                return;
+
         // extract the directory:
         assert(strncmp(ptr, "/var", 4) == 0);
         char *p1 = ptr + 4;
@@ -183,8 +214,6 @@ void build_var(const char *fname, FILE *fp) {
         assert(fname);
 
         var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
-        var_skip = filedb_add(var_skip, "lib/flatpak");
-        var_skip = filedb_add(var_skip, "lib/snapd");
         process_files(fname, "/var", var_callback);
 
         // always whitelist /var
@@ -193,6 +222,88 @@ void build_var(const char *fname, FILE *fp) {
         fprintf(fp, "include whitelist-var-common.inc\n");
 }
 
+//*******************************************
+// run directory
+//*******************************************
+static FileDB *run_out = NULL;
+static FileDB *run_skip = NULL;
+static void run_callback(char *ptr) {
+        // skip /run/firejail
+        if (strncmp(ptr, "/run/firejail", 13) == 0)
+                return;
+        // skip files in /run/user
+        if (strncmp(ptr, "/run/user", 9) == 0)
+                return;
+
+        // extract the directory:
+        assert(strncmp(ptr, "/run", 4) == 0);
+        char *p1 = ptr + 4;
+        if (*p1 != '/')
+                return;
+        p1++;
+
+        if (*p1 == '/') // double '/'
+                p1++;
+        if (*p1 == '\0')
+                return;
+
+        if (!filedb_find(run_skip, p1))
+                run_out = filedb_add(run_out, p1);
+}
+
+void build_run(const char *fname, FILE *fp) {
+        assert(fname);
+
+        run_skip = filedb_load_whitelist(run_skip, "whitelist-run-common.inc", "whitelist /run/");
+        process_files(fname, "/run", run_callback);
+
+        // always whitelist /run
+        if (run_out)
+                filedb_print(run_out, "whitelist /run/", fp);
+        fprintf(fp, "include whitelist-run-common.inc\n");
+}
+
+//*******************************************
+// ${RUNUSER} directory
+//*******************************************
+static char *runuser_fname = NULL;
+static FileDB *runuser_out = NULL;
+static FileDB *runuser_skip = NULL;
+static void runuser_callback(char *ptr) {
+        // extract the directory:
+        assert(runuser_fname);
+        assert(strncmp(ptr, runuser_fname, strlen(runuser_fname)) == 0);
+        char *p1 = ptr + strlen(runuser_fname);
+        if (*p1 != '/')
+                return;
+        p1++;
+
+        if (*p1 == '/') // double '/'
+                p1++;
+        if (*p1 == '\0')
+                return;
+
+        if (!filedb_find(runuser_skip, p1))
+                runuser_out = filedb_add(runuser_out, p1);
+}
+
+void build_runuser(const char *fname, FILE *fp) {
+        assert(fname);
+
+        if (asprintf(&runuser_fname, "/run/user/%d", getuid()) < 0)
+                errExit("asprintf");
+
+        if (!is_dir(runuser_fname))
+                return;
+
+        runuser_skip = filedb_load_whitelist(runuser_skip, "whitelist-runuser-common.inc", "whitelist ${RUNUSER}/");
+        process_files(fname, runuser_fname, runuser_callback);
+
+        // always whitelist /run/user/$UID
+        if (runuser_out)
+                filedb_print(runuser_out, "whitelist ${RUNUSER}/", fp);
+        fprintf(fp, "include whitelist-runuser-common.inc\n");
+}
 
 //*******************************************
 // usr/share directory
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 4fcd950c6..24cb4472c 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -122,8 +122,10 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### Filesystem Whitelisting ###\n");
-                build_share(trace_output, fp);
-                //todo: include whitelist-runuser-common.inc
+                build_run(trace_output, fp);
+                build_runuser(trace_output, fp);
+                if (!arg_appimage)
+                        build_share(trace_output, fp);
                 build_var(trace_output, fp);
                 fprintf(fp, "\n");
 
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 3e23d7854..b07209e51 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -26,7 +26,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
-
+#include <fnmatch.h>
 
 #define MAX_BUF 4096
 // main.c
@@ -46,6 +46,8 @@ void build_var(const char *fname, FILE *fp);
 void build_tmp(const char *fname, FILE *fp);
 void build_dev(const char *fname, FILE *fp);
 void build_share(const char *fname, FILE *fp);
+void build_run(const char *fname, FILE *fp);
+void build_runuser(const char *fname, FILE *fp);
 
 // build_bin.c
 void build_bin(const char *fname, FILE *fp);
@@ -61,7 +63,7 @@ char *extract_dir(char *fname);
 typedef struct filedb_t {
         struct filedb_t *next;
         char *fname;    // file name
-        int len;                // length of file name
+        unsigned len;   // length of file name
 } FileDB;
 
 FileDB *filedb_add(FileDB *head, const char *fname);
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
index 569095785..89b6980d2 100644
--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -25,17 +25,17 @@ FileDB *filedb_find(FileDB *head, const char *fname) {
         assert(fname);
         FileDB *ptr = head;
         int found = 0;
-        int len = strlen(fname);
 
         while (ptr) {
-                // exact name
-                if (strcmp(fname, ptr->fname) == 0) {
+                // ptr->fname can be a pattern, like .mutter-Xwaylandauth.*
+                // check if fname is a match
+                if (fnmatch(ptr->fname, fname, FNM_PATHNAME) == 0) {
                         found = 1;
                         break;
                 }
 
                 // parent directory in the list
-                if (len > ptr->len &&
+                if (strlen(fname) > ptr->len &&
                     fname[ptr->len] == '/' &&
                     strncmp(ptr->fname, fname, ptr->len) == 0) {
                         found = 1;
@@ -54,8 +54,6 @@ FileDB *filedb_find(FileDB *head, const char *fname) {
 FileDB *filedb_add(FileDB *head, const char *fname) {
         assert(fname);
 
-        // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.*
-
         // don't add it if it is already there or if the parent directory is already in the list
         if (filedb_find(head, fname))
                 return head;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 228d0c91c..1d028b8ac 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -185,23 +185,27 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
 \fB\-\-build
-The command builds a whitelisted profile. The profile is printed on the screen. The program is run in a very relaxed sandbox, with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported.
+The command builds a whitelisted profile. The profile is printed on the screen. The program is run in a very relaxed sandbox, with only \-\-caps.drop=all and \-\-seccomp=!chroot. Programs that raise user privileges are not supported.
 .br
 
 .br
 Example:
 .br
-$ firejail --build vlc ~/Videos/test.mp4
+$ firejail \-\-build vlc ~/Videos/test.mp4
+.br
+$ firejail \-\-build \-\-appimage ~/Downloads/Subsurface.AppImage
 .TP
 \fB\-\-build=profile-file
 The command builds a whitelisted profile, and saves it in profile-file. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported.
+with only \-\-caps.drop=all and \-\-seccomp=!chroot. Programs that raise user privileges are not supported.
 .br
 
 .br
 Example:
 .br
-$ firejail --build=vlc.profile vlc ~/Videos/test.mp4
+$ firejail \-\-build=vlc.profile vlc ~/Videos/test.mp4
+.br
+$ firejail \-\-build=Subsurface.profile \-\-appimage ~/Downloads/Subsurface.AppImage
 .TP
 \fB\-c
 Login shell compatibility option. This option is use by some login programs when executing