-rw-r--r--.github/ISSUE_TEMPLATE/bug_report.md77
-rw-r--r--.github/ISSUE_TEMPLATE/config.yml5
-rw-r--r--.github/ISSUE_TEMPLATE/feature_request.md23
-rw-r--r--.github/pull_request_template.md1
-rw-r--r--.github/workflows/sort.yml1
-rw-r--r--COPYING85
-rw-r--r--README44
-rw-r--r--README.md87
-rw-r--r--RELNOTES13
-rw-r--r--SECURITY.md35
-rwxr-xr-xconfigure56
-rw-r--r--configure.ac11
-rwxr-xr-xcontrib/fix_private-bin.py2
-rwxr-xr-xcontrib/gdb-firejail.sh2
-rwxr-xr-xcontrib/sort.py2
-rw-r--r--contrib/vim/syntax/firejail.vim2
-rw-r--r--etc-fixes/0.9.58/atom.profile1
-rw-r--r--etc-fixes/seccomp-join-bug/README1
-rw-r--r--etc/apparmor/firejail-default2
-rw-r--r--etc/firejail.config5
-rw-r--r--etc/inc/allow-common-devel.inc5
-rw-r--r--etc/inc/allow-ruby.inc1
-rw-r--r--etc/inc/disable-devel.inc2
-rw-r--r--etc/inc/disable-interpreters.inc1
-rw-r--r--etc/inc/disable-programs.inc8
-rw-r--r--etc/inc/whitelist-run-common.inc1
-rw-r--r--etc/profile-a-l/Books.profile5
-rw-r--r--etc/profile-a-l/abiword.profile2
-rw-r--r--etc/profile-a-l/agetpkg.profile2
-rw-r--r--etc/profile-a-l/alacarte.profile2
-rw-r--r--etc/profile-a-l/amarok.profile2
-rw-r--r--etc/profile-a-l/amule.profile1
-rw-r--r--etc/profile-a-l/anki.profile2
-rw-r--r--etc/profile-a-l/aria2c.profile2
-rw-r--r--etc/profile-a-l/arm.profile2
-rw-r--r--etc/profile-a-l/artha.profile2
-rw-r--r--etc/profile-a-l/atool.profile2
-rw-r--r--etc/profile-a-l/atril.profile2
-rw-r--r--etc/profile-a-l/authenticator-rs.profile2
-rw-r--r--etc/profile-a-l/authenticator.profile2
-rw-r--r--etc/profile-a-l/balsa.profile4
-rw-r--r--etc/profile-a-l/bibletime.profile2
-rw-r--r--etc/profile-a-l/bitwarden.profile2
-rw-r--r--etc/profile-a-l/bless.profile2
-rw-r--r--etc/profile-a-l/blobby.profile2
-rw-r--r--etc/profile-a-l/blobwars.profile2
-rw-r--r--etc/profile-a-l/bsdtar.profile2
-rw-r--r--etc/profile-a-l/build-systems-common.profile66
-rw-r--r--etc/profile-a-l/bundle.profile23
-rw-r--r--etc/profile-a-l/cameramonitor.profile2
-rw-r--r--etc/profile-a-l/cargo.profile56
-rw-r--r--etc/profile-a-l/cawbird.profile2
-rw-r--r--etc/profile-a-l/celluloid.profile2
-rw-r--r--etc/profile-a-l/cheese.profile14
-rw-r--r--etc/profile-a-l/clawsker.profile2
-rw-r--r--etc/profile-a-l/cmake.profile13
-rw-r--r--etc/profile-a-l/cmus.profile2
-rw-r--r--etc/profile-a-l/codium.profile10
-rw-r--r--etc/profile-a-l/cola.profile2
-rw-r--r--etc/profile-a-l/com.github.bleakgrey.tootle.profile2
-rw-r--r--etc/profile-a-l/com.github.dahenson.agenda.profile2
-rw-r--r--etc/profile-a-l/com.github.johnfactotum.Foliate.profile2
-rw-r--r--etc/profile-a-l/coyim.profile2
-rw-r--r--etc/profile-a-l/crow.profile2
-rw-r--r--etc/profile-a-l/d-feet.profile2
-rw-r--r--etc/profile-a-l/dbus-send.profile2
-rw-r--r--etc/profile-a-l/dconf-editor.profile2
-rw-r--r--etc/profile-a-l/dconf.profile2
-rw-r--r--etc/profile-a-l/ddgtk.profile2
-rw-r--r--etc/profile-a-l/devhelp.profile2
-rw-r--r--etc/profile-a-l/devilspie.profile2
-rw-r--r--etc/profile-a-l/discord-common.profile2
-rw-r--r--etc/profile-a-l/display.profile2
-rw-r--r--etc/profile-a-l/drawio.profile2
-rw-r--r--etc/profile-a-l/easystroke.profile2
-rw-r--r--etc/profile-a-l/electron-mail.profile2
-rw-r--r--etc/profile-a-l/electrum.profile2
-rw-r--r--etc/profile-a-l/email-common.profile4
-rw-r--r--etc/profile-a-l/enchant.profile2
-rw-r--r--etc/profile-a-l/eo-common.profile2
-rw-r--r--etc/profile-a-l/eog.profile2
-rw-r--r--etc/profile-a-l/equalx.profile2
-rw-r--r--etc/profile-a-l/evince.profile4
-rw-r--r--etc/profile-a-l/exiftool.profile2
-rw-r--r--etc/profile-a-l/falkon.profile2
-rw-r--r--etc/profile-a-l/feh-network.inc.profile2
-rw-r--r--etc/profile-a-l/feh.profile2
-rw-r--r--etc/profile-a-l/ffplay.profile2
-rw-r--r--etc/profile-a-l/file-roller.profile2
-rw-r--r--etc/profile-a-l/flameshot.profile6
-rw-r--r--etc/profile-a-l/freetube.profile2
-rw-r--r--etc/profile-a-l/frogatto.profile2
-rw-r--r--etc/profile-a-l/gajim.profile2
-rw-r--r--etc/profile-a-l/galculator.profile2
-rw-r--r--etc/profile-a-l/gallery-dl.profile2
-rw-r--r--etc/profile-a-l/gapplication.profile2
-rw-r--r--etc/profile-a-l/gcloud.profile2
-rw-r--r--etc/profile-a-l/gconf.profile2
-rw-r--r--etc/profile-a-l/geary.profile2
-rw-r--r--etc/profile-a-l/geekbench.profile14
-rw-r--r--etc/profile-a-l/gget.profile2
-rw-r--r--etc/profile-a-l/gist.profile2
-rw-r--r--etc/profile-a-l/git-cola.profile2
-rw-r--r--etc/profile-a-l/gitter.profile2
-rw-r--r--etc/profile-a-l/gmpc.profile2
-rw-r--r--etc/profile-a-l/gnome-calendar.profile2
-rw-r--r--etc/profile-a-l/gnome-chess.profile2
-rw-r--r--etc/profile-a-l/gnome-clocks.profile2
-rw-r--r--etc/profile-a-l/gnome-hexgl.profile2
-rw-r--r--etc/profile-a-l/gnome-latex.profile2
-rw-r--r--etc/profile-a-l/gnome-logs.profile2
-rw-r--r--etc/profile-a-l/gnome-music.profile2
-rw-r--r--etc/profile-a-l/gnome-passwordsafe.profile2
-rw-r--r--etc/profile-a-l/gnome-pie.profile2
-rw-r--r--etc/profile-a-l/gnome-recipes.profile2
-rw-r--r--etc/profile-a-l/gnome-screenshot.profile2
-rw-r--r--etc/profile-a-l/gnome-sound-recorder.profile2
-rw-r--r--etc/profile-a-l/gnome-system-log.profile2
-rw-r--r--etc/profile-a-l/gnome-todo.profile2
-rw-r--r--etc/profile-a-l/gnome_games-common.profile2
-rw-r--r--etc/profile-a-l/gnote.profile2
-rw-r--r--etc/profile-a-l/gnubik.profile2
-rw-r--r--etc/profile-a-l/godot.profile2
-rw-r--r--etc/profile-a-l/goldendict.profile57
-rw-r--r--etc/profile-a-l/googler-common.profile2
-rw-r--r--etc/profile-a-l/gpicview.profile2
-rw-r--r--etc/profile-a-l/gpredict.profile2
-rw-r--r--etc/profile-a-l/gradio.profile2
-rw-r--r--etc/profile-a-l/gravity-beams-and-evaporating-stars.profile2
-rw-r--r--etc/profile-a-l/gtk-update-icon-cache.profile2
-rw-r--r--etc/profile-a-l/gwenview.profile2
-rw-r--r--etc/profile-a-l/hyperrogue.profile2
-rw-r--r--etc/profile-a-l/i2prouter.profile2
-rw-r--r--etc/profile-a-l/inkscape.profile1
-rw-r--r--etc/profile-a-l/ipcalc.profile2
-rw-r--r--etc/profile-a-l/jerry.profile2
-rw-r--r--etc/profile-a-l/jumpnbump.profile2
-rw-r--r--etc/profile-a-l/kalgebra.profile2
-rw-r--r--etc/profile-a-l/kazam.profile2
-rw-r--r--etc/profile-a-l/kcalc.profile2
-rw-r--r--etc/profile-a-l/kdiff3.profile2
-rw-r--r--etc/profile-a-l/keepassx.profile2
-rw-r--r--etc/profile-a-l/keepassxc.profile7
-rw-r--r--etc/profile-a-l/kid3.profile2
-rw-r--r--etc/profile-a-l/kiwix-desktop.profile2
-rw-r--r--etc/profile-a-l/klavaro.profile2
-rw-r--r--etc/profile-a-l/ktouch.profile2
-rw-r--r--etc/profile-a-l/kube.profile2
-rw-r--r--etc/profile-a-l/kwin_x11.profile2
-rw-r--r--etc/profile-a-l/kwrite.profile2
-rw-r--r--etc/profile-a-l/librewolf.profile1
-rw-r--r--etc/profile-a-l/links-common.profile4
-rw-r--r--etc/profile-a-l/lollypop.profile2
-rw-r--r--etc/profile-a-l/lyx.profile2
-rw-r--r--etc/profile-m-z/QOwnNotes.profile2
-rw-r--r--etc/profile-m-z/Viber.profile2
-rw-r--r--etc/profile-m-z/Xvfb.profile2
-rw-r--r--etc/profile-m-z/magicor.profile2
-rw-r--r--etc/profile-m-z/make.profile13
-rw-r--r--etc/profile-m-z/man.profile2
-rw-r--r--etc/profile-m-z/masterpdfeditor.profile2
-rw-r--r--etc/profile-m-z/mate-calc.profile2
-rw-r--r--etc/profile-m-z/mate-color-select.profile2
-rw-r--r--etc/profile-m-z/mate-dictionary.profile2
-rw-r--r--etc/profile-m-z/mcabber.profile2
-rw-r--r--etc/profile-m-z/mdr.profile2
-rw-r--r--etc/profile-m-z/mediainfo.profile2
-rw-r--r--etc/profile-m-z/menulibre.profile2
-rw-r--r--etc/profile-m-z/meson.profile14
-rw-r--r--etc/profile-m-z/microsoft-edge-beta.profile2
-rw-r--r--etc/profile-m-z/mindless.profile2
-rw-r--r--etc/profile-m-z/mirrormagic.profile2
-rw-r--r--etc/profile-m-z/mocp.profile2
-rw-r--r--etc/profile-m-z/mp3splt-gtk.profile2
-rw-r--r--etc/profile-m-z/mp3splt.profile2
-rw-r--r--etc/profile-m-z/mpDris2.profile2
-rw-r--r--etc/profile-m-z/mpv.profile2
-rw-r--r--etc/profile-m-z/mrrescue.profile2
-rw-r--r--etc/profile-m-z/ms-office.profile2
-rw-r--r--etc/profile-m-z/mupdf-x11-curl.profile2
-rw-r--r--etc/profile-m-z/musixmatch.profile4
-rw-r--r--etc/profile-m-z/mutt.profile2
-rw-r--r--etc/profile-m-z/mypaint.profile2
-rw-r--r--etc/profile-m-z/nano.profile2
-rw-r--r--etc/profile-m-z/neochat.profile2
-rw-r--r--etc/profile-m-z/neomutt.profile2
-rw-r--r--etc/profile-m-z/netactview.profile2
-rw-r--r--etc/profile-m-z/newsboat.profile2
-rw-r--r--etc/profile-m-z/nextcloud.profile5
-rw-r--r--etc/profile-m-z/nheko.profile10
-rw-r--r--etc/profile-m-z/nitroshare.profile2
-rw-r--r--etc/profile-m-z/nomacs.profile2
-rw-r--r--etc/profile-m-z/notify-send.profile2
-rw-r--r--etc/profile-m-z/nuclear.profile2
-rw-r--r--etc/profile-m-z/nyx.profile2
-rw-r--r--etc/profile-m-z/ocenaudio.profile2
-rw-r--r--etc/profile-m-z/odt2txt.profile2
-rw-r--r--etc/profile-m-z/okular.profile2
-rw-r--r--etc/profile-m-z/onboard.profile2
-rw-r--r--etc/profile-m-z/openarena.profile2
-rw-r--r--etc/profile-m-z/pandoc.profile7
-rw-r--r--etc/profile-m-z/parole.profile2
-rw-r--r--etc/profile-m-z/pavucontrol.profile2
-rw-r--r--etc/profile-m-z/pdfchain.profile2
-rw-r--r--etc/profile-m-z/pdftotext.profile2
-rw-r--r--etc/profile-m-z/peek.profile2
-rw-r--r--etc/profile-m-z/photoflare.profile2
-rw-r--r--etc/profile-m-z/pingus.profile2
-rw-r--r--etc/profile-m-z/pip.profile18
-rw-r--r--etc/profile-m-z/pkglog.profile2
-rw-r--r--etc/profile-m-z/plv.profile2
-rw-r--r--etc/profile-m-z/pngquant.profile2
-rw-r--r--etc/profile-m-z/pragha.profile2
-rw-r--r--etc/profile-m-z/profanity.profile2
-rw-r--r--etc/profile-m-z/psi.profile2
-rw-r--r--etc/profile-m-z/qgis.profile2
-rw-r--r--etc/profile-m-z/qnapi.profile2
-rw-r--r--etc/profile-m-z/qrencode.profile2
-rw-r--r--etc/profile-m-z/qtox.profile2
-rw-r--r--etc/profile-m-z/regextester.profile2
-rw-r--r--etc/profile-m-z/rsync-download_only.profile2
-rw-r--r--etc/profile-m-z/scorchwentbonkers.profile2
-rw-r--r--etc/profile-m-z/seahorse-adventures.profile2
-rw-r--r--etc/profile-m-z/seahorse-tool.profile2
-rw-r--r--etc/profile-m-z/shotwell.profile2
-rw-r--r--etc/profile-m-z/slack.profile2
-rw-r--r--etc/profile-m-z/smuxi-frontend-gnome.profile2
-rw-r--r--etc/profile-m-z/softmaker-common.profile6
-rw-r--r--etc/profile-m-z/spectacle.profile4
-rw-r--r--etc/profile-m-z/spectral.profile8
-rw-r--r--etc/profile-m-z/spotify.profile2
-rw-r--r--etc/profile-m-z/sqlitebrowser.profile2
-rw-r--r--etc/profile-m-z/standardnotes-desktop.profile2
-rw-r--r--etc/profile-m-z/straw-viewer.profile2
-rw-r--r--etc/profile-m-z/strawberry.profile2
-rw-r--r--etc/profile-m-z/subdownloader.profile2
-rw-r--r--etc/profile-m-z/supertux2.profile2
-rw-r--r--etc/profile-m-z/supertuxkart.profile2
-rw-r--r--etc/profile-m-z/surf.profile2
-rw-r--r--etc/profile-m-z/sway.profile2
-rw-r--r--etc/profile-m-z/sysprof.profile2
-rw-r--r--etc/profile-m-z/tar.profile2
-rw-r--r--etc/profile-m-z/teams-for-linux.profile2
-rw-r--r--etc/profile-m-z/telegram.profile6
-rw-r--r--etc/profile-m-z/tilp.profile2
-rw-r--r--etc/profile-m-z/tin.profile2
-rw-r--r--etc/profile-m-z/tor.profile2
-rw-r--r--etc/profile-m-z/transgui.profile2
-rw-r--r--etc/profile-m-z/transmission-cli.profile2
-rw-r--r--etc/profile-m-z/transmission-daemon.profile2
-rw-r--r--etc/profile-m-z/transmission-remote-gtk.profile2
-rw-r--r--etc/profile-m-z/transmission-remote.profile2
-rw-r--r--etc/profile-m-z/transmission-show.profile2
-rw-r--r--etc/profile-m-z/trojita.profile2
-rw-r--r--etc/profile-m-z/twitch.profile2
-rw-r--r--etc/profile-m-z/unf.profile2
-rw-r--r--etc/profile-m-z/unrar.profile2
-rw-r--r--etc/profile-m-z/unzip.profile2
-rw-r--r--etc/profile-m-z/utox.profile2
-rw-r--r--etc/profile-m-z/viewnior.profile2
-rw-r--r--etc/profile-m-z/virtualbox.profile2
-rw-r--r--etc/profile-m-z/vmware.profile2
-rw-r--r--etc/profile-m-z/vscodium.profile4
-rw-r--r--etc/profile-m-z/w3m.profile2
-rw-r--r--etc/profile-m-z/warmux.profile2
-rw-r--r--etc/profile-m-z/whalebird.profile2
-rw-r--r--etc/profile-m-z/whois.profile2
-rw-r--r--etc/profile-m-z/wire-desktop.profile2
-rw-r--r--etc/profile-m-z/wordwarvi.profile2
-rw-r--r--etc/profile-m-z/xbill.profile2
-rw-r--r--etc/profile-m-z/xfce4-mixer.profile2
-rw-r--r--etc/profile-m-z/xfce4-screenshooter.profile2
-rw-r--r--etc/profile-m-z/xiphos.profile2
-rw-r--r--etc/profile-m-z/xlinks.profile2
-rw-r--r--etc/profile-m-z/xlinks22
-rw-r--r--etc/profile-m-z/xmr-stak.profile2
-rw-r--r--etc/profile-m-z/xournal.profile2
-rw-r--r--etc/profile-m-z/xreader.profile2
-rw-r--r--etc/profile-m-z/yelp.profile2
-rw-r--r--etc/profile-m-z/youtube-dl-gui.profile2
-rw-r--r--etc/profile-m-z/youtube-dl.profile2
-rw-r--r--etc/profile-m-z/youtube-viewer.profile2
-rw-r--r--etc/profile-m-z/youtube-viewers-common.profile2
-rw-r--r--etc/profile-m-z/youtube.profile2
-rw-r--r--etc/profile-m-z/youtubemusic-nativefier.profile2
-rw-r--r--etc/profile-m-z/yt-dlp.profile2
-rw-r--r--etc/profile-m-z/ytmdesktop.profile2
-rw-r--r--etc/profile-m-z/zulip.profile2
-rw-r--r--etc/templates/profile.template2
-rwxr-xr-xgcov.sh6
-rwxr-xr-xlinecnt.sh4
-rw-r--r--src/bash_completion/firejail.bash_completion.in8
-rw-r--r--src/fbuilder/build_fs.c11
-rw-r--r--src/fbuilder/build_home.c4
-rw-r--r--src/fbuilder/build_profile.c2
-rw-r--r--src/fcopy/main.c3
-rw-r--r--src/fids/fids.h2
-rw-r--r--src/firecfg/firecfg.config2
-rw-r--r--src/firejail/cgroup.c83
-rw-r--r--src/firejail/checkcfg.c2
-rw-r--r--src/firejail/chroot.c2
-rw-r--r--src/firejail/env.c7
-rw-r--r--src/firejail/firejail.h24
-rw-r--r--src/firejail/fs.c430
-rw-r--r--src/firejail/fs_dev.c3
-rw-r--r--src/firejail/fs_home.c12
-rw-r--r--src/firejail/fs_hostname.c12
-rw-r--r--src/firejail/fs_lib.c5
-rw-r--r--src/firejail/fs_lib2.c6
-rw-r--r--src/firejail/fs_overlayfs.c470
-rw-r--r--src/firejail/fs_trace.c36
-rw-r--r--src/firejail/fs_var.c7
-rw-r--r--src/firejail/fs_whitelist.c59
-rw-r--r--src/firejail/ids.c2
-rw-r--r--src/firejail/join.c22
-rw-r--r--src/firejail/ls.c2
-rw-r--r--src/firejail/main.c29
-rw-r--r--src/firejail/mountinfo.c216
-rw-r--r--src/firejail/profile.c27
-rw-r--r--src/firejail/restrict_users.c1
-rw-r--r--src/firejail/sandbox.c32
-rw-r--r--src/firejail/selinux.c21
-rw-r--r--src/firejail/usage.c32
-rw-r--r--src/firejail/util.c180
-rw-r--r--src/jailcheck/jailcheck.h2
-rw-r--r--src/jailcheck/noexec.c2
-rw-r--r--src/libtrace/libtrace.c14
-rw-r--r--src/man/firejail-profile.txt124
-rw-r--r--src/man/firejail.txt174
-rw-r--r--src/man/firemon.txt2
-rw-r--r--src/tools/profcleaner.c2
-rw-r--r--src/zsh_completion/_firejail.in2
-rwxr-xr-xtest/environment/environment.sh7
-rwxr-xr-xtest/environment/rlimit-join.exp36
-rwxr-xr-xtest/utils/build.exp2
335 files changed, 1976 insertions, 1483 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 3700dac20..eb485b8a2 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,54 +7,83 @@ assignees: ''
7 7
8--- 8---
9 9
10Write clear, concise and in textual form. 10<!--
11See the following links for help with formatting:
11 12
12### Bug and expected behavior 13https://guides.github.com/features/mastering-markdown/
14https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
15-->
13 16
14- Describe the bug. 17### Description
15- What did you expect to happen?
16 18
17### No profile and disabling firejail 19_Describe the bug_
18 20
19- What changed calling `firejail --noprofile /path/to/program` in a terminal? 21### Steps to Reproduce
20- What changed calling the program by path (e.g. `/usr/bin/vlc`)?
21 22
22### Reproduce 23_Steps to reproduce the behavior_
23 24
24Steps to reproduce the behavior: 251. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody)
262. Click on '....'
273. Scroll down to '....'
284. See error `ERROR`
25 29
261. Run in bash `firejail PROGRAM` 30### Expected behavior
272. See error `ERROR`
283. Click on '....'
294. Scroll down to '....'
30 31
31### Environment 32_What you expected to happen_
33
34### Actual behavior
35
36_What actually happened_
32 37
33- Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) 38### Behavior without a profile
34- Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) 39
40_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_
35 41
36### Additional context 42### Additional context
37 43
38Other context about the problem like related errors to understand the problem. 44_Any other detail that may help to understand/debug the problem_
45
46### Environment
47
48- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
49- Firejail version (`firejail --version`).
50- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`).
39 51
40### Checklist 52### Checklist
41 53
42- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). 54<!--
55Note: Items are checked with an "x", like so:
56
57- [x] This is a checked item.
58-->
59
60- [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
61- [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
43- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) 62- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
63- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
44- [ ] I have performed a short search for similar issues (to avoid opening a duplicate). 64- [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
45- [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. 65 - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
46- [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. 66- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)
47- [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
48- [ ] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
49 67
50### Log 68### Log
51 69
52<details> 70<details>
53<summary>debug output</summary> 71<summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary>
72<p>
73
74```
75output goes here
76```
77
78</p>
79</details>
80
81<details>
82<summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary>
54<p> 83<p>
55 84
56``` 85```
57OUTPUT OF `firejail --debug PROGRAM` 86output goes here
58``` 87```
59 88
60</p> 89</p>
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 000000000..b8fe40acd
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
1blank_issues_enabled: true
2contact_links:
3 - name: Question
4 url: https://github.com/netblue30/firejail/discussions
5 about: For questions you should use GitHub Discussions.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 000000000..a723cdbde
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,23 @@
1---
2name: Feature request
3about: Suggest an idea for this project
4title: ''
5labels: ''
6assignees: ''
7---
8
9### Is your feature request related to a problem? Please describe.
10
11_A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_
12
13### Describe the solution you'd like
14
15_A clear and concise description of what you want to happen._
16
17### Describe alternatives you've considered
18
19_A clear and concise description of any alternative solutions or features you've considered._
20
21### Additional context
22
23_Add any other context or screenshots about the feature request here._
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 57ac2e9c4..7cb92a938 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,3 @@
1
2If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. 1If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
3 2
4If you submit a PR for new profiles or changing profiles, please do the following: 3If you submit a PR for new profiles or changing profiles, please do the following:
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
index f3ded0f22..cfa40d2d2 100644
--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -19,4 +19,3 @@ jobs:
19 - uses: actions/checkout@v2 19 - uses: actions/checkout@v2
20 - name: check profiles 20 - name: check profiles
21 run: ./contrib/sort.py etc/*/{*.inc,*.profile} 21 run: ./contrib/sort.py etc/*/{*.inc,*.profile}
22
diff --git a/COPYING b/COPYING
index b6e1c33e0..d159169d1 100644
--- a/COPYING
+++ b/COPYING
@@ -1,12 +1,12 @@
1 GNU GENERAL PUBLIC LICENSE 1 GNU GENERAL PUBLIC LICENSE
2 Version 2, June 1991 2 Version 2, June 1991
3 3
4 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 4 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
5 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 5 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6 Everyone is permitted to copy and distribute verbatim copies 6 Everyone is permitted to copy and distribute verbatim copies
7 of this license document, but changing it is not allowed. 7 of this license document, but changing it is not allowed.
8 8
9 Preamble 9 Preamble
10 10
11 The licenses for most software are designed to take away your 11 The licenses for most software are designed to take away your
12freedom to share and change it. By contrast, the GNU General Public 12freedom to share and change it. By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This
15General Public License applies to most of the Free Software 15General Public License applies to most of the Free Software
16Foundation's software and to any other program whose authors commit to 16Foundation's software and to any other program whose authors commit to
17using it. (Some other Free Software Foundation software is covered by 17using it. (Some other Free Software Foundation software is covered by
18the GNU Library General Public License instead.) You can apply it to 18the GNU Lesser General Public License instead.) You can apply it to
19your programs, too. 19your programs, too.
20 20
21 When we speak of free software, we are referring to freedom, not 21 When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
55 55
56 The precise terms and conditions for copying, distribution and 56 The precise terms and conditions for copying, distribution and
57modification follow. 57modification follow.
58 58
59 GNU GENERAL PUBLIC LICENSE 59 GNU GENERAL PUBLIC LICENSE
60 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 60 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
61 61
62 0. This License applies to any program or other work which contains 62 0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
110 License. (Exception: if the Program itself is interactive but 110 License. (Exception: if the Program itself is interactive but
111 does not normally print such an announcement, your work based on 111 does not normally print such an announcement, your work based on
112 the Program is not required to print an announcement.) 112 the Program is not required to print an announcement.)
113 113
114These requirements apply to the modified work as a whole. If 114These requirements apply to the modified work as a whole. If
115identifiable sections of that work are not derived from the Program, 115identifiable sections of that work are not derived from the Program,
116and can be reasonably considered independent and separate works in 116and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
168access to copy the source code from the same place counts as 168access to copy the source code from the same place counts as
169distribution of the source code, even though third parties are not 169distribution of the source code, even though third parties are not
170compelled to copy the source along with the object code. 170compelled to copy the source along with the object code.
171 171
172 4. You may not copy, modify, sublicense, or distribute the Program 172 4. You may not copy, modify, sublicense, or distribute the Program
173except as expressly provided under this License. Any attempt 173except as expressly provided under this License. Any attempt
174otherwise to copy, modify, sublicense or distribute the Program is 174otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
225 225
226This section is intended to make thoroughly clear what is believed to 226This section is intended to make thoroughly clear what is believed to
227be a consequence of the rest of this License. 227be a consequence of the rest of this License.
228 228
229 8. If the distribution and/or use of the Program is restricted in 229 8. If the distribution and/or use of the Program is restricted in
230certain countries either by patents or by copyrighted interfaces, the 230certain countries either by patents or by copyrighted interfaces, the
231original copyright holder who places the Program under this License 231original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this. Our decision will be guided by the two goals
255of preserving the free status of all derivatives of our free software and 255of preserving the free status of all derivatives of our free software and
256of promoting the sharing and reuse of software generally. 256of promoting the sharing and reuse of software generally.
257 257
258 NO WARRANTY 258 NO WARRANTY
259 259
260 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 260 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 261FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 277PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278POSSIBILITY OF SUCH DAMAGES. 278POSSIBILITY OF SUCH DAMAGES.
279 279
280 END OF TERMS AND CONDITIONS 280 END OF TERMS AND CONDITIONS
281
282 How to Apply These Terms to Your New Programs
283
284 If you develop a new program, and you want it to be of the greatest
285possible use to the public, the best way to achieve this is to make it
286free software which everyone can redistribute and change under these terms.
287
288 To do so, attach the following notices to the program. It is safest
289to attach them to the start of each source file to most effectively
290convey the exclusion of warranty; and each file should have at least
291the "copyright" line and a pointer to where the full notice is found.
292
293 <one line to give the program's name and a brief idea of what it does.>
294 Copyright (C) <year> <name of author>
295
296 This program is free software; you can redistribute it and/or modify
297 it under the terms of the GNU General Public License as published by
298 the Free Software Foundation; either version 2 of the License, or
299 (at your option) any later version.
300
301 This program is distributed in the hope that it will be useful,
302 but WITHOUT ANY WARRANTY; without even the implied warranty of
303 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
304 GNU General Public License for more details.
305
306 You should have received a copy of the GNU General Public License along
307 with this program; if not, write to the Free Software Foundation, Inc.,
308 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309
310Also add information on how to contact you by electronic and paper mail.
311
312If the program is interactive, make it output a short notice like this
313when it starts in an interactive mode:
314
315 Gnomovision version 69, Copyright (C) year name of author
316 Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 This is free software, and you are welcome to redistribute it
318 under certain conditions; type `show c' for details.
319
320The hypothetical commands `show w' and `show c' should show the appropriate
321parts of the General Public License. Of course, the commands you use may
322be called something other than `show w' and `show c'; they could even be
323mouse-clicks or menu items--whatever suits your program.
324
325You should also get your employer (if you work as a programmer) or your
326school, if any, to sign a "copyright disclaimer" for the program, if
327necessary. Here is a sample; alter the names:
328
329 Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 `Gnomovision' (which makes passes at compilers) written by James Hacker.
331
332 <signature of Ty Coon>, 1 April 1989
333 Ty Coon, President of Vice
334
335This General Public License does not permit incorporating your program into
336proprietary programs. If your program is a subroutine library, you may
337consider it more useful to permit linking proprietary applications with the
338library. If this is what you want to do, use the GNU Lesser General
339Public License instead of this License.
diff --git a/README b/README
index a15e493ff..04d2c7001 100644
--- a/README
+++ b/README
@@ -1,13 +1,13 @@
1Firejail is a SUID sandbox program that reduces the risk of security 1Firejail is a SUID sandbox program that reduces the risk of security
2breaches by restricting the running environment of untrusted applications 2breaches by restricting the running environment of untrusted applications
3using Linux namespaces and seccomp-bpf. It includes sandbox profiles for 3using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
4Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, 4Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
5VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. 5VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
6DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, 6DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
7Pidgin, Quassel, and XChat. 7Pidgin, Quassel, and XChat.
8 8
9Firejail also expands the restricted shell facility found in bash by adding 9Firejail also expands the restricted shell facility found in bash by adding
10Linux namespace support. It supports sandboxing specific users upon login. 10Linux namespace support. It supports sandboxing specific users upon login.
11 11
12Download: https://sourceforge.net/projects/firejail/files/ 12Download: https://sourceforge.net/projects/firejail/files/
13Build and install: ./configure && make && sudo make install 13Build and install: ./configure && make && sudo make install
@@ -68,6 +68,8 @@ Firejail Authors (alphabetical order)
68 - fix flameshot raw screenshots 68 - fix flameshot raw screenshots
691dnrr (https://github.com/1dnrr) 691dnrr (https://github.com/1dnrr)
70 - add pybitmessage profile 70 - add pybitmessage profile
71a1346054 (https://github.com/a1346054)
72 - add missing final newlines in various files
71Ádler Jonas Gross (https://github.com/adgross) 73Ádler Jonas Gross (https://github.com/adgross)
72 - AppArmor fix 74 - AppArmor fix
73Adrian L. Shaw (https://github.com/adrianlshaw) 75Adrian L. Shaw (https://github.com/adrianlshaw)
@@ -221,6 +223,8 @@ Carlo Abelli (https://github.com/carloabelli)
221 - fixed simple-scan 223 - fixed simple-scan
222Cat (https://github.com/ecat3) 224Cat (https://github.com/ecat3)
223 - prevent tmux connecting to an existing session 225 - prevent tmux connecting to an existing session
226cayday (https://github.com/caydey)
227 - added ~/Private blacklist in disable-common.inc
224Christian Pinedo (https://github.com/chrpinedo) 228Christian Pinedo (https://github.com/chrpinedo)
225 - added nicotine profile 229 - added nicotine profile
226 - allow python3 in totem profile 230 - allow python3 in totem profile
@@ -246,6 +250,8 @@ crass (https://github.com/crass)
246 - extract_command_name fixes 250 - extract_command_name fixes
247 - update appimage size calculation to newest code from libappimage 251 - update appimage size calculation to newest code from libappimage
248 - firejail should look for processes with names exactly named 252 - firejail should look for processes with names exactly named
253croket (https://github.com/crocket)
254 - fix librewolf profile
249curiosity-seeker (https://github.com/curiosity-seeker - old) 255curiosity-seeker (https://github.com/curiosity-seeker - old)
250curiosityseeker (https://github.com/curiosityseeker - new) 256curiosityseeker (https://github.com/curiosityseeker - new)
251 - tightening unbound and dnscrypt-proxy profiles 257 - tightening unbound and dnscrypt-proxy profiles
@@ -304,6 +310,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
304 - fix qt5ct colour schemes and QSS 310 - fix qt5ct colour schemes and QSS
305Disconnect3d (https://github.com/disconnect3d) 311Disconnect3d (https://github.com/disconnect3d)
306 - code cleanup 312 - code cleanup
313dm9pZCAq (https://github.com/dm9pZCAq)
314 - fix for compilation under musl
307dmfreemon (https://github.com/dmfreemon) 315dmfreemon (https://github.com/dmfreemon)
308 - add sandbox name or name of private directory to the window title when xpra is used 316 - add sandbox name or name of private directory to the window title when xpra is used
309 - handle malloc() failures; use gnu_basename() instead of basenaem() 317 - handle malloc() failures; use gnu_basename() instead of basenaem()
@@ -454,7 +462,7 @@ hawkey116477 (https://github.com/hawkeye116477)
454Helmut Grohne (https://github.com/helmutg) 462Helmut Grohne (https://github.com/helmutg)
455 - compiler support in the build system - Debian bug #869707 463 - compiler support in the build system - Debian bug #869707
456hhzek0014 (https://github.com/hhzek0014) 464hhzek0014 (https://github.com/hhzek0014)
457 - updated bibletime.profile 465 - updated bibletime.profile
458hlein (https://github.com/hlein) 466hlein (https://github.com/hlein)
459 - strip out \r's from jail prober 467 - strip out \r's from jail prober
460Holger Heinz (https://github.com/hheinz) 468Holger Heinz (https://github.com/hheinz)
@@ -490,6 +498,10 @@ James Elford (https://github.com/jelford)
490 - removed shell none from ssh-agent configuration, fixing the infinite loop 498 - removed shell none from ssh-agent configuration, fixing the infinite loop
491 - added gcloud profile 499 - added gcloud profile
492 - blacklist sensitive cloud provider files in disable-common 500 - blacklist sensitive cloud provider files in disable-common
501Jan-Niclas (https://github.com/0x6a61)
502 - moved rules from firefox-common.profile to firefox.profile
503 - blacklist /*firefox* except for firefox itself
504 - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
493Jean Lucas (https://github.com/flacks) 505Jean Lucas (https://github.com/flacks)
494 - fix Discord profile 506 - fix Discord profile
495 - add AnyDesk profile 507 - add AnyDesk profile
@@ -526,6 +538,7 @@ John Mullee (https://github.com/jmullee)
526Jonas Heinrich (https://github.com/onny) 538Jonas Heinrich (https://github.com/onny)
527 - added signal-desktop profile 539 - added signal-desktop profile
528 - fixed franz profile 540 - fixed franz profile
541 - remove /etc/hosts is_link check for NixOS
529Jose Riha (https://github.com/jose1711) 542Jose Riha (https://github.com/jose1711)
530 - added meteo-qt profile 543 - added meteo-qt profile
531 - created qgis, links, xlinks profiles 544 - created qgis, links, xlinks profiles
@@ -568,7 +581,7 @@ Kishore96in (https://github.com/Kishore96in)
568 - added falkon profile 581 - added falkon profile
569 - kxmlgui fixes 582 - kxmlgui fixes
570 - okular profile fixes 583 - okular profile fixes
571 - jitsi-meet-desktop profile 584 - jitsi-meet-desktop profile
572 - konversatin profile fix 585 - konversatin profile fix
573 - added Neochat profile 586 - added Neochat profile
574 - added whitelist-1793-workaround.inc 587 - added whitelist-1793-workaround.inc
@@ -595,6 +608,9 @@ Laurent Declercq (https://github.com/nuxwin)
595 - fixed test for shell interpreter in chroots 608 - fixed test for shell interpreter in chroots
596LaurentGH (https://github.com/LaurentGH) 609LaurentGH (https://github.com/LaurentGH)
597 - allow private-bin parameters to be absolute paths 610 - allow private-bin parameters to be absolute paths
611lecso7 (https://github.com/lecso7)
612 - added goldendict profile
613 - allow evince to read .cbz file format
598Loïc Damien (https://github.com/dzamlo) 614Loïc Damien (https://github.com/dzamlo)
599 - small fixes 615 - small fixes
600Liorst4 (https://github.com/Liorst4) 616Liorst4 (https://github.com/Liorst4)
@@ -627,6 +643,8 @@ Martin Carpenter (https://github.com/mcarpenter)
627Martin Dosch (spam-debian@mdosch.de) 643Martin Dosch (spam-debian@mdosch.de)
628 - support for gnome-shell integration addon in Firefox 644 - support for gnome-shell integration addon in Firefox
629 (Bug-Debian: https://bugs.debian.org/872720) 645 (Bug-Debian: https://bugs.debian.org/872720)
646Martynas Janonis (https://github.com/mjanonis)
647 - update wrc for Arch Linux
630Matt Parnell (https://github.com/ilikenwf) 648Matt Parnell (https://github.com/ilikenwf)
631 - whitelisting for core firefox related functionality 649 - whitelisting for core firefox related functionality
632Mattias Wadman (https://github.com/wader) 650Mattias Wadman (https://github.com/wader)
@@ -699,7 +717,7 @@ Ondra Nekola (https://github.com/satai)
699OndrejMalek (https://github.com/OndrejMalek) 717OndrejMalek (https://github.com/OndrejMalek)
700 - various manpage fixes 718 - various manpage fixes
701Ondřej Nový (https://github.com/onovy) 719Ondřej Nový (https://github.com/onovy)
702 - allow video for Signal profile 720 - allow video for Signal profile
703 - added Mattermost desktop profile 721 - added Mattermost desktop profile
704 - hardened Zoom profile 722 - hardened Zoom profile
705 - hardened Signal desktop profile 723 - hardened Signal desktop profile
@@ -716,7 +734,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
716Paul Moore <pmoore@redhat.com> 734Paul Moore <pmoore@redhat.com>
717 -src/fsec-print/print.c extracted from libseccomp software package 735 -src/fsec-print/print.c extracted from libseccomp software package
718Paupiah Yash (https://github.com/CaffeinatedStud) 736Paupiah Yash (https://github.com/CaffeinatedStud)
719 - gzip profile 737 - gzip profile
720Pawel (https://github.com/grimskies) 738Pawel (https://github.com/grimskies)
721 - make --join return exit code of the invoked program 739 - make --join return exit code of the invoked program
722Peter Millerchip (https://github.com/pmillerchip) 740Peter Millerchip (https://github.com/pmillerchip)
@@ -944,7 +962,7 @@ SYN-cook (https://github.com/SYN-cook)
944 - gnome-calculator changes 962 - gnome-calculator changes
945startx2017 (https://github.com/startx2017) 963startx2017 (https://github.com/startx2017)
946 - syscall list update 964 - syscall list update
947 - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, 965 - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
948 settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old 966 settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
949 - enable/disable join support in /etc/firejail/firejail.config 967 - enable/disable join support in /etc/firejail/firejail.config
950 - firecfg fix: create ~/.local/share/applications directory if it doesn't exist 968 - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
@@ -995,10 +1013,11 @@ Topi Miettinen (https://github.com/topimiettinen)
995 - improve loading of seccomp filter and memory-deny-write-execute feature 1013 - improve loading of seccomp filter and memory-deny-write-execute feature
996 - private-lib feature 1014 - private-lib feature
997 - make --nodbus block also system D-Bus socket 1015 - make --nodbus block also system D-Bus socket
998Ted Robertson (https://github.com/tredondo) 1016Ted Robertson (https://github.com/tredondo)
999 - webstorm profile fixes 1017 - webstorm profile fixes
1000 - added bcompare profile 1018 - added bcompare profile
1001 - various documentation fixes 1019 - various documentation fixes
1020 - blacklist Exodus wallet
1002user1024 (user1024@tut.by) 1021user1024 (user1024@tut.by)
1003 - electron profile whitelisting 1022 - electron profile whitelisting
1004 - fixed Rocket.Chat profile 1023 - fixed Rocket.Chat profile
@@ -1054,7 +1073,7 @@ vismir2 (https://github.com/vismir2)
1054 - feh, ranger, 7z, keepass, keepassx and zathura profiles 1073 - feh, ranger, 7z, keepass, keepassx and zathura profiles
1055 - claws-mail, mutt, git, emacs, vim profiles 1074 - claws-mail, mutt, git, emacs, vim profiles
1056 - lots of profile fixes 1075 - lots of profile fixes
1057 - support for truecrypt and zuluCrypt 1076 - support for truecrypt and zuluCrypt
1058viq (https://github.com/viq) 1077viq (https://github.com/viq)
1059 - discord-canary profile 1078 - discord-canary profile
1060Vladimir Gorelov (https://github.com/larkvirtual) 1079Vladimir Gorelov (https://github.com/larkvirtual)
@@ -1062,11 +1081,12 @@ Vladimir Gorelov (https://github.com/larkvirtual)
1062Vladimir Schowalter (https://github.com/VladimirSchowalter20) 1081Vladimir Schowalter (https://github.com/VladimirSchowalter20)
1063 - apparmor profile enhancements 1082 - apparmor profile enhancements
1064 - various KDE profile enhancements 1083 - various KDE profile enhancements
1065 read-only kde5 services directory 1084 - read-only kde5 services directory
1066Vladislav Nepogodin (https://github.com/vnepogodin) 1085Vladislav Nepogodin (https://github.com/vnepogodin)
1067 - added Librewolf profiles 1086 - added Librewolf profiles
1068 - added Sway profile 1087 - added Sway profile
1069 - fix CLion profile 1088 - fix CLion profile
1089 - fixes for disable-programs.inc
1070xee5ch (https://github.com/xee5ch) 1090xee5ch (https://github.com/xee5ch)
1071 - skypeforlinux profile 1091 - skypeforlinux profile
1072Ypnose (https://github.com/Ypnose) 1092Ypnose (https://github.com/Ypnose)
diff --git a/README.md b/README.md
index 0623d9463..cf9d9563e 100644
--- a/README.md
+++ b/README.md
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer.
22<table><tr> 22<table><tr>
23 23
24<td> 24<td>
25<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U 25<a href="https://www.brighteon.com/1928415c-2bce-40b2-a81f-7861a3734913" target="_blank">
26" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg" 26<img src="https://video.brighteon.com/file/Brighteon-staging/thumbnail/682ae17c-3fd8-4813-9c4e-6917c7cd2a5c.0000001.jpg"
27alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a> 27alt="Introduction" width="240" height="142" border="10" /><br/>Introduction</a>
28</td> 28</td>
29 29
30<td> 30<td>
31<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU 31<a href="https://www.brighteon.com/c20c32ac-1953-438f-8640-a414dcb318d6" target="_blank">
32" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" 32<img src="https://photos.brighteon.com/thumbnail/ecd8b0ca-7564-4993-a676-bbe4aa21cffc"
33alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a> 33alt="Technology" width="240" height="142" border="10" /><br/>Technology</a>
34</td> 34</td>
35 35
36<td> 36<td>
37<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 37<a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank">
38" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" 38<img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf"
39alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a> 39alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
40</td> 40</td>
41 41
42
43</tr><tr>
44<td>
45<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
46" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
47alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
48
49</td>
50<td>
51<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
52" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
53alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
54
55</td>
56<td>
57<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
58" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
59alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
60
61</td>
62</tr></table> 42</tr></table>
63 43
64Project webpage: https://firejail.wordpress.com/ 44Project webpage: https://firejail.wordpress.com/
@@ -239,32 +219,33 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
239$ sudo cp src/profstats/profstats /etc/firejail/. 219$ sudo cp src/profstats/profstats /etc/firejail/.
240$ cd /etc/firejail 220$ cd /etc/firejail
241$ ./profstats *.profile 221$ ./profstats *.profile
242 profiles 1150 222 profiles 1167
243 include local profile 1150 (include profile-name.local) 223 include local profile 1167 (include profile-name.local)
244 include globals 1120 (include globals.local) 224 include globals 1136 (include globals.local)
245 blacklist ~/.ssh 1026 (include disable-common.inc) 225 blacklist ~/.ssh 1042 (include disable-common.inc)
246 seccomp 1050 226 seccomp 1062
247 capabilities 1146 227 capabilities 1163
248 noexec 1030 (include disable-exec.inc) 228 noexec 1049 (include disable-exec.inc)
249 noroot 959 229 noroot 971
250 memory-deny-write-execute 253 230 memory-deny-write-execute 256
251 apparmor 681 231 apparmor 693
252 private-bin 667 232 private-bin 677
253 private-dev 1009 233 private-dev 1027
254 private-etc 523 234 private-etc 532
255 private-tmp 883 235 private-tmp 897
256 whitelist home directory 547 236 whitelist home directory 557
257 whitelist var 818 (include whitelist-var-common.inc) 237 whitelist var 836 (include whitelist-var-common.inc)
258 whitelist run/user 616 (include whitelist-runuser-common.inc 238 whitelist run/user 1137 (include whitelist-runuser-common.inc
259 or blacklist ${RUNUSER}) 239 or blacklist ${RUNUSER})
260 whitelist usr/share 591 (include whitelist-usr-share-common.inc 240 whitelist usr/share 609 (include whitelist-usr-share-common.inc
261 net none 391 241 net none 396
262 dbus-user none 641 242 dbus-user none 656
263 dbus-user filter 105 243 dbus-user filter 108
264 dbus-system none 792 244 dbus-system none 808
265 dbus-system filter 7 245 dbus-system filter 10
266``` 246```
267 247
268### New profiles: 248### New profiles:
269 249
270clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp 250clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
251cmake, make, meson, pip, codium
diff --git a/RELNOTES b/RELNOTES
index 86c4a6104..3f92c89c7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,16 @@
1firejail (0.9.67) baseline; urgency=low 1firejail (0.9.67) baseline; urgency=low
2 * work in progress 2 * work in progress
3 * exit code: distinguish fatal signals by adding 128
3 * deprecated --disable-whitelist at compile time 4 * deprecated --disable-whitelist at compile time
4 * deprecated whitelist=yes/no in /etc/firejail/firejail.config 5 * deprecated whitelist=yes/no in /etc/firejail/firejail.config
6 * new condition: ALLOW_TRAY
5 * remove (some) environment variables with auth-tokens 7 * remove (some) environment variables with auth-tokens
6 * new includes: whitelist-run-common.inc, disable-X11.inc 8 * new includes: whitelist-run-common.inc, disable-X11.inc
7 * removed includes: disable-passwordmgr.inc 9 * removed includes: disable-passwordmgr.inc
8 * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim 10 * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
9 * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl 11 * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
10 * new profiles: yt-dlp 12 * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
13 * new profiles: make, meson, pip, codium
11 -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 14 -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500
12 15
13firejail (0.9.66) baseline; urgency=low 16firejail (0.9.66) baseline; urgency=low
@@ -59,7 +62,7 @@ firejail (0.9.64.4) baseline; urgency=low
59 62
60firejail (0.9.64.2) baseline; urgency=low 63firejail (0.9.64.2) baseline; urgency=low
61 * allow --tmpfs inside $HOME for unprivileged users 64 * allow --tmpfs inside $HOME for unprivileged users
62 * --disable-usertmpfs compile time option 65 * --disable-usertmpfs compile time option
63 * allow AF_BLUETOOTH via --protocol=bluetooth 66 * allow AF_BLUETOOTH via --protocol=bluetooth
64 * Setup guide for new users: contrib/firejail-welcome.sh 67 * Setup guide for new users: contrib/firejail-welcome.sh
65 * implement netns in profiles 68 * implement netns in profiles
@@ -566,7 +569,7 @@ firejail (0.9.44) baseline; urgency=low
566 * feature: disable 3D hardware acceleration (--no3d) 569 * feature: disable 3D hardware acceleration (--no3d)
567 * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands 570 * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
568 * feature: move files in sandbox (--put) 571 * feature: move files in sandbox (--put)
569 * feature: accept wildcard patterns in user name field of restricted 572 * feature: accept wildcard patterns in user name field of restricted
570 shell login feature 573 shell login feature
571 * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape 574 * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
572 * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, 575 * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
@@ -608,7 +611,7 @@ firejail (0.9.42) baseline; urgency=low
608 * compile time: disable whitelisting (--disable-whitelist) 611 * compile time: disable whitelisting (--disable-whitelist)
609 * compile time: disable global config (--disable-globalcfg) 612 * compile time: disable global config (--disable-globalcfg)
610 * run time: enable/disable overlayfs (overlayfs yes/no) 613 * run time: enable/disable overlayfs (overlayfs yes/no)
611 * run time: enable/disable quiet as default (quiet-by-default yes/no) 614 * run time: enable/disable quiet as default (quiet-by-default yes/no)
612 * run time: user-defined network filter (netfilter-default) 615 * run time: user-defined network filter (netfilter-default)
613 * run time: enable/disable whitelisting (whitelist yes/no) 616 * run time: enable/disable whitelisting (whitelist yes/no)
614 * run time: enable/disable remounting of /proc and /sys 617 * run time: enable/disable remounting of /proc and /sys
@@ -706,7 +709,7 @@ firejail (0.9.38) baseline; urgency=low
706 -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 709 -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500
707 710
708firejail (0.9.36) baseline; urgency=low 711firejail (0.9.36) baseline; urgency=low
709 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, 712 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
710 parole and rtorrent profiles 713 parole and rtorrent profiles
711 * Google Chrome profile rework 714 * Google Chrome profile rework
712 * added google-chrome-stable profile 715 * added google-chrome-stable profile
diff --git a/SECURITY.md b/SECURITY.md
index 92204da0a..ef9b9b5fb 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,23 +2,24 @@
2 2
3## Supported Versions 3## Supported Versions
4 4
5| Version | Supported by us | EOL | Supported by distribution | 5| Version | Supported by us | EOL | Supported by distribution |
6| ------- | ------------------ | ---- | --------------------------- 6| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- |
7| 0.9.64 | :heavy_check_mark: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) 7| 0.9.66 | :heavy_check_mark: | | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable) |
8| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 8| 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 |
9| 0.9.60 | :x: | 29 Dec 2019 | 9| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 |
10| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 10| 0.9.60 | :x: | 29 Dec 2019 | |
11| 0.9.56 | :x: | 27 Jan 2019 | 11| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 |
12| 0.9.54 | :x: | 18 Sep 2018 | 12| 0.9.56 | :x: | 27 Jan 2019 | |
13| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS 13| 0.9.54 | :x: | 18 Sep 2018 | |
14| 0.9.50 | :x: | 12 Dec 2017 | 14| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS |
15| 0.9.48 | :x: | 09 Sep 2017 | 15| 0.9.50 | :x: | 12 Dec 2017 | |
16| 0.9.46 | :x: | 12 Jun 2017 | 16| 0.9.48 | :x: | 09 Sep 2017 | |
17| 0.9.44 | :x: | | :white_check_mark: Debian 9 17| 0.9.46 | :x: | 12 Jun 2017 | |
18| 0.9.42 | :x: | 22 Oct 2016 | 18| 0.9.44 | :x: | | :white_check_mark: Debian 9 |
19| 0.9.40 | :x: | 09 Sep 2016 | 19| 0.9.42 | :x: | 22 Oct 2016 | |
20| 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS 20| 0.9.40 | :x: | 09 Sep 2016 | |
21| <0.9.38 | :x: | Before 05 Feb 2016 | 21| 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS |
22| <0.9.38 | :x: | Before 05 Feb 2016 | |
22 23
23## Security vulnerabilities 24## Security vulnerabilities
24 25
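--- a/configure
+++ b/configure
@@ -711,6 +711,7 @@ ac_subst_files=''
 ac_user_opts='
 enable_option_checking
 enable_analyzer
+enable_sanitizer
 enable_apparmor
 enable_selinux
 enable_dbusproxy
@@ -1368,6 +1369,8 @@ Optional Features:
  --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
  --enable-analyzer enable GCC static analyzer
+ --enable-sanitizer=[address | memory | undefined]
+ enable a compiler-based sanitizer (debug)
  --enable-apparmor enable apparmor
  --enable-selinux SELinux labeling support
  --disable-dbusproxy disable dbus proxy
@@ -3294,6 +3297,57 @@ if test "x$enable_analyzer" = "xyes"; then :
 
 fi
 
+# Check whether --enable-sanitizer was given.
+if test "${enable_sanitizer+set}" = set; then :
+ enableval=$enable_sanitizer;
+else
+ enable_sanitizer=no
+fi
+
+if test "x$enable_sanitizer" != "xno" ; then :
+ as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5
+$as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; }
+if eval \${$as_CACHEVAR+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -fsanitize=$enable_sanitizer"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ eval "$as_CACHEVAR=yes"
+else
+ eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then :
+
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+
+else
+ as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5
+
+fi
+
+fi
+
 HAVE_APPARMOR=""
 # Check whether --enable-apparmor was given.
 if test "${enable_apparmor+set}" = set; then :
@@ -3549,7 +3603,7 @@ if test "x$enable_dbusproxy" != "xno"; then :
 
 fi
 
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 
 #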
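--- a/configure.ac
+++ b/configure.ac
@@ -45,6 +45,15 @@ AS_IF([test "x$enable_analyzer" = "xyes"], [
  EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
 ])
 
+AC_ARG_ENABLE([sanitizer],
+ AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@], [enable a compiler-based sanitizer (debug)]), [], [enable_sanitizer=no])
+AS_IF([test "x$enable_sanitizer" != "xno" ],
+ [AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
+ EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+ ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
+)])
+
 HAVE_APPARMOR=""
 AC_ARG_ENABLE([apparmor],
  AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
@@ -76,7 +85,7 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [
  AC_SUBST(HAVE_DBUSPROXY)
 ])
 
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 AC_SUBST(HAVE_OVERLAYFS)
 #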
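Review bot: Nothing in the new `--enable-sanitizer` branch warns that a sanitizer-instrumented build must not be installed, apart from the word "(debug)" in the help string. The README on this page describes Firejail as a SUID program, and sanitizer runtimes take their options from environment variables such as `ASAN_OPTIONS`, so an instrumented binary installed setuid would let the invoking user influence a privileged process (assuming EXTRA_CFLAGS/EXTRA_LDFLAGS reach the firejail binary itself, which this section does not show). I would add `AC_MSG_WARN([sanitizer build is for debugging only; do not install the resulting binaries SUID])` in the success branch, next to the `EXTRA_LDFLAGS` line. A bare `--enable-sanitizer` sets the value to `yes` and ends in "sanitizer not supported: yes"; a comment above `AC_ARG_ENABLE` such as `# needs an explicit value, e.g. --enable-sanitizer=address` would document that.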
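--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -164,7 +164,7 @@ def printHelp():
 
 
 def main() -> None:
- """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
+ """The main function. Parses the commandline args, shows messages and calls the function actually doing the work."""
  if len(sys.argv) > 2 or (len(sys.argv) == 2 and
  (sys.argv[1] == "-h" or sys.argv[1] == "--help")):
  printHelp()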
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh
index 941fc45ef..686bdc2c0 100755
--- a/contrib/gdb-firejail.sh
+++ b/contrib/gdb-firejail.sh
@@ -21,4 +21,4 @@ else
21fi 21fi
22 22
23bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & 23bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
24sudo gdb -e "$FIREJAIL" -p "$!" 24sudo gdb -e "$FIREJAIL" -p "$!"
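--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items):
 
 
 def sort_protocol(protocols):
- """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+ """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
 
  # shortcut for common protocol lines
  if protocols in ("unix", "unix,inet,inet6"):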
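--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -72,7 +72,7 @@ syn match fjCommandNoCond /quiet$/ contained
 
 " Conditionals grabbed from: src/firejail/profile.c
 " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
+syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
 
 " A line is either a command, a conditional or a comment
 syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment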
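--- a/etc-fixes/0.9.58/atom.profile
+++ b/etc-fixes/0.9.58/atom.profile
@@ -1,4 +1,3 @@
-
 # Firejail profile for atom
 # Description: A hackable text editor for the 21st Century
 # This file is overwritten after every install/update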
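--- a/etc-fixes/seccomp-join-bug/README
+++ b/etc-fixes/seccomp-join-bug/README
@@ -8,4 +8,3 @@ on May 21, 2019:
 
 The original discussion thread: https://github.com/netblue30/firejail/issues/2718
 The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
-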
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index ca32f5b0d..a7044152e 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -129,7 +129,7 @@ signal (receive),
129########## 129##########
130# The list of recognized capabilities varies from one apparmor version to another. 130# The list of recognized capabilities varies from one apparmor version to another.
131# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available 131# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
132# We allow all caps by default and remove the ones we don't like: 132# We allow all caps by default and remove the ones we don't like:
133capability, 133capability,
134deny capability audit_write, 134deny capability audit_write,
135deny capability audit_control, 135deny capability audit_control,
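diff --git a/etc/firejail.config b/etc/firejail.config
index 2e355586b..7912b746c 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
+# Allow programs to display a tray icon
+# allow-tray no
+
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
@@ -63,7 +66,7 @@
 # a file argument, the default filter is hardcoded (see man 1 firejail). This
 # configuration entry allows the user to change the default by specifying
 # a file containing the filter configuration. The filter file format is the
-# format of iptables-save and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
 # netfilter-default /etc/iptables.iptables.rules
 
 # Enable or disable networking features, default enabled.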
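Review bot: The new `allow-tray` entry (new lines 5-6) does not state its default, unlike the neighbouring entries such as `# Enable AppArmor functionality, default enabled.`. The option appears to gate the `?ALLOW_TRAY:` conditional that amarok.profile now puts in front of `dbus-user.talk org.kde.StatusNotifierWatcher`, so an administrator reading this file should be able to tell that the D-Bus permission is withheld unless the option is turned on. I would write the comment as `# Allow programs to display a tray icon, default disabled.`, assuming the commented-out `no` reflects the built-in default, which is decided in source not shown on this page.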
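diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 011bbe226..4e460fc10 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
+# Ruby
+noblacklist ${HOME}/.bundle
+
 # Rust
-noblacklist ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo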
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..00276cac7 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
4 4
5noblacklist ${PATH}/ruby 5noblacklist ${PATH}/ruby
6noblacklist /usr/lib/ruby 6noblacklist /usr/lib/ruby
7noblacklist /usr/lib64/ruby
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..98bf5ecc8 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc
60blacklist ${PATH}/valgrind* 60blacklist ${PATH}/valgrind*
61blacklist /usr/lib/valgrind 61blacklist /usr/lib/valgrind
62 62
63
64# Source-Code 63# Source-Code
65
66blacklist /usr/src 64blacklist /usr/src
67blacklist /usr/local/src 65blacklist /usr/local/src
68blacklist /usr/include 66blacklist /usr/include
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..804869e2a 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
48# Ruby 48# Ruby
49blacklist ${PATH}/ruby 49blacklist ${PATH}/ruby
50blacklist /usr/lib/ruby 50blacklist /usr/lib/ruby
51blacklist /usr/lib64/ruby
51 52
52# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus 53# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
53# Python 2 54# Python 2
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 444446156..6734e220a 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime
49blacklist ${HOME}/.bitcoin 49blacklist ${HOME}/.bitcoin
50blacklist ${HOME}/.blobby 50blacklist ${HOME}/.blobby
51blacklist ${HOME}/.bogofilter 51blacklist ${HOME}/.bogofilter
52blacklist ${HOME}/.bundle
52blacklist ${HOME}/.bzf 53blacklist ${HOME}/.bzf
53blacklist ${HOME}/.cargo/* 54blacklist ${HOME}/.cargo
54blacklist ${HOME}/.claws-mail 55blacklist ${HOME}/.claws-mail
55blacklist ${HOME}/.cliqz 56blacklist ${HOME}/.cliqz
56blacklist ${HOME}/.clion* 57blacklist ${HOME}/.clion*
@@ -77,6 +78,7 @@ blacklist ${HOME}/.config/Element
77blacklist ${HOME}/.config/Element (Riot) 78blacklist ${HOME}/.config/Element (Riot)
78blacklist ${HOME}/.config/Enox 79blacklist ${HOME}/.config/Enox
79blacklist ${HOME}/.config/Epic 80blacklist ${HOME}/.config/Epic
81blacklist ${HOME}/.config/Exodus
80blacklist ${HOME}/.config/Ferdi 82blacklist ${HOME}/.config/Ferdi
81blacklist ${HOME}/.config/Flavio Tordini 83blacklist ${HOME}/.config/Flavio Tordini
82blacklist ${HOME}/.config/Franz 84blacklist ${HOME}/.config/Franz
@@ -141,6 +143,7 @@ blacklist ${HOME}/.config/SubDownloader
141blacklist ${HOME}/.config/Thunar 143blacklist ${HOME}/.config/Thunar
142blacklist ${HOME}/.config/Twitch 144blacklist ${HOME}/.config/Twitch
143blacklist ${HOME}/.config/Unknown Organization 145blacklist ${HOME}/.config/Unknown Organization
146blacklist ${HOME}/.config/VSCodium
144blacklist ${HOME}/.config/VirtualBox 147blacklist ${HOME}/.config/VirtualBox
145blacklist ${HOME}/.config/Whalebird 148blacklist ${HOME}/.config/Whalebird
146blacklist ${HOME}/.config/Wire 149blacklist ${HOME}/.config/Wire
@@ -495,12 +498,14 @@ blacklist ${HOME}/.frogatto
495blacklist ${HOME}/.frozen-bubble 498blacklist ${HOME}/.frozen-bubble
496blacklist ${HOME}/.funnyboat 499blacklist ${HOME}/.funnyboat
497blacklist ${HOME}/.gallery-dl.conf 500blacklist ${HOME}/.gallery-dl.conf
501blacklist ${HOME}/.geekbench5
498blacklist ${HOME}/.gimp* 502blacklist ${HOME}/.gimp*
499blacklist ${HOME}/.gist 503blacklist ${HOME}/.gist
500blacklist ${HOME}/.gitconfig 504blacklist ${HOME}/.gitconfig
501blacklist ${HOME}/.gl-117 505blacklist ${HOME}/.gl-117
502blacklist ${HOME}/.glaxiumrc 506blacklist ${HOME}/.glaxiumrc
503blacklist ${HOME}/.gnome/gnome-schedule 507blacklist ${HOME}/.gnome/gnome-schedule
508blacklist ${HOME}/.goldendict
504blacklist ${HOME}/.googleearth 509blacklist ${HOME}/.googleearth
505blacklist ${HOME}/.gradle 510blacklist ${HOME}/.gradle
506blacklist ${HOME}/.gramps 511blacklist ${HOME}/.gramps
@@ -966,6 +971,7 @@ blacklist ${HOME}/.cache/Enpass
966blacklist ${HOME}/.cache/Ferdi 971blacklist ${HOME}/.cache/Ferdi
967blacklist ${HOME}/.cache/Flavio Tordini 972blacklist ${HOME}/.cache/Flavio Tordini
968blacklist ${HOME}/.cache/Franz 973blacklist ${HOME}/.cache/Franz
974blacklist ${HOME}/.cache/GoldenDict
969blacklist ${HOME}/.cache/INRIA 975blacklist ${HOME}/.cache/INRIA
970blacklist ${HOME}/.cache/INRIA/Natron 976blacklist ${HOME}/.cache/INRIA/Natron
971blacklist ${HOME}/.cache/KDE/neochat 977blacklist ${HOME}/.cache/KDE/neochat
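diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index 224d21064..0d87657a9 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -7,5 +7,6 @@ whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
 whitelist /run/resolvconf/resolv.conf
+whitelist /run/shm
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf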
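Review bot: `whitelist /run/shm` (new line 10) goes into an include shared by many profiles, cheese.profile and build-systems-common.profile in this commit among them, and nothing records why a shared-memory directory belongs in the common set. On distributions where /dev/shm is a symlink to /run/shm, this presumably keeps POSIX shared memory working under a whitelisted /run, but it also makes that directory visible to every sandbox that uses the include. A comment such as `# /run/shm: target of the /dev/shm symlink on some distributions` would make the intent reviewable.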
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
index 76fd21d32..a256e942f 100644
--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
1# Firejail profile for gnome-books 1# Firejail profile for gnome-books
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Books.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4 9
5# Temporary fix for https://github.com/netblue30/firejail/issues/2624 10# Temporary fix for https://github.com/netblue30/firejail/issues/2624
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 005a502c4..256e2115a 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -42,7 +42,7 @@ tracelog
42private-bin abiword 42private-bin abiword
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc fonts,gtk-3.0,passwd 45private-etc fonts,gtk-3.0,ld.so.preload,passwd
46private-tmp 46private-tmp
47 47
48# dbus-user none 48# dbus-user none
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index fea25fd58..8652ae5f1 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -50,7 +50,7 @@ tracelog
50private-bin agetpkg,python3 50private-bin agetpkg,python3
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl 53private-etc ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
54private-tmp 54private-tmp
55 55
56dbus-user none 56dbus-user none
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 69b499c74..9b74b4d29 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -53,7 +53,7 @@ disable-mnt
53# private-bin alacarte,bash,python*,sh 53# private-bin alacarte,bash,python*,sh
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg 56private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index e7b78f7d0..7d8ec481d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok
39dbus-user.own org.mpris.amarok 39dbus-user.own org.mpris.amarok
40dbus-user.own org.mpris.MediaPlayer2.amarok 40dbus-user.own org.mpris.MediaPlayer2.amarok
41dbus-user.talk org.freedesktop.Notifications 41dbus-user.talk org.freedesktop.Notifications
42dbus-user.talk org.kde.StatusNotifierWatcher 42?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
43# If you're not on kde-plasma add the next lines to your amarok.local. 43# If you're not on kde-plasma add the next lines to your amarok.local.
44#dbus-user.own org.kde.kded 44#dbus-user.own org.kde.kded
45#dbus-user.own org.kde.klauncher 45#dbus-user.own org.kde.klauncher
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index 3ce05c5bc..e82c145d1 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -32,6 +32,7 @@ nosound
32notv 32notv
33nou2f 33nou2f
34novideo 34novideo
35# Add netlink protocol to use UPnP
35protocol unix,inet,inet6 36protocol unix,inet,inet6
36seccomp 37seccomp
37shell none 38shell none
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index fa4dfbb6f..b6e931be5 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -50,7 +50,7 @@ disable-mnt
50private-bin anki,python* 50private-bin anki,python*
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf 53private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
54private-tmp 54private-tmp
55 55
56dbus-user none 56dbus-user none
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 737cf3095..e96def048 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -45,7 +45,7 @@ private-bin aria2c,gzip
45# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). 45# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
46#private-cache 46#private-cache
47private-dev 47private-dev
48private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl 48private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
49private-lib libreadline.so.* 49private-lib libreadline.so.*
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 3253fb586..98ae01950 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -43,6 +43,6 @@ tracelog
43disable-mnt 43disable-mnt
44private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor 44private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
45private-dev 45private-dev
46private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor 46private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor
47private-tmp 47private-tmp
48 48
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 8d74b6ba4..adf4e16ee 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -56,7 +56,7 @@ disable-mnt
56private-bin artha,enchant,notify-send 56private-bin artha,enchant,notify-send
57private-cache 57private-cache
58private-dev 58private-dev
59private-etc alternatives,fonts,machine-id 59private-etc alternatives,fonts,ld.so.preload,machine-id
60private-lib libnotify.so.* 60private-lib libnotify.so.*
61private-tmp 61private-tmp
62 62
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index e377de2c8..272f9906d 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
13noroot 13noroot
14 14
15# without login.defs atool complains and uses UID/GID 1000 by default 15# without login.defs atool complains and uses UID/GID 1000 by default
16private-etc alternatives,group,login.defs,passwd 16private-etc alternatives,group,ld.so.preload,login.defs,passwd
17private-tmp 17private-tmp
18 18
19# Redirect 19# Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index f7c62926f..264bc0215 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -42,7 +42,7 @@ tracelog
42 42
43private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote 43private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
44private-dev 44private-dev
45private-etc alternatives,fonts,ld.so.cache 45private-etc alternatives,fonts,ld.so.cache,ld.so.preload
46# atril uses webkit gtk to display epub files 46# atril uses webkit gtk to display epub files
47# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 47# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
48#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit 48#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 411c5f4d3..8fefc1eb7 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -47,7 +47,7 @@ disable-mnt
47private-bin authenticator-rs 47private-bin authenticator-rs
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg 50private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl,xdg
51private-tmp 51private-tmp
52 52
53dbus-user filter 53dbus-user filter
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 0f0fb7ceb..f9a03ca68 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -39,7 +39,7 @@ shell none
39disable-mnt 39disable-mnt
40# private-bin authenticator,python* 40# private-bin authenticator,python*
41private-dev 41private-dev
42private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl 42private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
43private-tmp 43private-tmp
44 44
45# makes settings immutable 45# makes settings immutable
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 197f787ca..2080aad62 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -66,7 +66,7 @@ tracelog
66private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm 66private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
67private-cache 67private-cache
68private-dev 68private-dev
69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg 69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
70private-tmp 70private-tmp
71writable-run-user 71writable-run-user
72writable-var 72writable-var
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets
79dbus-user.talk org.gnome.keyring.SystemPrompter 79dbus-user.talk org.gnome.keyring.SystemPrompter
80dbus-system none 80dbus-system none
81 81
82read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file 82read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 0104dc181..24db11c7e 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -52,7 +52,7 @@ disable-mnt
52# private-bin bibletime,qt5ct 52# private-bin bibletime,qt5ct
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf 55private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index ba2eb2ea7..91ce57966 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -23,7 +23,7 @@ no3d
23nosound 23nosound
24 24
25?HAS_APPIMAGE: ignore private-dev 25?HAS_APPIMAGE: ignore private-dev
26private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl 26private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
27private-opt Bitwarden 27private-opt Bitwarden
28 28
29# Redirect 29# Redirect
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 61d1c3a1e..8d8787174 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -35,7 +35,7 @@ shell none
35# private-bin bash,bless,mono,sh 35# private-bin bash,bless,mono,sh
36private-cache 36private-cache
37private-dev 37private-dev
38private-etc alternatives,fonts,mono 38private-etc alternatives,fonts,ld.so.preload,mono
39private-tmp 39private-tmp
40 40
41dbus-user none 41dbus-user none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 11d705c5b..7179bf4a5 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -41,7 +41,7 @@ tracelog
41disable-mnt 41disable-mnt
42private-bin blobby 42private-bin blobby
43private-dev 43private-dev
44private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse 44private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.preload,login.defs,machine-id,passwd,pulse
45private-lib 45private-lib
46private-tmp 46private-tmp
47 47
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 6e3d4256c..683a7858b 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin blobwars 43private-bin blobwars
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc machine-id 46private-etc ld.so.preload,machine-id
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index d731a6a6e..dbfc90996 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9private-etc alternatives,group,localtime,passwd 9private-etc alternatives,group,ld.so.preload,localtime,passwd
10 10
11# Redirect 11# Redirect
12include archiver-common.profile 12include archiver-common.profile
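diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..1b199d612
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none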
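Review bot: `include allow-common-devel.inc` on line 16 applies to every tool that redirects here, so the `noblacklist ${HOME}/.bundle` and `noblacklist ${HOME}/.cargo` entries that this same commit puts into that include reach cmake and bundle as well as cargo. With `ignore noexec ${HOME}` on line 9 also in effect, each build tool can see and execute per-user state that belongs to the others, which is broader than any single tool needs. If the breadth is intended, a comment above the include should say so, for example `# Shared by all build tools: un-blacklists every path listed in allow-common-devel.inc`. Otherwise the per-tool `noblacklist` lines are better kept in the calling profile, as bundle.profile already does with `noblacklist ${HOME}/.bundle`.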
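diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..bb82022b1
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+# Redirect
+include build-systems-common.profile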
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index ae9e0f1d2..d3c25d451 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -46,7 +46,7 @@ tracelog
46disable-mnt 46disable-mnt
47private-bin cameramonitor,python* 47private-bin cameramonitor,python*
48private-cache 48private-cache
49private-etc alternatives,fonts 49private-etc alternatives,fonts,ld.so.preload
50private-tmp 50private-tmp
51 51
52# dbus-user none 52# dbus-user none
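diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..4c8afd895 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
 # Persistent global definitions
 include globals.local
 
-ignore noexec ${HOME}
+ignore read-only ${HOME}/.cargo/bin
-ignore noexec /tmp
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
 
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-
-dbus-user none
-dbus-system none
 
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+
+# Redirect
+include build-systems-common.profile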
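Review bot: `ignore read-only ${HOME}/.cargo/bin` on new line 10 carries no comment, and it only takes effect because it sits above the `include build-systems-common.profile` redirect, which is presumably where the read-only rule is pulled in (that rule is not visible on this page). Together with `ignore noexec ${HOME}` from the common profile, the sandboxed build keeps a writable and executable directory that is commonly on the user's PATH, so whatever a build writes there persists outside the sandbox. A comment such as `# cargo install writes binaries to ~/.cargo/bin; keep above the redirect` would record both the reason and the ordering constraint for the next editor.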
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 78df5af83..ceba03269 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -39,7 +39,7 @@ disable-mnt
39private-bin cawbird 39private-bin cawbird
40private-cache 40private-cache
41private-dev 41private-dev
42private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg 42private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
43private-tmp 43private-tmp
44 44
45# dbus-user none 45# dbus-user none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 0beeaafdd..1a9340632 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -53,7 +53,7 @@ tracelog
53 53
54private-bin celluloid,env,gnome-mpv,python*,youtube-dl 54private-bin celluloid,env,gnome-mpv,python*,youtube-dl
55private-cache 55private-cache
56private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg 56private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
57private-dev 57private-dev
58private-tmp 58private-tmp
59 59
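diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index c2fc064f3..978d727f4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
 
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /run/udev/data
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin cheese
 private-cache
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-dev
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none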
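Review bot: `include allow-python3.inc` on new line 12 is added without the one-line reason that other profiles in this commit give for such includes, e.g. `# Allow ruby (blacklisted by disable-interpreters.inc)` in bundle.profile. Since `private-bin cheese` lists no interpreter, the profile does not show what needs Python. A comment like `# Allow python3 (blacklisted by disable-interpreters.inc)` that also names the component requiring it would let a later reviewer judge whether the allowance can be dropped. The second hunk also adds `nosound`, which looks at odds with recording video with audio and is worth confirming against the application's behaviour.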
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 8ccf67ba1..5eb2cb621 100644
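--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 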
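Review bot: The `ld.so.preload` entry added to `private-etc` here has no comment saying why it is needed, and the same bare addition repeats in nearly every other profile on this page. Because this profile also sets `private-lib`, any library the host lists in /etc/ld.so.preload would presumably have to be reachable inside the restricted library directory too, and nothing in the hunk adds one; the same question applies to dbus-send, dconf, devilspie, enchant, galculator, gconf and gget. It is worth confirming on a system with a populated /etc/ld.so.preload, and then stating the reason once, for example with `# ld.so.preload: keep the host's preload configuration visible to the loader` above the line.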
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..26cc2a00a
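--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile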
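Review bot: The new cmake.profile still reads `include cargo.local` on line 6, so overrides a user places in cmake.local are never loaded and cargo's local overrides are applied to cmake instead. That matters for anyone who tightens or relaxes the cmake sandbox locally, because the change silently has no effect. The line should be `include cmake.local`, and the two header comments on lines 1-2 should name cmake rather than `cargo` and `The Rust package manager`.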
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index 19a30e694..e51dd6bed 100644
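--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl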
diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile
new file mode 100644
index 000000000..9ff87ed8a
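--- /dev/null
+++ b/etc/profile-a-l/codium.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for VSCodium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include codium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vscodium.profile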
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
index e5debfd82..97bf6d394 100644
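--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,4 +7,4 @@ include cola.local
 include globals.local
 
 # Redirect
-include git-cola.profile
\ No newline at end of file
+include git-cola.profile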
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 8d9de93bb..6f08bc378 100644
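--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # Settings are immutable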
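Review bot: The rewritten `private-etc` line keeps `machine-id mime.types` with a space where every other entry is separated by a comma, so the list is malformed at that point. How the parser treats the space is not visible here, but at best one of the two files is likely to be missing from the private /etc. Since the line is being edited anyway, the fragment should read `hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf`.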
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index e7aa32be9..d33b89e7c 100644
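--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0
+private-etc dconf,fonts,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user filter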
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index aa9a19fcb..c75a09a51 100644
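--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-3.0
+private-etc dconf,fonts,gconf,gtk-3.0,ld.so.preload
 private-tmp
 
 read-only ${HOME}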
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 03218d85a..1d623fa09 100644
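--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl
 private-tmp
 
 dbus-user none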
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 177abf829..deb2c0ef8 100644
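--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt none
 private-tmp
 private-srv none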
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 0e4b8d475..0e754c448 100644
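--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,machine-id
+private-etc alternatives,dbus-1,fonts,ld.so.preload,machine-id
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)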
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 768f1ac2c..c2532ed3b 100644
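--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -51,7 +51,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1
+private-etc alternatives,dbus-1,ld.so.preload
 private-lib libpcre*
 private-tmp
 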
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index f57063ab6..2b43c5ea3 100644
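--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,machine-id
 private-lib
 private-tmp
 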
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 8b7c86789..1cbeee763 100644
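--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf
+private-etc alternatives,dconf,ld.so.preload
 private-lib
 private-tmp
 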
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 701755d93..0669a5a6c 100644
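--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 
 dbus-user none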
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index a416bc27e..562f6b105 100644
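--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 private-tmp
 
 # makes settings immutable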
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 89c8e1ae8..19b6cffaf 100644
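--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-lib gconv
 private-tmp
 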
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 2613027ba..c04e38899 100644
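--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
 
 join-or-start discord
 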
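Review bot: The rewritten `private-etc` line still lists `password`, which looks like a misspelling of `passwd`, the name the easystroke, evince, falkon and gajim profiles on this page use. If that is right, /etc/passwd is not carried into the private /etc, and the unmatched name is presumably skipped without an error. Since the line is already being changed, the fragment should become `login.defs,machine-id,passwd,pki`.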
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 0f134bd87..6eff39d40 100644
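--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -40,7 +40,7 @@ shell none
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-tmp
 
 dbus-user none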
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 6d5e2501f..253f5643e 100644
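--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -45,7 +45,7 @@ shell none
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 
 dbus-user none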
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index fd7f252b6..0345f2b24 100644
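--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -45,7 +45,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.preload,passwd
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp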
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9aac3f570..e472f57b6 100644
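--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -45,7 +45,7 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 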
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 1647f2bc4..8cfc9f797 100644
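--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -47,7 +47,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-tmp
 
 # dbus-user none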
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 03fd9033a..8673b65ca 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg
12noblacklist ${HOME}/.mozilla 12noblacklist ${HOME}/.mozilla
13noblacklist ${HOME}/.signature 13noblacklist ${HOME}/.signature
14# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local 14# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
15# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications 15# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
16noblacklist ${HOME}/Mail 16noblacklist ${HOME}/Mail
17 17
18noblacklist ${DOCUMENTS} 18noblacklist ${DOCUMENTS}
@@ -66,7 +66,7 @@ tracelog
66# disable-mnt 66# disable-mnt
67private-cache 67private-cache
68private-dev 68private-dev
69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg 69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
70private-tmp 70private-tmp
71# encrypting and signing email 71# encrypting and signing email
72writable-run-user 72writable-run-user
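Review bot: On the rewritten `private-etc` line in the second hunk, `groups` and `hosts.conf` look like misspellings of `group` and `host.conf`, the names other profiles on this page use (`group` in cmus and gajim, `host.conf` in tootle, freetube and git-cola). If so, neither /etc/group nor /etc/host.conf reaches the private /etc of the mail clients that include this file, and the unmatched names are presumably ignored without a warning. Since the line is already being edited, the fragments should become `gnupg,group,gtk-2.0` and `gtk-3.0,host.conf,hostname,hosts,ld.so.preload`.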
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index dc383984e..0a2e23996 100644
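--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-lib
 private-tmp
 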
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 02112ef20..ddc0ce0b9 100644
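--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -47,6 +47,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp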
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 5892374bd..65e5c6e69 100644
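--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -18,7 +18,7 @@ whitelist /usr/share/eog
 
 private-bin eog
 
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
 # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
 #dbus-user filter
 #dbus-user.own org.gnome.eog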
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 7566f7b50..fe7b912bd 100644
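--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
 private-tmp
 
 dbus-user none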
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77fb458ca..63e456488 100644
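--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -54,9 +54,9 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
 # dbus-user filtering might break two-page-view on some systems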
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 49a16f2f2..12c22ba5b 100644
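--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -48,7 +48,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-tmp
 
 dbus-user none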
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 3911a8c75..62ea449a6 100644
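--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -46,7 +46,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 # dbus-user filter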
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
index 690b39171..f9b3d58c9 100644
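--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,pki,resolv.conf,ssl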
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 0fdb1d3d3..f2770f294 100644
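--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -36,7 +36,7 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh
+private-etc alternatives,feh,ld.so.preload
 private-tmp
 
 dbus-user none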
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 04134cbf4..2284ccbe4 100644
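--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 
 private-bin ffplay
-private-etc alsa,asound.conf,group
+private-etc alsa,asound.conf,group,ld.so.preload
 
 # Redirect
 include ffmpeg.profile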
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 434466139..54fa7dfa7 100644
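--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc dconf,fonts,gtk-3.0,ld.so.preload,xdg
 # private-tmp
 
 dbus-system none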
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index e9241efc3..862ef6ab6 100644
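--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-dev
 #private-tmp
 
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.portal.Desktop
 dbus-user.talk org.gnome.Shell
 dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none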
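Review bot: In the second hunk, `?ALLOW_TRAY: dbus-user.own org.kde.*` still lets the sandbox own any name under org.kde once the tray option is enabled, which is far wider than the single `StatusNotifierWatcher` talk rule next to it. If the wildcard is needed because the tray item registers a per-process name, that reason should be recorded above the line, for example `# tray icon registers its own name under org.kde; only with ALLOW_TRAY`. Otherwise the rule should be narrowed to the names flameshot actually claims.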
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 7beb2bcba..aeed313c8 100644
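--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 
 # Redirect
 include electron.profile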
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa08b4956..efd5246d6 100644
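--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc ld.so.preload,machine-id
 private-tmp
 
 dbus-user none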
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index b0d017db9..6d764a0f9 100644
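--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -59,7 +59,7 @@ disable-mnt
 private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 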
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 50b1c319c..c6280c488 100644
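--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-lib
 private-tmp
 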
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..a31dde21c 100644
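--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
 
 private-bin gallery-dl
-private-etc gallery-dl.conf
+private-etc gallery-dl.conf,ld.so.preload
 
 # Redirect
 include youtube-dl.profile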
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 8263423a0..e9eb55709 100644
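--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -49,7 +49,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-tmp
 
 # Add the next line to your gapplication.local to filter D-Bus names.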
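Review bot: `private-etc ld.so.preload,none` now mixes a real file with `none`, which on the old line read as "keep /etc empty". If `none` is only a placeholder that matches no file, as it appears to be for `private-etc`, it is redundant beside a real entry and suggests an empty /etc that the profile no longer provides. Either shorten the line to `private-etc ld.so.preload` or add a comment such as `# /etc is empty apart from ld.so.preload` above it.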
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 388f4c0df..297e5d345 100644
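--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -36,7 +36,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none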
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index b01d88f80..6532d85f0 100644
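--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf
+private-etc alternatives,fonts,gconf,ld.so.preload
 private-lib GConf,libpython*,python2*
 private-tmp
 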
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 29c620556..b78f7e647 100644
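--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin geary
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter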
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index f0e17963c..4812e1368 100644
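--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
+private-etc alternatives,group,ld.so.preload,lsb-release,passwd
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5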
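Review bot: This section relaxes the geekbench sandbox in several places with almost no explanation in the file. The first hunk adds `noblacklist /sbin` and `noblacklist /usr/sbin` without a comment, and the last hunk drops `private-lib` and `private-opt none` and disables `private-bin` with only `-- #4576`. A comment above the noblacklist lines naming what geekbench runs from the sbin directories, and one beside the disabled `private-bin` line saying what broke, would let a later maintainer judge whether the restrictions can return. The removed `#memory-deny-write-execute` remark also leaves no record of why that option stays off.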
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index b2adaa8e4..d8ca4ae41 100644
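--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
 private-lib
 private-tmp
 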
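Review bot: Exposing `ld.so.preload` through `private-etc` while the profile keeps `private-lib` means any library the host names in /etc/ld.so.preload must also be reachable inside the private lib directory. Otherwise the loader will presumably complain about, or fail on, the missing object for every process in the sandbox. Whether firejail copies preload libraries into the private lib tree is not visible in this commit, so it is worth confirming on a host that actually has an /etc/ld.so.preload. The same pairing is produced in the gnome-logs, gnome-pie, gnome-recipes, gnome-system-log, gpicview, gtk-update-icon-cache and ipcalc profiles. A comment above the line such as `# ld.so.preload: libraries listed there must also be available under private-lib` would record the dependency; the rest of the profile is outside the hunk.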
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 80fa18119..010cdae06 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -52,7 +52,7 @@ tracelog
52disable-mnt 52disable-mnt
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc alternatives 55private-etc alternatives,ld.so.preload
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index f77adef63..c13273321 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -70,7 +70,7 @@ tracelog
70private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed 70private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
71private-cache 71private-cache
72private-dev 72private-dev
73private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg 73private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
74private-tmp 74private-tmp
75writable-run-user 75writable-run-user
76 76
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 5dfb48189..36b016e02 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -37,7 +37,7 @@ shell none
37 37
38disable-mnt 38disable-mnt
39private-bin bash,env,gitter 39private-bin bash,env,gitter
40private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl 40private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,pulse,resolv.conf,ssl
41private-opt Gitter 41private-opt Gitter
42private-dev 42private-dev
43private-tmp 43private-tmp
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index 4aa4b6c20..0a1264888 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -44,7 +44,7 @@ tracelog
44disable-mnt 44disable-mnt
45#private-bin gmpc 45#private-bin gmpc
46private-cache 46private-cache
47private-etc alternatives,fonts 47private-etc alternatives,fonts,ld.so.preload
48private-tmp 48private-tmp
49writable-run-user 49writable-run-user
50 50
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index c8903a991..2c1dee50c 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -45,7 +45,7 @@ private
45private-bin gnome-calendar 45private-bin gnome-calendar
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl 48private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
49private-tmp 49private-tmp
50 50
51dbus-user filter 51dbus-user filter
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index d038d775a..6261fcc27 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -50,5 +50,5 @@ disable-mnt
50private-bin fairymax,gnome-chess,gnuchess,hoichess 50private-bin fairymax,gnome-chess,gnuchess,hoichess
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 53private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.preload
54private-tmp 54private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 96a39f6ce..7d33ac94e 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -42,6 +42,6 @@ disable-mnt
42private-bin gnome-clocks,gsound-play 42private-bin gnome-clocks,gsound-play
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl 45private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
46private-tmp 46private-tmp
47 47
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 19a4bc5c7..28c7e3346 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -42,7 +42,7 @@ private
42private-bin gnome-hexgl 42private-bin gnome-hexgl
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alsa,asound.conf,machine-id,pulse 45private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 26c2c4409..1d2366365 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -48,6 +48,6 @@ tracelog
48private-cache 48private-cache
49private-dev 49private-dev
50# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed 50# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
51private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive 51private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.preload,login.defs,passwd,texlive
52 52
53dbus-system none 53dbus-system none
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 2c15f7592..3d8218e99 100644
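--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -40,7 +40,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log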
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index a00edfa37..fe8268530 100644
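--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -42,6 +42,6 @@ tracelog
 # private-bin calls a file manager - whatever is installed!
 #private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
 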
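Review bot: The rewritten `private-etc` line still lists `fonts` twice (`...,dconf,fonts,fonts,gtk-3.0,...`). Since the line is being edited anyway the duplicate can go: `private-etc alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg`. The rest of the profile is outside the hunk.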
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index b69899c70..bdc09b5ac 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin gnome-passwordsafe,python3* 53private-bin gnome-passwordsafe,python3*
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc dconf,fonts,gtk-3.0,passwd 56private-etc dconf,fonts,gtk-3.0,ld.so.preload,passwd
57private-tmp 57private-tmp
58 58
59dbus-user filter 59dbus-user filter
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 3ab2e4aad..fb108ee97 100644
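--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.preload,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 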
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 01162b552..9a5f878fc 100644
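--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -47,7 +47,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,ssl
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
 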
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index f5afa9fb3..a4e4ae38a 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -42,7 +42,7 @@ tracelog
42disable-mnt 42disable-mnt
43private-bin gnome-screenshot 43private-bin gnome-screenshot
44private-dev 44private-dev
45private-etc dconf,fonts,gtk-3.0,localtime,machine-id 45private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,machine-id
46private-tmp 46private-tmp
47 47
48dbus-user filter 48dbus-user filter
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 159145b1b..859d56bd9 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -40,5 +40,5 @@ tracelog
40disable-mnt 40disable-mnt
41private-cache 41private-cache
42private-dev 42private-dev
43private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg 43private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,openal,pango,pulse,xdg
44private-tmp 44private-tmp
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 3f9497e80..addd76f7f 100644
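--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin gnome-system-log
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
 private-lib
 private-tmp
 writable-var-log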
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 4640f7f43..e7615e4f2 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin gnome-todo 46private-bin gnome-todo
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg 49private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,passwd,xdg
50private-tmp 50private-tmp
51 51
52dbus-user filter 52dbus-user filter
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index 4ad39a988..a76fbbb2c 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -41,7 +41,7 @@ tracelog
41disable-mnt 41disable-mnt
42private-cache 42private-cache
43private-dev 43private-dev
44private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11 44private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pango,passwd,X11
45private-tmp 45private-tmp
46 46
47dbus-user filter 47dbus-user filter
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 2d4ce2437..deda06f8e 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -51,7 +51,7 @@ disable-mnt
51private-bin gnote 51private-bin gnote
52private-cache 52private-cache
53private-dev 53private-dev
54private-etc dconf,fonts,gtk-3.0,pango,X11 54private-etc dconf,fonts,gtk-3.0,ld.so.preload,pango,X11
55private-tmp 55private-tmp
56 56
57dbus-user filter 57dbus-user filter
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 902e76416..e2e154216 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -43,7 +43,7 @@ private
43private-bin gnubik 43private-bin gnubik
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc drirc,fonts,gtk-2.0 46private-etc drirc,fonts,gtk-2.0,ld.so.preload
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index b3c19e97f..f33f63497 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
38# private-bin godot 38# private-bin godot
39private-cache 39private-cache
40private-dev 40private-dev
41private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl 41private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
42private-tmp 42private-tmp
43 43
44dbus-user none 44dbus-user none
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
new file mode 100644
index 000000000..59a572319
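--- /dev/null
+++ b/etc/profile-a-l/goldendict.profile
@@ -0,0 +1,57 @@
+# Firejail profile for goldendict
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goldendict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.goldendict
+noblacklist ${HOME}/.cache/GoldenDict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.goldendict
+mkdir ${HOME}/.cache/GoldenDict
+whitelist ${HOME}/.goldendict
+whitelist ${HOME}/.cache/GoldenDict
+# The default path of dictionaries
+whitelist /usr/share/stardict/dic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d leads to the libGL MESA-LOADER errors
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin goldendict
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none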
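Review bot: `protocol unix,inet,inet6,netlink` on line 43 of the new file admits netlink sockets with no comment saying what needs them, while the other relaxation in the file (`#no3d`) carries its reason. If goldendict runs without it, `protocol unix,inet,inet6` is the tighter setting; if it does not, a line such as `# netlink: required by <component>` above it records why. `private-etc` also omits `alternatives`, which several neighbouring profiles in this commit list; that may be intentional but is worth confirming on a distribution that relies on /etc/alternatives.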
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index b8e2b04df..a37c7ad77 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -54,7 +54,7 @@ disable-mnt
54private-bin env,python3*,sh,w3m 54private-bin env,python3*,sh,w3m
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl 57private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
58private-tmp 58private-tmp
59 59
60dbus-user none 60dbus-user none
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 9a782b238..436134e1b 100644
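--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.preload,passwd
 private-lib
 private-tmp
 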
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 54e52d695..e421c6a0b 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -36,6 +36,6 @@ tracelog
36 36
37private-bin gpredict 37private-bin gpredict
38private-dev 38private-dev
39private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl 39private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl
40private-tmp 40private-tmp
41 41
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 31f95fb80..efb6b39c6 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin gradio 45private-bin gradio
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg 48private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
49private-tmp 49private-tmp
50 50
51dbus-user filter 51dbus-user filter
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index c5bcc85f3..10d41735a 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -40,7 +40,7 @@ private
40private-bin gravity-beams-and-evaporating-stars 40private-bin gravity-beams-and-evaporating-stars
41private-cache 41private-cache
42private-dev 42private-dev
43private-etc fonts,machine-id 43private-etc fonts,ld.so.preload,machine-id
44private-tmp 44private-tmp
45 45
46dbus-user none 46dbus-user none
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 3231374b7..c6347efdf 100644
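--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gtk-update-icon-cache
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-lib
 private-tmp
 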
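Review bot: `private-etc ld.so.preload,none` looks like the result of a mechanical list edit: `none` stood for an empty /etc, and next to a real entry it is presumably just looked up as a file called `none`. `private-etc ld.so.preload` says the same thing without the leftover. The same line is produced in ipcalc.profile, where the comment `# empty etc directory` above it is no longer accurate, and in jumpnbump.profile.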
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 8c4453a8b..8becf6d84 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -46,7 +46,7 @@ shell none
46 46
47private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 47private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
48private-dev 48private-dev
49private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg 49private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
50 50
51# dbus-user none 51# dbus-user none
52# dbus-system none 52# dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index f210a264f..0baebdae1 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -44,7 +44,7 @@ private-bin hyperrogue
44private-cache 44private-cache
45private-cwd ${HOME} 45private-cwd ${HOME}
46private-dev 46private-dev
47private-etc fonts,machine-id 47private-etc fonts,ld.so.preload,machine-id
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index c875cad72..200b4c8b1 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -68,5 +68,5 @@ shell none
68disable-mnt 68disable-mnt
69private-cache 69private-cache
70private-dev 70private-dev
71private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl 71private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
72private-tmp 72private-tmp
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 5e54b5441..e0015e69a 100644
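--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions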
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index ea4ee5ae1..2997328e8 100644
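--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
 # private-cache
 private-dev
 # empty etc directory
-private-etc none
+private-etc ld.so.preload,none
 private-lib
 private-opt none
 private-tmp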
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 1209c5e11..59260dc64 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -34,7 +34,7 @@ tracelog
34 34
35private-bin bash,jerry,sh,stockfish 35private-bin bash,jerry,sh,stockfish
36private-dev 36private-dev
37private-etc fonts,gtk-2.0,gtk-3.0 37private-etc fonts,gtk-2.0,gtk-3.0,ld.so.preload
38private-tmp 38private-tmp
39 39
40dbus-user none 40dbus-user none
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 77d3f6bf4..b9bc8f219 100644
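--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin jumpnbump
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-tmp
 
 dbus-user none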
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 210b7cf03..5253a78b0 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -42,7 +42,7 @@ disable-mnt
42private-bin kalgebra,kalgebramobile 42private-bin kalgebra,kalgebramobile
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc fonts,machine-id 45private-etc fonts,ld.so.preload,machine-id
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 7b990bf41..d88631005 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -49,7 +49,7 @@ disable-mnt
49# private-bin kazam,python* 49# private-bin kazam,python*
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg 52private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,X11,xdg
53private-tmp 53private-tmp
54 54
55dbus-system none 55dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 46e8ccb82..c551dbdbe 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -55,7 +55,7 @@ disable-mnt
55private-bin kcalc 55private-bin kcalc
56private-cache 56private-cache
57private-dev 57private-dev
58private-etc alternatives,fonts,ld.so.cache,locale,locale.conf 58private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
59# private-lib - problems on Arch 59# private-lib - problems on Arch
60private-tmp 60private-tmp
61 61
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c9be2bcc..fa50b0a20 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -48,7 +48,7 @@ shell none
48tracelog 48tracelog
49 49
50disable-mnt 50disable-mnt
51private-bin kdiff3 51private-bin kdiff3
52private-cache 52private-cache
53private-dev 53private-dev
54 54
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 768a3cef0..616b87d7e 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
41 41
42private-bin keepassx,keepassx2 42private-bin keepassx,keepassx2
43private-dev 43private-dev
44private-etc alternatives,fonts,machine-id 44private-etc alternatives,fonts,ld.so.preload,machine-id
45private-tmp 45private-tmp
46 46
47dbus-user none 47dbus-user none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index b915f6202..45a707071 100644
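--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -88,7 +88,7 @@ tracelog
 
 private-bin keepassxc,keepassxc-cli,keepassxc-proxy
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user filter
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 # Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
 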
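Review bot: In the second hunk `?ALLOW_TRAY: dbus-user.own org.kde.*` lets a password manager own every name under `org.kde` on the session bus whenever the condition is on, and the comment that explained these two lines was removed along with the opt-in version. The change also moves the decision from a per-user keepassxc.local opt-in to a condition set elsewhere, which the profile no longer mentions. I would keep a comment above the pair, e.g. `# Tray menu: active only when ALLOW_TRAY is set; grants ownership of org.kde.* names.`, and have it say so if the wildcard is broader than the tray needs.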
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index e66716eeb..8b35a8946 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -37,7 +37,7 @@ tracelog
37 37
38private-cache 38private-cache
39private-dev 39private-dev
40private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl 40private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
41private-tmp 41private-tmp
42private-opt none 42private-opt none
43private-srv none 43private-srv none
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 968402a8a..837ea9e36 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -44,7 +44,7 @@ shell none
44disable-mnt 44disable-mnt
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl 47private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index f733fa42c..964175274 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin bash,klavaro,sh,tclsh,tclsh* 45private-bin bash,klavaro,sh,tclsh,tclsh*
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-tmp 49private-tmp
50private-opt none 50private-opt none
51private-srv none 51private-srv none
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 051782172..78eb2e8f5 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin ktouch 46private-bin ktouch
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,fonts,kde5rc,machine-id 49private-etc alternatives,fonts,kde5rc,ld.so.preload,machine-id
50private-tmp 50private-tmp
51 51
52dbus-user none 52dbus-user none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 262ffb532..ad6b2f5fe 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -68,7 +68,7 @@ tracelog
68private-bin kube,sink_synchronizer 68private-bin kube,sink_synchronizer
69private-cache 69private-cache
70private-dev 70private-dev
71private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg 71private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
72private-tmp 72private-tmp
73writable-run-user 73writable-run-user
74 74
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 5bbadfc73..32e9870e5 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -42,5 +42,5 @@ tracelog
42disable-mnt 42disable-mnt
43private-bin kwin_x11 43private-bin kwin_x11
44private-dev 44private-dev
45private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg 45private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
46private-tmp 46private-tmp
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 682c7782d..cd5ce7034 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -46,7 +46,7 @@ tracelog
46 46
47private-bin kbuildsycoca4,kdeinit4,kwrite 47private-bin kbuildsycoca4,kdeinit4,kwrite
48private-dev 48private-dev
49private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg 49private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg
50private-tmp 50private-tmp
51 51
52# dbus-user none 52# dbus-user none
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index c9f5221f7..ebffbbabf 100644
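--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc
 #private-etc librewolf
 
 dbus-user filter
+dbus-user.own org.mozilla.librewolf.*
 # Add the next line to your librewolf.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your librewolf.local to allow inhibiting screensavers.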
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index bd28f25d6..dac3eaee3 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -47,11 +47,11 @@ shell none
47tracelog 47tracelog
48 48
49disable-mnt 49disable-mnt
50# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. 50# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
51private-bin sh 51private-bin sh
52private-cache 52private-cache
53private-dev 53private-dev
54private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 54private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
55# Add the next line to your links-common.local to allow external media players. 55# Add the next line to your links-common.local to allow external media players.
56# private-etc alsa,asound.conf,machine-id,openal,pulse 56# private-etc alsa,asound.conf,machine-id,openal,pulse
57private-tmp 57private-tmp
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index a187ca0fc..a590c5fb7 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -37,6 +37,6 @@ seccomp
37shell none 37shell none
38 38
39private-dev 39private-dev
40private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg 40private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
41private-tmp 41private-tmp
42 42
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index fa69463d1..3213f3674 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -32,7 +32,7 @@ apparmor
32machine-id 32machine-id
33 33
34# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex 34# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
35private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg 35private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
36 36
37# Redirect 37# Redirect
38include latex-common.profile 38include latex-common.profile
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 15cb931dd..235640eeb 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -50,6 +50,6 @@ tracelog
50disable-mnt 50disable-mnt
51private-bin gio,QOwnNotes 51private-bin gio,QOwnNotes
52private-dev 52private-dev
53private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl 53private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 866d57e67..ca7165a5d 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -33,5 +33,5 @@ shell none
33 33
34disable-mnt 34disable-mnt
35private-bin awk,bash,dig,sh,Viber 35private-bin awk,bash,dig,sh,Viber
36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
37private-tmp 37private-tmp
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 1acd43023..722e12d9c 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -43,5 +43,5 @@ private
43# private-bin sh,xkbcomp,Xvfb 43# private-bin sh,xkbcomp,Xvfb
44# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb 44# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
45private-dev 45private-dev
46private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf 46private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
47private-tmp 47private-tmp
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index fc5ae3ee9..b7cba2421 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin magicor,python2* 45private-bin magicor,python2*
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc machine-id 48private-etc ld.so.preload,machine-id
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
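--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile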
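Review bot: `memory-deny-write-execute` sits ahead of the redirect with no comment, and because make exists to start other programs, the restriction presumably applies to every compiler, interpreter and test binary a recipe launches, not only to make itself. A build step that needs writable-and-executable memory would then fail in a way that is hard to trace back to this profile. I would add a comment above the line, e.g. `# Applies to everything a recipe runs; add 'ignore memory-deny-write-execute' to make.local if a build step needs W+X memory`. What build-systems-common.profile adds on top is not visible in this section.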
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index b2f761230..b6038cc91 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -58,7 +58,7 @@ disable-mnt
58#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim 58#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
59private-cache 59private-cache
60private-dev 60private-dev
61private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg 61private-etc alternatives,fonts,groff,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
62#private-tmp 62#private-tmp
63 63
64dbus-user none 64dbus-user none
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index e61578ffe..dc2088a18 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -36,6 +36,6 @@ tracelog
36 36
37private-cache 37private-cache
38private-dev 38private-dev
39private-etc alternatives,fonts 39private-etc alternatives,fonts,ld.so.preload
40private-tmp 40private-tmp
41 41
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 64b184482..cb14c6584 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -42,7 +42,7 @@ shell none
42 42
43disable-mnt 43disable-mnt
44private-bin mate-calc,mate-calculator 44private-bin mate-calc,mate-calculator
45private-etc alternatives,dconf,fonts,gtk-3.0 45private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
46private-dev 46private-dev
47private-opt none 47private-opt none
48private-tmp 48private-tmp
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index a6b49315c..97793abd5 100644
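--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -33,7 +33,7 @@ shell none
 
 disable-mnt
 private-bin mate-color-select
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-dev
 private-lib
 private-tmp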
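Review bot: With `private-lib` two lines below the changed `private-etc` line, keeping `/etc/ld.so.preload` only works cleanly if every library the host's file names is also present in the private lib directory. Otherwise the dynamic loader should report the object as not preloadable and ignore it on each exec, which is worth testing on a host that has a non-empty preload file. The same `private-etc` plus `private-lib` combination appears in mdr.profile, netactview.profile and mpDris2.profile on this page. A comment above the line would record the dependency, e.g. `# ld.so.preload: libraries listed there must also be reachable under private-lib`. More generally, the sandbox now preloads whatever the host file lists, so the profile's behaviour depends on host configuration.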
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 3f3d027b9..cb0002af6 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -37,7 +37,7 @@ shell none
37 37
38disable-mnt 38disable-mnt
39private-bin mate-dictionary 39private-bin mate-dictionary
40private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl 40private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl
41private-opt mate-dictionary 41private-opt mate-dictionary
42private-dev 42private-dev
43private-tmp 43private-tmp
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 7592d879c..87083f1e3 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -31,4 +31,4 @@ shell none
31 31
32private-bin mcabber 32private-bin mcabber
33private-dev 33private-dev
34private-etc alternatives,ca-certificates,crypto-policies,pki,ssl 34private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,ssl
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 08d56ede5..da5e0ffa8 100644
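--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin mdr
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-lib
 private-tmp
 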
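Review bot: `private-etc ld.so.preload,none` mixes a real entry with `none`, which in the old line reads as a placeholder for "keep nothing from /etc" (inferred from usage; the option parser is not on this page). If `none` is simply a file name that does not exist, it is now dead weight and the line no longer shows at a glance that /etc is otherwise empty. `private-etc ld.so.preload` with a comment such as `# /etc is intentionally empty apart from the loader preload file` would state the intent; if `none` has special meaning to the parser, the comment should say that instead. notify-send.profile receives the same `ld.so.preload,none` line.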
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 7597d4067..9403321e2 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -42,7 +42,7 @@ x11 none
42private-bin mediainfo 42private-bin mediainfo
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives 45private-etc alternatives,ld.so.preload
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 4845e9cce..f9f7db3cb 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -52,7 +52,7 @@ tracelog
52disable-mnt 52disable-mnt
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg 55private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
1# Firejail profile for meson
2# Description: A high productivity build system
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include meson.local
7# Persistent global definitions
8include globals.local
9
10# Allow python3 (blacklisted by disable-interpreters.inc)
11include allow-python3.inc
12
13# Redirect
14include build-systems-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 34d9f470a..095038f08 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta
17private-opt microsoft 17private-opt microsoft
18 18
19# Redirect 19# Redirect
20include chromium-common.profile \ No newline at end of file 20include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index ad7e40b12..bcc7b232b 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -42,7 +42,7 @@ private
42private-bin mindless 42private-bin mindless
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc fonts 45private-etc fonts,ld.so.preload
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index c47a16ffd..133a17350 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -44,7 +44,7 @@ private
44private-bin mirrormagic 44private-bin mirrormagic
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc machine-id 47private-etc ld.so.preload,machine-id
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index dbc3c1d40..79f603f92 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -42,7 +42,7 @@ tracelog
42private-bin mocp 42private-bin mocp
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl 45private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index f0063d250..445691f6a 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -37,7 +37,7 @@ tracelog
37private-bin mp3splt-gtk 37private-bin mp3splt-gtk
38private-cache 38private-cache
39private-dev 39private-dev
40private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse 40private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,openal,pulse
41private-tmp 41private-tmp
42 42
43dbus-user none 43dbus-user none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 400d8a6b6..4d6109250 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -44,7 +44,7 @@ disable-mnt
44private-bin flacsplt,mp3splt,mp3wrap,oggsplt 44private-bin flacsplt,mp3splt,mp3wrap,oggsplt
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alternatives 47private-etc alternatives,ld.so.preload
48private-tmp 48private-tmp
49 49
50memory-deny-write-execute 50memory-deny-write-execute
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 10964ef24..597390914 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -49,7 +49,7 @@ shell none
49private-bin mpDris2,notify-send,python* 49private-bin mpDris2,notify-send,python*
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alternatives,hosts,nsswitch.conf 52private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
53private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* 53private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index fa433b672..74402a8de 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,7 +11,7 @@ include globals.local
11# edit ~/.config/mpv/foobar.conf: 11# edit ~/.config/mpv/foobar.conf:
12# screenshot-directory=~/Pictures 12# screenshot-directory=~/Pictures
13 13
14# Mpv has a powerfull lua-API, some off these lua-scripts interact 14# Mpv has a powerful lua-API, some off these lua-scripts interact
15# with external resources which are blocked by firejail. In such cases 15# with external resources which are blocked by firejail. In such cases
16# you need to allow these resources by 16# you need to allow these resources by
17# - adding additional binaries to private-bin 17# - adding additional binaries to private-bin
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 530e779fc..16dc97d0c 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin love,mrrescue,sh 53private-bin love,mrrescue,sh
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc machine-id 56private-etc ld.so.preload,machine-id
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index ad12f53a4..7b4a305e9 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -35,7 +35,7 @@ tracelog
35 35
36disable-mnt 36disable-mnt
37private-bin bash,env,fonts,jak,ms-office,python*,sh 37private-bin bash,env,fonts,jak,ms-office,python*,sh
38private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl 38private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
39private-dev 39private-dev
40private-tmp 40private-tmp
41 41
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index a04d386a2..b95ab2194 100644
--- a/etc/profile-m-z/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -12,7 +12,7 @@ ignore net none
12netfilter 12netfilter
13protocol unix,inet,inet6 13protocol unix,inet,inet6
14 14
15private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl 15private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
16 16
17# Redirect 17# Redirect
18include mupdf.profile 18include mupdf.profile
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 07661cac8..aab2ac19d 100644
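--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,9 +29,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.preload,machine-id,pki,pulse,ssl
 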
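Review bot: `seccomp !chroot` takes chroot out of the default seccomp filter, which relaxes the sandbox alongside an unrelated `private-etc` edit and carries no explanation. A why-comment directly above the line, e.g. `# chroot is needed by the application's own sandbox (confirm)`, would let a later audit tell an intended exception from drift. Whether the call can actually succeed also depends on the capability settings, which lie outside this hunk; if the relevant capability is dropped there, the comment should say so.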
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index c4d96711c..fb923051f 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -134,7 +134,7 @@ tracelog
134# disable-mnt 134# disable-mnt
135private-cache 135private-cache
136private-dev 136private-dev
137private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg 137private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
138private-tmp 138private-tmp
139writable-run-user 139writable-run-user
140writable-var 140writable-var
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index 1b4fc4346..bf01aaa0e 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -43,7 +43,7 @@ tracelog
43 43
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,dconf,fonts,gtk-3.0 46private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 996a1722a..23a30bf97 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -49,7 +49,7 @@ private-dev
49# Add the next lines to your nano.local if you want to edit files in /etc directly. 49# Add the next lines to your nano.local if you want to edit files in /etc directly.
50#ignore private-etc 50#ignore private-etc
51#writable-etc 51#writable-etc
52private-etc alternatives,nanorc 52private-etc alternatives,ld.so.preload,nanorc
53# Add the next line to your nano.local if you want to edit files in /var directly. 53# Add the next line to your nano.local if you want to edit files in /var directly.
54#writable-var 54#writable-var
55 55
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 58cc716d9..0f55b674f 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -60,6 +60,6 @@ private-tmp
60dbus-user filter 60dbus-user filter
61dbus-user.own org.kde.neochat 61dbus-user.own org.kde.neochat
62dbus-user.talk org.freedesktop.Notifications 62dbus-user.talk org.freedesktop.Notifications
63dbus-user.talk org.kde.StatusNotifierWatcher 63?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
64dbus-user.talk org.kde.kwalletd5 64dbus-user.talk org.kde.kwalletd5
65dbus-system none 65dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 7e627a52e..1e59a1490 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -137,7 +137,7 @@ tracelog
137# disable-mnt 137# disable-mnt
138private-cache 138private-cache
139private-dev 139private-dev
140private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg 140private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
141private-tmp 141private-tmp
142writable-run-user 142writable-run-user
143writable-var 143writable-var
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 1bcc6a962..57f026a0b 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin netactview,netactview_polkit 45private-bin netactview,netactview_polkit
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-lib 49private-lib
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index fa4ccea7c..34c6110cf 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin gzip,lynx,newsboat,sh,w3m 53private-bin gzip,lynx,newsboat,sh,w3m
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo 56private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index cb499ba34..354d3351e 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -61,12 +61,11 @@ tracelog
61disable-mnt 61disable-mnt
62private-bin nextcloud,nextcloud-desktop 62private-bin nextcloud,nextcloud-desktop
63private-cache 63private-cache
64private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg 64private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
65private-dev 65private-dev
66private-tmp 66private-tmp
67 67
68dbus-user filter 68dbus-user filter
69dbus-user.talk org.freedesktop.secrets 69dbus-user.talk org.freedesktop.secrets
70# Add the next line to your nextcloud.local for tray icon support 70?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
71#dbus-user.talk org.kde.StatusNotifierWatcher
72dbus-system none 71dbus-system none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 035ad086a..89a146a09 100644
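--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,11 +51,9 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-
-# Add the next lines to your nheko.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user none
 dbus-system none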
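Review bot: The default moves from `dbus-user none` to `dbus-user filter` with `dbus-user.talk org.freedesktop.secrets` always enabled, so the sandboxed client can now reach the Secret Service on the session bus in every installation rather than only where the user opted in. That is presumably wanted for credential storage, but the profile gives no reason for it. I would put a comment above the talk line, e.g. `# Secret Service access for stored login credentials (confirm); add 'ignore dbus-user.talk org.freedesktop.secrets' to nheko.local to drop it`. The tray line is at least gated by `?ALLOW_TRAY:`, whose default is set outside this section.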
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index d5dd4ca95..d6234cd04 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,7 +42,7 @@ disable-mnt
42private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui 42private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl 45private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl
46# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare 46# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
47private-tmp 47private-tmp
48 48
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index b044fb879..0bed12b1f 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -41,5 +41,5 @@ tracelog
41#private-bin nomacs 41#private-bin nomacs
42private-cache 42private-cache
43private-dev 43private-dev
44private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl 44private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
45private-tmp 45private-tmp
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 5caf3374d..a7bb93a02 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -49,7 +49,7 @@ private
49private-bin notify-send 49private-bin notify-send
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc none 52private-etc ld.so.preload,none
53private-tmp 53private-tmp
54 54
55dbus-user filter 55dbus-user filter
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 886403b9e..9e3093ea7 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
18no3d 18no3d
19 19
20# private-bin nuclear 20# private-bin nuclear
21private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 21private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
22private-opt nuclear 22private-opt nuclear
23 23
24# Redirect 24# Redirect
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 460a580b3..9b431d76d 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin nyx,python* 45private-bin nyx,python*
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts,passwd,tor 48private-etc alternatives,fonts,ld.so.preload,passwd,tor
49private-opt none 49private-opt none
50private-srv none 50private-srv none
51private-tmp 51private-tmp
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 8e87f1d5d..0bfb35333 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -45,7 +45,7 @@ tracelog
45private-bin ocenaudio 45private-bin ocenaudio
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse 48private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
49private-tmp 49private-tmp
50 50
51# breaks preferences 51# breaks preferences
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 22cec475b..7d2374ccf 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -38,7 +38,7 @@ x11 none
38private-bin odt2txt 38private-bin odt2txt
39private-cache 39private-cache
40private-dev 40private-dev
41private-etc alternatives 41private-etc alternatives,ld.so.preload
42private-tmp 42private-tmp
43 43
44dbus-user none 44dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 84edc65ef..0a200b46e 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -61,7 +61,7 @@ tracelog
61 61
62private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar 62private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
63private-dev 63private-dev
64private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg 64private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg
65# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients 65# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
66 66
67# dbus-user none 67# dbus-user none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index b0ffba19c..e70e5e81e 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -50,7 +50,7 @@ disable-mnt
50private-cache 50private-cache
51private-bin onboard,python*,tput 51private-bin onboard,python*,tput
52private-dev 52private-dev
53private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg 53private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
54private-tmp 54private-tmp
55 55
56dbus-system none 56dbus-system none
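--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc drirc,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
 
 dbus-user none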
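--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
 
@@ -39,15 +42,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
-private-etc alternatives,texlive,texmf
+private-etc alternatives,ld.so.preload,texlive,texmf
 private-tmp
 
 dbus-user none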
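Review bot: The `private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf` line is dropped in the third hunk with no replacement and no comment, so the sandbox now sees the whole of the bin directories where it used to see nine programs. If the list was removed because it broke an output backend, say so in place, e.g. `# private-bin breaks <backend> - see <issue>`. If the missing piece was only a shell, which the new `include allow-bin-sh.inc` suggests, keeping the list and adding `sh` to it would preserve the restriction.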
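--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -27,4 +27,4 @@ shell none
 
 private-bin dbus-launch,parole
 private-cache
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,pulse,ssl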
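--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,avahi,fonts,ld.so.preload,machine-id,pulse
 private-lib
 private-tmp
 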
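Review bot: This profile also sets `private-lib` on the line after the changed one, so the libraries named in the copied `ld.so.preload` may not exist in the sandbox's restricted library directory. In that case I would expect the loader to print a warning on every program start; this needs a test on a host that actually has an /etc/ld.so.preload. If it does warn, the preload libraries have to be added to `private-lib` as well, or `ld.so.preload` left out of this list. The same combination appears in the qrencode, regextester, tin and transgui profiles further down.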
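--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -34,7 +34,7 @@ shell none
 
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,xdg
 private-tmp
 
 dbus-user none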
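--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin pdftotext
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-tmp
 
 dbus-user none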
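--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
-private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
+private-etc dconf,firejail,fonts,gtk-3.0,ld.so.preload,login.defs,pango,passwd,X11
 private-tmp
 
 dbus-user filter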
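--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin photoflare
 private-cache
 private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-etc alternatives,fonts,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
 private-tmp
 
 dbus-user none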
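--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin pingus,pingus.bin,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc ld.so.preload,machine-id
 private-tmp
 
 dbus-user none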
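--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.local/lib
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+#whitelist ${HOME}/.local/lib/python*
+
+# Redirect
+include build-systems-common.profile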
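Review bot: The local-customization include on line 6 reads `include meson.local`, which looks like a leftover from the profile this one was copied from. A pip profile would be expected to load `include pip.local`; as written, a user's pip.local is never read and meson's local overrides are applied to pip instead. Line 10, `ignore read-only ${HOME}/.local/lib`, makes the per-user library tree writable for pip. A short comment saying that this is what lets `pip install --user` write there would help, since line 15 leaves the matching whitelist commented out.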
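--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -44,7 +44,7 @@ private
 private-bin pkglog,python*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log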
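--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin plv
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log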
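--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -47,7 +47,7 @@ x11 none
 private-bin pngquant
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-tmp
 
 dbus-user none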
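--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -33,6 +33,6 @@ seccomp
 shell none
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 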
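--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -44,7 +44,7 @@ shell none
 private-bin profanity
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none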
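--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -71,7 +71,7 @@ disable-mnt
 private-bin getopt,psi
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user none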
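--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none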
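--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin 7z,qnapi
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-opt none
 private-tmp
 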
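--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin qrencode
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-lib libpcre*
 private-tmp
 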
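Review bot: `private-etc ld.so.preload,none` now mixes a real file name with `none`, which until this change stood alone and gave the profile an empty /etc. If `none` is only a placeholder for "no files", it no longer carries meaning once a real entry is listed, and `private-etc ld.so.preload` says the same thing more clearly. If it is kept on purpose, for instance for a sorting or lint tool, a one-line comment should say so.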
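--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin qtox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none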
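--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin regextester
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-lib libgranite.so.*
 private-tmp
 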
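--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin rsync
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none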
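--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin scorchwentbonkers
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none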
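--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -48,7 +48,7 @@ private
 private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc ld.so.preload,machine-id
 private-tmp
 
 dbus-user none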
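--- a/etc/profile-m-z/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -8,7 +8,7 @@ include seahorse-tool.local
 #include globals.local
 
 # private-etc workaround for: #2877
-private-etc firejail,login.defs,passwd
+private-etc firejail,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect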
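--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -49,7 +49,7 @@ tracelog
 private-bin shotwell
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.preload,machine-id
 private-opt none
 private-tmp
 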
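--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
 private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect
 include electron.profile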
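--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user none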
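--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -6,9 +6,9 @@ include softmaker-common.local
 # added by caller profile
 #include globals.local
 
-# The offical packages install the desktop file under /usr/local/share/applications
-# with an absolute Exec line. These files are NOT handelt by firecfg,
-# therefore you must manualy copy them in you home and remove '/usr/bin/'.
+# The official packages install the desktop file under /usr/local/share/applications
+# with an absolute Exec line. These files are NOT handled by firecfg,
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
 
 noblacklist ${HOME}/SoftMaker
 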
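Review bot: The third corrected comment line still reads `copy them in you home` after the spelling fixes. `# therefore you must manually copy them into your home and remove '/usr/bin/'.` would finish the cleanup in the same commit.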
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index d803fa5ce..fc4ae2b04 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -22,7 +22,7 @@ include disable-interpreters.inc
22include disable-programs.inc 22include disable-programs.inc
23include disable-xdg.inc 23include disable-xdg.inc
24 24
25mkfile ${HOME}/.config/spectaclerc 25mkfile ${HOME}/.config/spectaclerc
26whitelist ${HOME}/.config/spectaclerc 26whitelist ${HOME}/.config/spectaclerc
27whitelist ${PICTURES} 27whitelist ${PICTURES}
28whitelist /usr/share/kconf_update/spectacle_newConfig.upd 28whitelist /usr/share/kconf_update/spectacle_newConfig.upd
@@ -56,7 +56,7 @@ disable-mnt
56private-bin spectacle 56private-bin spectacle
57private-cache 57private-cache
58private-dev 58private-dev
59private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d 59private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
60private-tmp 60private-tmp
61 61
62dbus-user filter 62dbus-user filter
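--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -49,10 +49,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-dbus-user none
-# Add the next lines to your spectral.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your spectral.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none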
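Review bot: The default moves from `dbus-user none` to `dbus-user filter`, and the only rule under it is the conditional `?ALLOW_TRAY:` talk permission, so with the tray option off the filter carries no allow rule from this profile at all. A comment would make that intent clear, e.g. `# filter (not none) so that tray and notification rules can be added without an ignore line`. It would also help to say where `ALLOW_TRAY` is switched on, which is not visible in this file.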
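--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
 # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt spotify
 private-srv none
 private-tmp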
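--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -42,7 +42,7 @@ shell none
 private-bin sqlitebrowser
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,ssl
 private-tmp
 
 # breaks proxy creation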
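--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -38,7 +38,7 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 
 dbus-user none
 dbus-system none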
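--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer
 private-bin gtk-straw-viewer,straw-viewer
 
 # Redirect
-include youtube-viewers-common.profile
\ No newline at end of file
+include youtube-viewers-common.profile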
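--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin strawberry,strawberry-tagreader
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-system none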
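--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -44,7 +44,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 
 dbus-user none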
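--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 # private-bin supertux2
 private-cache
-private-etc machine-id
+private-etc ld.so.preload,machine-id
 private-dev
 private-tmp
 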
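--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -54,7 +54,7 @@ private-bin supertuxkart
 private-cache
 # Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none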
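--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -34,6 +34,6 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 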
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index 4637419bf..046d1b4be 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -1,5 +1,5 @@
1# Firejail profile for Sway 1# Firejail profile for Sway
2# Description: i3-compatible Wayland compositor 2# Description: i3-compatible Wayland compositor
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations 4# Persistent local customizations
5include sway.local 5include sway.local
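--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -63,7 +63,7 @@ disable-mnt
 #private-bin sysprof - breaks help menu
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 # private-lib - breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp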
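--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -14,7 +14,7 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-private-etc alternatives,group,localtime,login.defs,passwd
+private-etc alternatives,group,ld.so.preload,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var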
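--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
 
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile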
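--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -41,16 +41,16 @@ seccomp.block-secondary
 shell none
 
 disable-mnt
-#private-bin telegram,Telegram,telegram-desktop
+private-bin telegram,Telegram,telegram-desktop
 private-cache
 private-dev
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
 dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none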
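Review bot: `private-bin telegram,Telegram,telegram-desktop` is switched on with no note on what it costs: any helper the client launches from the bin directories, a link opener for example, is presumably no longer visible in the sandbox. If that was tested, a line such as `# private-bin may break opening links; add the helper to telegram.local if needed` would save users a bug report. The `?ALLOW_TRAY:` prefix also makes the StatusNotifierWatcher permission conditional, which removes the tray icon for anyone who has not set the option. That behaviour change belongs in the release notes if they do not already cover it.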
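--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -30,6 +30,6 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 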
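--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin rtin,tin
 private-cache
 private-dev
-private-etc passwd,resolv.conf,terminfo,tin
+private-etc ld.so.preload,passwd,resolv.conf,terminfo,tin
 private-lib terminfo
 private-tmp
 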
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 08e949309..312123f59 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -46,6 +46,6 @@ private
46private-bin bash,tor 46private-bin bash,tor
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor 49private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor
50private-tmp 50private-tmp
51writable-var 51writable-var
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 2b63f6448..0e23b7843 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -45,7 +45,7 @@ tracelog
45private-bin geoiplookup,geoiplookup6,transgui 45private-bin geoiplookup,geoiplookup6,transgui
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* 49private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 486be5fe6..b3fab083c 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -8,7 +8,7 @@ include transmission-cli.local
8include globals.local 8include globals.local
9 9
10private-bin transmission-cli 10private-bin transmission-cli
11private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 11private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
12 12
13# Redirect 13# Redirect
14include transmission-common.profile 14include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 348d3cb80..9d91b8b81 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
17protocol packet 17protocol packet
18 18
19private-bin transmission-daemon 19private-bin transmission-daemon
20private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 20private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
21 21
22read-write /var/lib/transmission 22read-write /var/lib/transmission
23writable-var-log 23writable-var-log
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..20d54500f 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk
12mkdir ${HOME}/.config/transmission-remote-gtk 12mkdir ${HOME}/.config/transmission-remote-gtk
13whitelist ${HOME}/.config/transmission-remote-gtk 13whitelist ${HOME}/.config/transmission-remote-gtk
14 14
15private-etc fonts,hostname,hosts,resolv.conf 15private-etc fonts,hostname,hosts,ld.so.preload,resolv.conf
16# Problems with private-lib (see issue #2889) 16# Problems with private-lib (see issue #2889)
17ignore private-lib 17ignore private-lib
18 18
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index fee4999e6..ad4ad2172 100644
--- a/etc/profile-m-z/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -8,7 +8,7 @@ include transmission-remote.local
8include globals.local 8include globals.local
9 9
10private-bin transmission-remote 10private-bin transmission-remote
11private-etc alternatives,hosts,nsswitch.conf 11private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
12 12
13# Redirect 13# Redirect
14include transmission-common.profile 14include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 5a3c83f58..822a368da 100644
--- a/etc/profile-m-z/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
@@ -8,7 +8,7 @@ include transmission-show.local
8include globals.local 8include globals.local
9 9
10private-bin transmission-show 10private-bin transmission-show
11private-etc alternatives,hosts,nsswitch.conf 11private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
12 12
13# Redirect 13# Redirect
14include transmission-common.profile 14include transmission-common.profile
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 41426c606..1959aee1e 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -54,7 +54,7 @@ tracelog
54private-bin trojita 54private-bin trojita
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg 57private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
58private-tmp 58private-tmp
59 59
60dbus-user filter 60dbus-user filter
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d767b4c9d..bd2f1bcf9 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch
18whitelist ${HOME}/.config/Twitch 18whitelist ${HOME}/.config/Twitch
19 19
20private-bin electron,electron[0-9],electron[0-9][0-9],twitch 20private-bin electron,electron[0-9],electron[0-9][0-9],twitch
21private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 21private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
22private-opt Twitch 22private-opt Twitch
23 23
24# Redirect 24# Redirect
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 212e6d181..685e74e25 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -49,7 +49,7 @@ private-bin unf
49private-cache 49private-cache
50?HAS_APPIMAGE: ignore private-dev 50?HAS_APPIMAGE: ignore private-dev
51private-dev 51private-dev
52private-etc alternatives 52private-etc alternatives,ld.so.preload
53private-lib gcc/*/*/libgcc_s.so.* 53private-lib gcc/*/*/libgcc_s.so.*
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 9d3d9b40e..761ee91c5 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,7 @@ include unrar.local
8include globals.local 8include globals.local
9 9
10private-bin unrar 10private-bin unrar
11private-etc alternatives,group,localtime,passwd 11private-etc alternatives,group,ld.so.preload,localtime,passwd
12private-tmp 12private-tmp
13 13
14# Redirect 14# Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 0231e3dba..981826b16 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,7 @@ include globals.local
10# GNOME Shell integration (chrome-gnome-shell) 10# GNOME Shell integration (chrome-gnome-shell)
11noblacklist ${HOME}/.local/share/gnome-shell 11noblacklist ${HOME}/.local/share/gnome-shell
12 12
13private-etc alternatives,group,localtime,passwd 13private-etc alternatives,group,ld.so.preload,localtime,passwd
14 14
15# Redirect 15# Redirect
16include archiver-common.profile 16include archiver-common.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index b164494fa..5a867a683 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin utox 43private-bin utox
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl 46private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
47private-tmp 47private-tmp
48 48
49memory-deny-write-execute 49memory-deny-write-execute
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 469e65542..ed2f0103b 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -43,7 +43,7 @@ tracelog
43private-bin viewnior 43private-bin viewnior
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts,machine-id 46private-etc alternatives,fonts,ld.so.preload,machine-id
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 6ab9aa15b..a6d3eaafd 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -45,7 +45,7 @@ tracelog
45#disable-mnt 45#disable-mnt
46#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami 46#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
47private-cache 47private-cache
48private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl 48private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index cb85836b7..8e25daee0 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
38#disable-mnt 38#disable-mnt
39# Add the next line to your vmware.local to enable private-bin. 39# Add the next line to your vmware.local to enable private-bin.
40#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* 40#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
41private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix 41private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
42dbus-user none 42dbus-user none
43dbus-system none 43dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..9c0a887b2 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
1# Firejail profile alias for Visual Studio Code 1# Firejail profile alias for VSCodium
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations 3# Persistent local customizations
4include vscodium.local 4include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
7#include globals.local 7#include globals.local
8 8
9noblacklist ${HOME}/.VSCodium 9noblacklist ${HOME}/.VSCodium
10noblacklist ${HOME}/.config/VSCodium
11noblacklist ${HOME}/.vscode-oss
10 12
11# Redirect 13# Redirect
12include code.profile 14include code.profile
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 81c8a2f5c..d2e30e824 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -62,7 +62,7 @@ disable-mnt
62private-bin perl,sh,w3m 62private-bin perl,sh,w3m
63private-cache 63private-cache
64private-dev 64private-dev
65private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl 65private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
66private-tmp 66private-tmp
67 67
68dbus-user none 68dbus-user none
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 92e0e7a83..fc59b7239 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -49,7 +49,7 @@ disable-mnt
49private-bin warmux 49private-bin warmux
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl 52private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
53private-tmp 53private-tmp
54 54
55dbus-user none 55dbus-user none
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 2f26bf14c..ae3944561 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird
21no3d 21no3d
22 22
23private-bin electron,electron[0-9],electron[0-9][0-9],whalebird 23private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
24private-etc fonts,machine-id 24private-etc fonts,ld.so.preload,machine-id
25 25
26# Redirect 26# Redirect
27include electron.profile 27include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 755e62f60..0650e41ad 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -47,7 +47,7 @@ private
47private-bin bash,sh,whois 47private-bin bash,sh,whois
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf 50private-etc alternatives,hosts,jwhois.conf,ld.so.preload,resolv.conf,services,whois.conf
51private-lib gconv 51private-lib gconv
52private-tmp 52private-tmp
53 53
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 151cd2adb..eebad4a19 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire
26whitelist ${HOME}/.config/Wire 26whitelist ${HOME}/.config/Wire
27 27
28private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop 28private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
29private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl 29private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl
30 30
31# Redirect 31# Redirect
32include electron.profile 32include electron.profile
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index b2f3341ee..374290ed0 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -45,7 +45,7 @@ private
45private-bin wordwarvi 45private-bin wordwarvi
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alsa,asound.conf,machine-id,pulse 48private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index c9e408ccd..738b5ca13 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -44,7 +44,7 @@ private
44private-bin xbill 44private-bin xbill
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc none 47private-etc ld.so.preload,none
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
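Review bot: `private-etc ld.so.preload,none` mixes a real file name with `none`, which as far as I can tell is only a placeholder name that matches nothing in /etc, so a reader can mistake it for a keyword that empties the list. A one-line comment above it would prevent that: `# 'none' is a dummy entry; only ld.so.preload is kept in /etc`. The change also moves this profile from an empty /etc to one that carries the host's preload list, which is worth stating explicitly in the commit message.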
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 05c46dffb..21857dbe6 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin xfce4-mixer,xfconf-query 46private-bin xfce4-mixer,xfconf-query
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,asound.conf,fonts,machine-id,pulse 49private-etc alternatives,asound.conf,fonts,ld.so.preload,machine-id,pulse
50private-tmp 50private-tmp
51 51
52dbus-user filter 52dbus-user filter
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b869ae005..ad3058ce2 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -42,7 +42,7 @@ tracelog
42disable-mnt 42disable-mnt
43private-bin xfce4-screenshooter,xfconf-query 43private-bin xfce4-screenshooter,xfconf-query
44private-dev 44private-dev
45private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl 45private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 070e5e0f7..9b7a006d2 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -47,5 +47,5 @@ disable-mnt
47private-bin xiphos 47private-bin xiphos
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf 50private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
51private-tmp 51private-tmp
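Review bot: The rewritten `private-etc` line still lists `ssli`, which looks like a typo for `ssl` carried over unchanged from the old side. The other profiles in this commit that list `ca-certificates`, `crypto-policies` and `pki` all use `ssl`. As written, /etc/ssl is presumably left out of the private /etc, which can break certificate lookup for anything the program fetches over TLS. Since the line is being edited anyway, I would change it to `private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl,sword,sword.conf`.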
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index d5e25cfe7..1c9310986 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -14,7 +14,7 @@ include whitelist-common.inc
14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' 14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line 15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
16private-bin xlinks 16private-bin xlinks
17private-etc fonts 17private-etc fonts,ld.so.preload
18 18
19# Redirect 19# Redirect
20include links.profile 20include links.profile
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
index 1ae6a60ca..bbf660e29 100644
--- a/etc/profile-m-z/xlinks2
+++ b/etc/profile-m-z/xlinks2
@@ -14,7 +14,7 @@ include whitelist-common.inc
14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' 14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line 15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
16private-bin xlinks2 16private-bin xlinks2
17private-etc fonts 17private-etc fonts,ld.so.preload
18 18
19# Redirect 19# Redirect
20include links2.profile 20include links2.profile
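Review bot: The patched file is `etc/profile-m-z/xlinks2`, without the `.profile` suffix that the other profiles in this directory carry, so it is probably never matched as the profile for `xlinks2`. If so, this edit has no effect until the file is renamed to `xlinks2.profile`. The context comment above `private-bin` also still points users at `xlinks.local`; for this profile it should read `# to your xlinks2.local or append 'PROGRAM1,PROGRAM2' to this private-bin line`. The hunk starts after the file's header, so which `.local` file is actually included is not visible here.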
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index 8179e8d76..2a9fbf171 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -38,7 +38,7 @@ disable-mnt
38private ${HOME}/.xmr-stak 38private ${HOME}/.xmr-stak
39private-bin xmr-stak 39private-bin xmr-stak
40private-dev 40private-dev
41private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 41private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
42#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend 42#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
43private-opt cuda 43private-opt cuda
44private-tmp 44private-tmp
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index e4282a125..fe7395078 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -43,7 +43,7 @@ tracelog
43private-bin xournal 43private-bin xournal
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts,group,machine-id,passwd 46private-etc alternatives,fonts,group,ld.so.preload,machine-id,passwd
47# TODO should use private-lib 47# TODO should use private-lib
48private-tmp 48private-tmp
49 49
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index f59adc6e2..8b880426f 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -39,7 +39,7 @@ tracelog
39 39
40private-bin xreader,xreader-previewer,xreader-thumbnailer 40private-bin xreader,xreader-previewer,xreader-thumbnailer
41private-dev 41private-dev
42private-etc alternatives,fonts,ld.so.cache 42private-etc alternatives,fonts,ld.so.cache,ld.so.preload
43private-tmp 43private-tmp
44 44
45memory-deny-write-execute 45memory-deny-write-execute
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 2a6dbe1bf..c5e44c6b4 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -56,7 +56,7 @@ disable-mnt
56private-bin groff,man,tbl,troff,yelp 56private-bin groff,man,tbl,troff,yelp
57private-cache 57private-cache
58private-dev 58private-dev
59private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml 59private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
60private-tmp 60private-tmp
61 61
62dbus-user filter 62dbus-user filter
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index 5d6fb47c1..94f37a92b 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -49,7 +49,7 @@ disable-mnt
49private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui 49private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl 52private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl
53private-tmp 53private-tmp
54 54
55dbus-user none 55dbus-user none
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 145e565fd..71e50ab11 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -58,7 +58,7 @@ tracelog
58private-bin env,ffmpeg,python*,youtube-dl 58private-bin env,ffmpeg,python*,youtube-dl
59private-cache 59private-cache
60private-dev 60private-dev
61private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf 61private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
62private-tmp 62private-tmp
63 63
64dbus-user none 64dbus-user none
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index b54dd37ad..825599fcc 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer
18private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer 18private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
19 19
20# Redirect 20# Redirect
21include youtube-viewers-common.profile \ No newline at end of file 21include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index a05f05c51..3224f8fc6 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp 53private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg 56private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index efb001ee6..c7dbec968 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube
17whitelist ${HOME}/.config/Youtube 17whitelist ${HOME}/.config/Youtube
18 18
19private-bin electron,electron[0-9],electron[0-9][0-9],youtube 19private-bin electron,electron[0-9],electron[0-9][0-9],youtube
20private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 20private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
21private-opt Youtube 21private-opt Youtube
22 22
23# Redirect 23# Redirect
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index ce7161a70..35ecf059d 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164
14whitelist ${HOME}/.config/youtubemusic-nativefier-040164 14whitelist ${HOME}/.config/youtubemusic-nativefier-040164
15 15
16private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier 16private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
18private-opt youtubemusic-nativefier 18private-opt youtubemusic-nativefier
19 19
20# Redirect 20# Redirect
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 1c3382a08..bfb24b488 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.config/yt-dlp
13noblacklist ${HOME}/yt-dlp.conf 13noblacklist ${HOME}/yt-dlp.conf
14 14
15private-bin yt-dlp 15private-bin yt-dlp
16private-etc yt-dlp.conf 16private-etc ld.so.preload,yt-dlp.conf
17 17
18# Redirect 18# Redirect
19include youtube-dl.profile 19include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index ab46fccc2..84f2f3cb2 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
14whitelist ${HOME}/.config/youtube-music-desktop-app 14whitelist ${HOME}/.config/youtube-music-desktop-app
15 15
16# private-bin env,ytmdesktop 16# private-bin env,ytmdesktop
17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
18# private-opt 18# private-opt
19 19
20# Redirect 20# Redirect
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 604da4c8e..c1c94d74f 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -44,5 +44,5 @@ disable-mnt
44private-bin locale,zulip 44private-bin locale,zulip
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc asound.conf,fonts,machine-id 47private-etc asound.conf,fonts,ld.so.preload,machine-id
48private-tmp 48private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 049a41328..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -205,7 +205,7 @@ include globals.local
205 205
206# Since 0.9.63 also a more granular control of dbus is supported. 206# Since 0.9.63 also a more granular control of dbus is supported.
207# To get the dbus-addresses an application needs access to you can 207# To get the dbus-addresses an application needs access to you can
208# check with flatpak (when the application is distriputed that way): 208# check with flatpak (when the application is distributed that way):
209# flatpak remote-info --show-metadata flathub <APP-ID> 209# flatpak remote-info --show-metadata flathub <APP-ID>
210# Notes: 210# Notes:
211# - flatpak implicitly allows an app to own <APP-ID> on the session bus 211# - flatpak implicitly allows an app to own <APP-ID> on the session bus
diff --git a/gcov.sh b/gcov.sh
index 65f06a4d4..9bb2596f6 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -24,8 +24,8 @@ gcov_init() {
24} 24}
25 25
26generate() { 26generate() {
27 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new 27 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
28 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file 28 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
29 rm -fr gcov-dir 29 rm -fr gcov-dir
30 genhtml -q gcov-file --output-directory gcov-dir 30 genhtml -q gcov-file --output-directory gcov-dir
31 sudo rm `find . -name *.gcda` 31 sudo rm `find . -name *.gcda`
@@ -35,7 +35,7 @@ generate() {
35 35
36 36
37gcov_init 37gcov_init
38lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old 38lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
39 39
40#make test-utils 40#make test-utils
41#generate 41#generate
diff --git a/linecnt.sh b/linecnt.sh
index ccce2da82..86bccbc07 100755
--- a/linecnt.sh
+++ b/linecnt.sh
@@ -26,6 +26,6 @@ gcov_init() {
26rm -fr gcov-dir 26rm -fr gcov-dir
27gcov_init 27gcov_init
28lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ 28lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \
29 -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ 29 -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
30 -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file 30 -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file
31genhtml -q gcov-file --output-directory gcov-dir 31genhtml -q gcov-file --output-directory gcov-dir
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index f68edf380..ff411c807 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -5,7 +5,7 @@
5# http://bash-completion.alioth.debian.org 5# http://bash-completion.alioth.debian.org
6#******************************************************************* 6#*******************************************************************
7 7
8__interfaces(){ 8__interfaces() {
9 cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs 9 cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
10} 10}
11 11
@@ -90,11 +90,11 @@ _firejail()
90 _filedir 90 _filedir
91 return 0 91 return 0
92 ;; 92 ;;
93 --net) 93 --net)
94 comps=$(__interfaces) 94 comps=$(__interfaces)
95 COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) 95 COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
96 return 0 96 return 0
97 ;; 97 ;;
98 esac 98 esac
99 99
100 $split && return 0 100 $split && return 0
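--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) {
 void build_var(const char *fname, FILE *fp) {
  assert(fname);
 
- var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/");
+ var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
  process_files(fname, "/var", var_callback);
 
  // always whitelist /var
  if (var_out)
- filedb_print(var_out, "allow /var/", fp);
+ filedb_print(var_out, "whitelist /var/", fp);
  fprintf(fp, "include whitelist-var-common.inc\n");
 }
 
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) {
 void build_share(const char *fname, FILE *fp) {
  assert(fname);
 
- share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/");
+ share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
  process_files(fname, "/usr/share", share_callback);
 
  // always whitelist /usr/share
  if (share_out)
- filedb_print(share_out, "allow /usr/share/", fp);
+ filedb_print(share_out, "whitelist /usr/share/", fp);
  fprintf(fp, "include whitelist-usr-share-common.inc\n");
 }
 
@@ -236,9 +236,6 @@ void build_share(const char *fname, FILE *fp) {
 //*******************************************
 static FileDB *tmp_out = NULL;
 static void tmp_callback(char *ptr) {
- // skip strace file
- if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
- return;
  if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
  return;
  if (strcmp(ptr, "/tmp") == 0)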
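--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -140,7 +140,7 @@ void build_home(const char *fname, FILE *fp) {
  assert(fname);
 
  // load whitelist common
- db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/");
+ db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
 
  // find user home directory
  struct passwd *pw = getpwuid(getuid());
@@ -168,7 +168,7 @@ void build_home(const char *fname, FILE *fp) {
 
  // print the out list if any
  if (db_out) {
- filedb_print(db_out, "allow ${HOME}/", fp);
+ filedb_print(db_out, "whitelist ${HOME}/", fp);
  fprintf(fp, "include whitelist-common.inc\n");
  }
  else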
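--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -92,7 +92,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
  if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
  if (fp == stdout)
- printf("--- Built profile beings after this line ---\n");
+ printf("--- Built profile begins after this line ---\n");
  fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
  fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
  fprintf(fp, "# automatically every time you sandbox your application.\n#\n");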
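--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -88,7 +88,8 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
  if (arg_debug)
  printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
- setfilecon_raw(procfs_path, fcon);
+ if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+ printf("Cannot relabel %s: %s\n", path, strerror(errno));
  }
  freecon(fcon);
  close: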
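Review bot: A failed setfilecon_raw() is reported only when arg_debug is set, and then on stdout, so in a normal run a path that could not be relabeled keeps its previous SELinux context and nothing says so. If the label matters for the sandbox, report it unconditionally on stderr, e.g. `if (setfilecon_raw(procfs_path, fcon) != 0) fprintf(stderr, "Warning: cannot relabel %s: %s\n", path, strerror(errno));`; if failure is expected on some filesystems, a comment saying so would explain the debug-only message. The new line uses errno and strerror(), so errno.h and string.h need to be in scope; the file's includes are not visible here. selinux_relabel_path starts before the hunk and continues past it.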
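--- a/src/fids/fids.h
+++ b/src/fids/fids.h
@@ -48,4 +48,4 @@ int db_exclude_check(const char *fname);
 //#define KEY_SIZE 512
 int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
 
-#endif
\ No newline at end of file
+#endif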
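--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -151,6 +151,7 @@ clocks
 cmus
 code
 code-oss
+codium
 cola
 colorful
 com.github.bleakgrey.tootle
@@ -348,6 +349,7 @@ gnome-weather
 gnote
 gnubik
 godot
+goldendict
 goobox
 google-chrome
 google-chrome-beta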
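--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -18,7 +18,8 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
-#include <sys/stat.h>
+#include <sys/wait.h>
+#include <errno.h>
 
 #define MAXBUF 4096
 
@@ -68,52 +69,60 @@ errout:
  fclose(fp);
 }
 
+static int is_cgroup_path(const char *fname) {
+ // path starts with /sys/fs/cgroup
+ if (strncmp(fname, "/sys/fs/cgroup", 14) != 0)
+ return 0;
 
-void set_cgroup(const char *path) {
- EUID_ASSERT();
+ // no .. traversal
+ char *ptr = strstr(fname, "..");
+ if (ptr)
+ return 0;
 
- invalid_filename(path, 0); // no globbing
+ return 1;
+}
 
- // path starts with /sys/fs/cgroup
- if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
- goto errout;
+void check_cgroup_file(const char *fname) {
+ assert(fname);
+ invalid_filename(fname, 0); // no globbing
 
- // path ends in tasks
- char *ptr = strstr(path, "tasks");
- if (!ptr)
- goto errout;
- if (*(ptr + 5) != '\0')
+ if (!is_cgroup_path(fname))
  goto errout;
 
- // no .. traversal
- ptr = strstr(path, "..");
- if (ptr)
+ const char *base = gnu_basename(fname);
+ if (strcmp(base, "tasks") != 0 && // cgroup v1
+ strcmp(base, "cgroup.procs") != 0)
  goto errout;
 
- // tasks file exists
- FILE *fp = fopen(path, "ae");
- if (!fp)
- goto errout;
- // task file belongs to the user running the sandbox
- int fd = fileno(fp);
- if (fd == -1)
- errExit("fileno");
- struct stat s;
- if (fstat(fd, &s) == -1)
- errExit("fstat");
- if (s.st_uid != getuid() && s.st_gid != getgid())
- goto errout2;
- // add the task to cgroup
- pid_t pid = getpid();
- int rv = fprintf(fp, "%d\n", pid);
- (void) rv;
- fclose(fp);
- return;
+ if (access(fname, W_OK) == 0)
+ return;
 
 errout:
  fprintf(stderr, "Error: invalid cgroup\n");
  exit(1);
-errout2:
- fprintf(stderr, "Error: you don't have permissions to use this control group\n");
- exit(1);
+}
+
+static void do_set_cgroup(const char *fname, pid_t pid) {
+ FILE *fp = fopen(fname, "ae");
+ if (!fp) {
+ fwarning("cannot open %s for writing: %s\n", fname, strerror(errno));
+ return;
+ }
+
+ int rv = fprintf(fp, "%d\n", pid);
+ (void) rv;
+ fclose(fp);
+}
+
+void set_cgroup(const char *fname, pid_t pid) {
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ drop_privs(0);
+
+ do_set_cgroup(fname, pid);
+ _exit(0);
+ }
+ waitpid(child, NULL, 0);
 }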
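Review bot: In do_set_cgroup the result of the write is discarded (`(void) rv;`) and fclose() is not checked, so a write the kernel rejects produces no message; with a buffered stream the error normally surfaces only at fclose(), and the sandbox then presumably keeps running outside the requested cgroup. Checking both, e.g. `if (fclose(fp) != 0 || rv < 0) fwarning("cannot write to %s: %s\n", fname, strerror(errno));`, would make that visible, and set_cgroup could inspect the status from waitpid() instead of passing NULL. Separately, is_cgroup_path compares only the first 14 bytes, so a sibling name such as `/sys/fs/cgroupX/tasks` passes the prefix test; adding `if (fname[14] != '/') return 0;` after the strncmp closes that. The access() test in check_cgroup_file is advisory only, since the file is reopened later in the child after drop_privs(0), which is worth a comment on check_cgroup_file.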
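--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -58,6 +58,7 @@ int checkcfg(int val) {
  cfg_val[CFG_XPRA_ATTACH] = 0;
  cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
  cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
+ cfg_val[CFG_ALLOW_TRAY] = 0;
 
  // open configuration file
  const char *fname = SYSCONFDIR "/firejail.config";
@@ -122,6 +123,7 @@ int checkcfg(int val) {
  PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
  PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
  PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+ PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
 #undef PARSE_YESNO
 
  // netfilter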
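--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) {
  if (arg_debug)
  printf("Updating chroot /%s\n", relpath);
  unlinkat(parentfd, relpath, 0);
- int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  if (out == -1) {
  close(in);
  goto errout;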
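--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <limits.h>
 
 typedef struct env_t {
  struct env_t *next;
@@ -262,7 +263,7 @@ static const char * const env_whitelist[] = {
  "LANG",
  "LANGUAGE",
  "LC_MESSAGES",
- "PATH",
+ // "PATH",
  "DISPLAY" // required by X11
 };
 
@@ -311,6 +312,10 @@ void env_apply_whitelist(void) {
  errExit("clearenv");
 
  env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+ // hardcoding PATH
+ if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+ errExit("setenv");
 }
 
 // Filter env variables for a sbox app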
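Review bot: The fixed PATH set in env_apply_whitelist carries only the comment `// hardcoding PATH`, which says what is done but not why, and the old entry is left behind as a commented-out `// "PATH",` in env_whitelist. Deleting that dead entry and stating the reason next to the setenv would help the next reader, for example `// PATH is not inherited from the caller's environment; use a fixed system path` (wording to be confirmed by the author, since the motivation is not visible here). The literal could also become a named constant so that any other place needing the same default uses the identical value. Separately, the first hunk adds `#include <limits.h>`, while the firejail.h change in this same commit notes that plain limits.h may break ARG_MAX (see #4583); one of the two probably wants adjusting. env_apply_whitelist starts before the hunk.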
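--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 
@@ -433,13 +434,15 @@ void fs_proc_sys_dev_boot(void);
 void disable_config(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
-// mount overlayfs on top of / directory
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
-void fs_overlayfs(void);
 void fs_private_tmp(void);
 void fs_private_cache(void);
 void fs_mnt(const int enforce);
 
+// fs_overlayfs.c
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
+void fs_overlayfs(void);
+int remove_overlay_directory(void);
+
 // chroot.c
 // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
 void fs_check_chroot_dir(void);
@@ -516,6 +519,7 @@ void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *realpath_as_user(const char *fname);
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);
 int stat_as_user(const char *fname, struct stat *s);
 int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
@@ -529,8 +533,7 @@ void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
 uid_t pid_get_uid(pid_t pid);
-uid_t get_group_id(const char *group);
-int remove_overlay_directory(void);
+gid_t get_group_id(const char *groupname);
 void flush_stdin(void);
 int create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
@@ -563,8 +566,8 @@ typedef struct {
 
 // mountinfo.c
 MountData *get_last_mount(void);
-int get_mount_id(const char *path);
-char **build_mount_array(const int mount_id, const char *path);
+int get_mount_id(int fd);
+char **build_mount_array(const int mountid, const char *path);
 
 // fs_var.c
 void fs_var_log(void); // mounting /var/log
@@ -621,7 +624,8 @@ void caps_print_filter(pid_t pid) __attribute__((noreturn));
 void caps_drop_dac_override(void);
 
 // fs_trace.c
-void fs_trace_preload(void);
+void fs_trace_touch_preload(void);
+void fs_trace_touch_or_store_preload(void);
 void fs_tracefile(void);
 void fs_trace(void);
 
@@ -644,7 +648,8 @@ void cpu_print_filter(pid_t pid) __attribute__((noreturn));
 // cgroup.c
 void save_cgroup(void);
 void load_cgroup(const char *fname);
-void set_cgroup(const char *path);
+void check_cgroup_file(const char *fname);
+void set_cgroup(const char *fname, pid_t pid);
 
 // output.c
 void check_output(int argc, char **argv);
@@ -801,6 +806,7 @@ enum {
  CFG_NAME_CHANGE,
  CFG_SECCOMP_ERROR_ACTION,
  // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
+ CFG_ALLOW_TRAY,
  CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;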
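Review bot: The new prototype `ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);` has no comment, and its shape follows readlink(2), which does not NUL-terminate the buffer, so a caller cannot tell from the header whether the result is terminated or what is returned on truncation. A one-line comment above the declaration stating the termination and error contract, taken from the implementation, would settle it. The cgroup.c pair would benefit in the same way: `check_cgroup_file` exits the process on an invalid path and `set_cgroup` now takes the pid to add and does the write in a child after dropping privileges, neither of which is visible from the declarations. `get_mount_id(int fd)` likewise changed from a path to a descriptor without a note on what kind of descriptor it expects.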
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5ac2da164..9c1b889ed 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -20,10 +20,7 @@
20#include "firejail.h" 20#include "firejail.h"
21#include "../include/gcov_wrapper.h" 21#include "../include/gcov_wrapper.h"
22#include <sys/mount.h> 22#include <sys/mount.h>
23#include <sys/stat.h>
24#include <sys/statvfs.h> 23#include <sys/statvfs.h>
25#include <sys/wait.h>
26#include <linux/limits.h>
27#include <fnmatch.h> 24#include <fnmatch.h>
28#include <glob.h> 25#include <glob.h>
29#include <dirent.h> 26#include <dirent.h>
@@ -35,7 +32,7 @@
35#endif 32#endif
36 33
37#define MAX_BUF 4096 34#define MAX_BUF 4096
38#define EMPTY_STRING ("") 35
39// check noblacklist statements not matched by a proper blacklist in disable-*.inc files 36// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
40//#define TEST_NO_BLACKLIST_MATCHING 37//#define TEST_NO_BLACKLIST_MATCHING
41 38
@@ -108,7 +105,7 @@ static void disable_file(OPERATION op, const char *filename) {
108 } 105 }
109 106
110 // check for firejail executable 107 // check for firejail executable
111 // we migth have a file found in ${PATH} pointing to /usr/bin/firejail 108 // we might have a file found in ${PATH} pointing to /usr/bin/firejail
112 // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird 109 // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
113 // and expects Firefox to open in the same sandbox 110 // and expects Firefox to open in the same sandbox
114 if (strcmp(BINDIR "/firejail", fname) == 0) { 111 if (strcmp(BINDIR "/firejail", fname) == 0) {
@@ -200,8 +197,6 @@ static void disable_file(OPERATION op, const char *filename) {
200 } 197 }
201 198
202 fs_tmpfs(fname, uid); 199 fs_tmpfs(fname, uid);
203 EUID_USER(); // fs_tmpfs returns with EUID 0
204
205 selinux_relabel_path(fname, fname); 200 selinux_relabel_path(fname, fname);
206 } 201 }
207 else 202 else
@@ -282,6 +277,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
282 277
283// blacklist files or directories by mounting empty files on top of them 278// blacklist files or directories by mounting empty files on top of them
284void fs_blacklist(void) { 279void fs_blacklist(void) {
280 EUID_ASSERT();
281
285 ProfileEntry *entry = cfg.profile; 282 ProfileEntry *entry = cfg.profile;
286 if (!entry) 283 if (!entry)
287 return; 284 return;
@@ -293,7 +290,6 @@ void fs_blacklist(void) {
293 if (noblacklist == NULL) 290 if (noblacklist == NULL)
294 errExit("failed allocating memory for noblacklist entries"); 291 errExit("failed allocating memory for noblacklist entries");
295 292
296 EUID_USER();
297 while (entry) { 293 while (entry) {
298 OPERATION op = OPERATION_MAX; 294 OPERATION op = OPERATION_MAX;
299 char *ptr; 295 char *ptr;
@@ -469,8 +465,6 @@ void fs_blacklist(void) {
469 for (i = 0; i < noblacklist_c; i++) 465 for (i = 0; i < noblacklist_c; i++)
470 free(noblacklist[i]); 466 free(noblacklist[i]);
471 free(noblacklist); 467 free(noblacklist);
472
473 EUID_ROOT();
474} 468}
475 469
476//*********************************************** 470//***********************************************
@@ -479,7 +473,7 @@ void fs_blacklist(void) {
479 473
480// mount a writable tmpfs on directory; requires a resolved path 474// mount a writable tmpfs on directory; requires a resolved path
481void fs_tmpfs(const char *dir, unsigned check_owner) { 475void fs_tmpfs(const char *dir, unsigned check_owner) {
482 EUID_USER(); 476 EUID_ASSERT();
483 assert(dir); 477 assert(dir);
484 if (arg_debug) 478 if (arg_debug)
485 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); 479 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -504,12 +498,13 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
504 errExit("fstatvfs"); 498 errExit("fstatvfs");
505 unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT); 499 unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
506 // mount via the symbolic link in /proc/self/fd 500 // mount via the symbolic link in /proc/self/fd
507 EUID_ROOT();
508 char *proc; 501 char *proc;
509 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) 502 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
510 errExit("asprintf"); 503 errExit("asprintf");
504 EUID_ROOT();
511 if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0) 505 if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0)
512 errExit("mounting tmpfs"); 506 errExit("mounting tmpfs");
507 EUID_USER();
513 // check the last mount operation 508 // check the last mount operation
514 MountData *mdata = get_last_mount(); 509 MountData *mdata = get_last_mount();
515 if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0) 510 if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0)
@@ -635,40 +630,37 @@ out:
635} 630}
636 631
637// remount recursively; requires a resolved path 632// remount recursively; requires a resolved path
638static void fs_remount_rec(const char *dir, OPERATION op) { 633static void fs_remount_rec(const char *path, OPERATION op) {
639 EUID_ASSERT(); 634 EUID_ASSERT();
640 assert(dir); 635 assert(op < OPERATION_MAX);
636 assert(path);
641 637
642 struct stat s; 638 // no need to search /proc/self/mountinfo for submounts if not a directory
643 if (stat(dir, &s) != 0) 639 int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
644 return; 640 if (fd < 0) {
645 if (!S_ISDIR(s.st_mode)) { 641 fs_remount_simple(path, op);
646 // no need to search in /proc/self/mountinfo for submounts if not a directory
647 fs_remount_simple(dir, op);
648 return; 642 return;
649 } 643 }
650 // get mount point of the directory 644
651 int mountid = get_mount_id(dir); 645 // get mount id of the directory
652 if (mountid == -1) 646 int mountid = get_mount_id(fd);
653 return; 647 close(fd);
654 if (mountid == -2) { 648 if (mountid < 0) {
655 // falling back to a simple remount on old kernels 649 // falling back to a simple remount
656 static int mount_warning = 0; 650 fwarning("%s %s not applied recursively\n", opstr[op], path);
657 if (!mount_warning) { 651 fs_remount_simple(path, op);
658 fwarning("read-only, read-write and noexec options are not applied recursively\n");
659 mount_warning = 1;
660 }
661 fs_remount_simple(dir, op);
662 return; 652 return;
663 } 653 }
654
664 // build array with all mount points that need to get remounted 655 // build array with all mount points that need to get remounted
665 char **arr = build_mount_array(mountid, dir); 656 char **arr = build_mount_array(mountid, path);
666 assert(arr); 657 if (!arr)
658 return;
667 // remount 659 // remount
668 char **tmp = arr; 660 int i;
669 while (*tmp) { 661 for (i = 0; arr[i]; i++) {
670 fs_remount_simple(*tmp, op); 662 fs_remount_simple(arr[i], op);
671 free(*tmp++); 663 free(arr[i]);
672 } 664 }
673 free(arr); 665 free(arr);
674} 666}
@@ -903,367 +895,6 @@ void fs_basic_fs(void) {
903} 895}
904 896
905 897
906
907#ifdef HAVE_OVERLAYFS
908char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
909 assert(subdirname);
910 EUID_ASSERT();
911 struct stat s;
912 char *dirname;
913
914 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
915 errExit("asprintf");
916 // check if ~/.firejail already exists
917 if (lstat(dirname, &s) == 0) {
918 if (!S_ISDIR(s.st_mode)) {
919 if (S_ISLNK(s.st_mode))
920 fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
921 else
922 fprintf(stderr, "Error: %s is not a directory\n", dirname);
923 exit(1);
924 }
925 if (s.st_uid != getuid()) {
926 fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
927 exit(1);
928 }
929 }
930 else {
931 // create ~/.firejail directory
932 create_empty_dir_as_user(dirname, 0700);
933 if (stat(dirname, &s) == -1) {
934 fprintf(stderr, "Error: cannot create directory %s\n", dirname);
935 exit(1);
936 }
937 }
938 free(dirname);
939
940 // check overlay directory
941 if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
942 errExit("asprintf");
943 if (lstat(dirname, &s) == 0) {
944 if (!S_ISDIR(s.st_mode)) {
945 if (S_ISLNK(s.st_mode))
946 fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
947 else
948 fprintf(stderr, "Error: %s is not a directory\n", dirname);
949 exit(1);
950 }
951 if (s.st_uid != 0) {
952 fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
953 exit(1);
954 }
955 if (allow_reuse == 0) {
956 fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
957 exit(1);
958 }
959 }
960
961 return dirname;
962}
963
964
965
966// mount overlayfs on top of / directory
967// mounting an overlay and chrooting into it:
968//
969// Old Ubuntu kernel
970// # cd ~
971// # mkdir -p overlay/root
972// # mkdir -p overlay/diff
973// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
974// # chroot /root/overlay/root
975// to shutdown, first exit the chroot and then unmount the overlay
976// # exit
977// # umount /root/overlay/root
978//
979// Kernels 3.18+
980// # cd ~
981// # mkdir -p overlay/root
982// # mkdir -p overlay/diff
983// # mkdir -p overlay/work
984// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
985// # cat /etc/mtab | grep overlay
986// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
987// # chroot /root/overlay/root
988// to shutdown, first exit the chroot and then unmount the overlay
989// # exit
990// # umount /root/overlay/root
991
992
993// to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean
994#include <sys/utsname.h>
995void fs_overlayfs(void) {
996 struct stat s;
997
998 // check kernel version
999 struct utsname u;
1000 int rv = uname(&u);
1001 if (rv != 0)
1002 errExit("uname");
1003 int major;
1004 int minor;
1005 if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
1006 fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
1007 exit(1);
1008 }
1009
1010 if (arg_debug)
1011 printf("Linux kernel version %d.%d\n", major, minor);
1012 int oldkernel = 0;
1013 if (major < 3) {
1014 fprintf(stderr, "Error: minimum kernel version required 3.x\n");
1015 exit(1);
1016 }
1017 if (major == 3 && minor < 18)
1018 oldkernel = 1;
1019
1020 // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
1021 // we disable overlayfs for now, pending fixing
1022 if (major >= 4 &&minor >= 19) {
1023 fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
1024 exit(1);
1025 }
1026
1027 char *oroot = RUN_OVERLAY_ROOT;
1028 mkdir_attr(oroot, 0755, 0, 0);
1029
1030 // set base for working and diff directories
1031 char *basedir = RUN_MNT_DIR;
1032 int basefd = -1;
1033
1034 if (arg_overlay_keep) {
1035 basedir = cfg.overlay_dir;
1036 assert(basedir);
1037 // get a file descriptor for ~/.firejail, fails if there is any symlink
1038 char *firejail;
1039 if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
1040 errExit("asprintf");
1041 int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
1042 if (fd == -1)
1043 errExit("safer_openat");
1044 free(firejail);
1045 // create basedir if it doesn't exist
1046 // the new directory will be owned by root
1047 const char *dirname = gnu_basename(basedir);
1048 if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
1049 perror("mkdir");
1050 fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
1051 exit(1);
1052 }
1053 // open basedir
1054 basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
1055 close(fd);
1056 }
1057 else {
1058 basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
1059 }
1060 if (basefd == -1) {
1061 perror("open");
1062 fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
1063 exit(1);
1064 }
1065
1066 // confirm once more base is owned by root
1067 if (fstat(basefd, &s) == -1)
1068 errExit("fstat");
1069 if (s.st_uid != 0) {
1070 fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
1071 exit(1);
1072 }
1073 // confirm permissions of base are 0755
1074 if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
1075 fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
1076 exit(1);
1077 }
1078
1079 // create diff and work directories inside base
1080 // no need to check arg_overlay_reuse
1081 char *odiff;
1082 if (asprintf(&odiff, "%s/odiff", basedir) == -1)
1083 errExit("asprintf");
1084 // the new directory will be owned by root
1085 if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
1086 perror("mkdir");
1087 fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
1088 exit(1);
1089 }
1090 ASSERT_PERMS(odiff, 0, 0, 0755);
1091
1092 char *owork;
1093 if (asprintf(&owork, "%s/owork", basedir) == -1)
1094 errExit("asprintf");
1095 // the new directory will be owned by root
1096 if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
1097 perror("mkdir");
1098 fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
1099 exit(1);
1100 }
1101 ASSERT_PERMS(owork, 0, 0, 0755);
1102
1103 // mount overlayfs
1104 if (arg_debug)
1105 printf("Mounting OverlayFS\n");
1106 char *option;
1107 if (oldkernel) { // old Ubuntu/OpenSUSE kernels
1108 if (arg_overlay_keep) {
1109 fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
1110 exit(1);
1111 }
1112 if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
1113 errExit("asprintf");
1114 if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
1115 errExit("mounting overlayfs");
1116 }
1117 else { // kernel 3.18 or newer
1118 if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
1119 errExit("asprintf");
1120 if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
1121 fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
1122 errExit("mounting overlayfs");
1123 }
1124
1125 //***************************
1126 // issue #263 start code
1127 // My setup has a separate mount point for /home. When the overlay is mounted,
1128 // the overlay does not contain the original /home contents.
1129 // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
1130 // @dshmgh, Jan 2016
1131 {
1132 char *overlayhome;
1133 struct stat s;
1134 char *hroot;
1135 char *hdiff;
1136 char *hwork;
1137
1138 // dons add debug
1139 if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork);
1140
1141 // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
1142 // must create var for oroot/cfg.homedir
1143 if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
1144 errExit("asprintf");
1145 if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
1146
1147 // if no homedir in overlay -- create another overlay for /home
1148 if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
1149
1150 // no need to check arg_overlay_reuse
1151 if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
1152 errExit("asprintf");
1153 // the new directory will be owned by root
1154 if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
1155 perror("mkdir");
1156 fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
1157 exit(1);
1158 }
1159 ASSERT_PERMS(hdiff, 0, 0, 0755);
1160
1161 // no need to check arg_overlay_reuse
1162 if (asprintf(&hwork, "%s/hwork", basedir) == -1)
1163 errExit("asprintf");
1164 // the new directory will be owned by root
1165 if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
1166 perror("mkdir");
1167 fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
1168 exit(1);
1169 }
1170 ASSERT_PERMS(hwork, 0, 0, 0755);
1171
1172 // no homedir in overlay so now mount another overlay for /home
1173 if (asprintf(&hroot, "%s/home", oroot) == -1)
1174 errExit("asprintf");
1175 if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
1176 errExit("asprintf");
1177 if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
1178 errExit("mounting overlayfs for mounted home directory");
1179
1180 printf("OverlayFS for /home configured in %s directory\n", basedir);
1181 free(hroot);
1182 free(hdiff);
1183 free(hwork);
1184
1185 } // stat(overlayhome)
1186 free(overlayhome);
1187 }
1188 // issue #263 end code
1189 //***************************
1190 }
1191 fmessage("OverlayFS configured in %s directory\n", basedir);
1192 close(basefd);
1193
1194 // /dev, /run and /tmp are not covered by the overlay
1195 // mount-bind dev directory
1196 if (arg_debug)
1197 printf("Mounting /dev\n");
1198 char *dev;
1199 if (asprintf(&dev, "%s/dev", oroot) == -1)
1200 errExit("asprintf");
1201 if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
1202 errExit("mounting /dev");
1203 fs_logger("whitelist /dev");
1204
1205 // mount-bind run directory
1206 if (arg_debug)
1207 printf("Mounting /run\n");
1208 char *run;
1209 if (asprintf(&run, "%s/run", oroot) == -1)
1210 errExit("asprintf");
1211 if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
1212 errExit("mounting /run");
1213 fs_logger("whitelist /run");
1214
1215 // mount-bind tmp directory
1216 if (arg_debug)
1217 printf("Mounting /tmp\n");
1218 char *tmp;
1219 if (asprintf(&tmp, "%s/tmp", oroot) == -1)
1220 errExit("asprintf");
1221 if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
1222 errExit("mounting /tmp");
1223 fs_logger("whitelist /tmp");
1224
1225 // chroot in the new filesystem
1226 __gcov_flush();
1227
1228 if (chroot(oroot) == -1)
1229 errExit("chroot");
1230
1231 // mount a new proc filesystem
1232 if (arg_debug)
1233 printf("Mounting /proc filesystem representing the PID namespace\n");
1234 if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
1235 errExit("mounting /proc");
1236
1237 // update /var directory in order to support multiple sandboxes running on the same root directory
1238// if (!arg_private_dev)
1239// fs_dev_shm();
1240 fs_var_lock();
1241 if (!arg_keep_var_tmp)
1242 fs_var_tmp();
1243 if (!arg_writable_var_log)
1244 fs_var_log();
1245 fs_var_lib();
1246 fs_var_cache();
1247 fs_var_utmp();
1248 fs_machineid();
1249
1250 // don't leak user information
1251 restrict_users();
1252
1253 // when starting as root, firejail config is not disabled;
1254 if (getuid() != 0)
1255 disable_config();
1256
1257 // cleanup and exit
1258 free(option);
1259 free(odiff);
1260 free(owork);
1261 free(dev);
1262 free(run);
1263 free(tmp);
1264}
1265#endif
1266
1267// this function is called from sandbox.c before blacklist/whitelist functions 898// this function is called from sandbox.c before blacklist/whitelist functions
1268void fs_private_tmp(void) { 899void fs_private_tmp(void) {
1269 EUID_ASSERT(); 900 EUID_ASSERT();
@@ -1287,7 +918,6 @@ void fs_private_tmp(void) {
1287 918
1288 // whitelist x11 directory 919 // whitelist x11 directory
1289 profile_add("whitelist /tmp/.X11-unix"); 920 profile_add("whitelist /tmp/.X11-unix");
1290 // read-only x11 directory
1291 profile_add("read-only /tmp/.X11-unix"); 921 profile_add("read-only /tmp/.X11-unix");
1292 922
1293 // whitelist sndio directory 923 // whitelist sndio directory
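--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -330,8 +329,10 @@ void fs_dev_disable_sound(void) {
  }
 
  // disable all jack sockets in /dev/shm
+ EUID_USER();
  glob_t globbuf;
  int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+ EUID_ROOT();
  if (globerr)
  return;
 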
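Review bot: The euid switch around `glob("/dev/shm/jack*", ...)` in fs_dev_disable_sound has no comment saying why the pattern is expanded with the user's privileges, and the matched paths in `globbuf` are still consumed after `EUID_ROOT()`. /dev/shm is normally writable by the user, so an entry can change between the glob and whatever the code below does with it; that code is outside the hunk, so whether it re-validates each path cannot be checked here. I would add `// expand the pattern as the user; /dev/shm is user-writable, so each result is re-checked before root acts on it` above `EUID_USER();` and confirm the loop lives up to it.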
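--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -19,7 +19,6 @@
 */
 #include "firejail.h"
 #include <sys/mount.h>
-#include <linux/limits.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
@@ -395,14 +394,16 @@ void fs_private(void) {
  }
  if (chown(homedir, u, g) < 0)
  errExit("chown");
-
  fs_logger2("mkdir", homedir);
  fs_logger2("tmpfs", homedir);
  }
- else
+ else {
  // mask user home directory
  // the directory should be owned by the current user
+ EUID_USER();
  fs_tmpfs(homedir, 1);
+ EUID_ROOT();
+ }
 
  selinux_relabel_path(homedir, homedir);
  }
@@ -564,12 +565,13 @@ void fs_private_home_list(void) {
  int xflag = store_xauthority();
  int aflag = store_asoundrc();
 
- // create /run/firejail/mnt/home directory
  EUID_ROOT();
+ // create /run/firejail/mnt/home directory
  mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
  selinux_relabel_path(RUN_HOME_DIR, homedir);
 
- fs_logger_print(); // save the current log
+ // save the current log
+ fs_logger_print();
  EUID_USER();
 
  // copy the list of files in the new home directory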
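Review bot: In fs_private, the else branch now drops to the user's euid for `fs_tmpfs(homedir, 1)`, but the comment above it still only says the directory "should be owned by the current user" and nothing in the hunk verifies that. If the purpose of `EUID_USER()` is that the path is resolved with the user's permissions rather than root's, the comment should say so, e.g. `// resolve homedir as the user so root never follows a user-controlled path`; this is inferred from the hunk, since fs_tmpfs itself is not shown. The function starts and ends outside the hunk.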
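--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) {
  if (arg_debug)
  printf("Creating a new /etc/hostname file\n");
 
- create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 
  // bind-mount the file on top of /etc/hostname
  if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) {
  }
  fclose(fp1);
  // mode and owner
- SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  fclose(fp2);
 
  // bind-mount the file on top of /etc/hostname
@@ -93,10 +92,6 @@ char *fs_check_hosts_file(const char *fname) {
  invalid_filename(fname, 0); // no globbing
  char *rv = expand_macros(fname);
 
- // no a link
- if (is_link(rv))
- goto errexit;
-
  // the user has read access to the file
  if (access(rv, R_OK))
  goto errexit;
@@ -119,9 +114,6 @@ void fs_mount_hosts_file(void) {
  struct stat s;
  if (stat("/etc/hosts", &s) == -1)
  goto errexit;
- // not a link
- if (is_link("/etc/hosts"))
- goto errexit;
  // owned by root
  if (s.st_uid != 0)
  goto errexit;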
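Review bot: Both `is_link()` rejections are dropped, in fs_check_hosts_file before `access(rv, R_OK)` and in fs_mount_hosts_file after `stat("/etc/hosts", &s)`, and no comment records what now keeps a symbolic link from being bind-mounted. `access()` and `stat()` follow links, so the remaining readability and ownership checks apply to the link target, and the path is resolved again when it is used later. If link handling moved into another helper (not visible in these hunks), a one-line comment such as `// symlinks are rejected later in <helper>` would keep the check auditable; otherwise opening the file with `O_NOFOLLOW` and validating it through `fstat()` on the descriptor would close the check-then-use gap. Both functions continue outside their hunks.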
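--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -195,6 +195,11 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
  assert(full_path);
  // if library/executable does not exist or the user does not have read access to it
  // print a warning and exit the function.
+ if (access(full_path, F_OK)) {
+ if (arg_debug || arg_debug_private_lib)
+ printf("Cannot find %s, skipping...\n", full_path);
+ return;
+ }
  if (user && access(full_path, R_OK)) {
  if (arg_debug || arg_debug_private_lib)
  printf("Cannot read %s, skipping...\n", full_path);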
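Review bot: The new `access(full_path, F_OK)` test in fslib_mount_libs also runs for `user == 0` callers, and `access()` checks with the real uid rather than the effective one. If the program runs setuid with the invoking user as real uid (not shown here), a file below a directory that user cannot search is reported as "Cannot find" and skipped, even though the root parse requested by `user == 0` could reach it. Consider `faccessat(AT_FDCWD, full_path, F_OK, AT_EACCESS)` for the existence test, or include `strerror(errno)` in the message so a permission failure is not logged as a missing file. The function body continues past the hunk.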
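--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -143,7 +143,7 @@ static void fdir(void) {
  NULL,
  };
 
- // need to parse as root user, unprivileged users have no read permission on executables
+ // need to parse as root user, unprivileged users have no read permission on some of these binaries
  int i;
  for (i = 0; fbin[i]; i++)
  fslib_mount_libs(fbin[i], 0);
@@ -153,7 +153,9 @@ void fslib_install_firejail(void) {
  timetrace_start();
  // bring in firejail executable libraries, in case we are redirected here
  // by a firejail symlink from /usr/local/bin/firejail
- fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
+ // fldd might have no read permission on the firejail executable
+ // parse as root in order to support these setups
+ fslib_mount_libs(PATH_FIREJAIL, 0);
 
  // bring in firejail directory
  fdir();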
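Review bot: `fslib_mount_libs(PATH_FIREJAIL, 0)` in fslib_install_firejail now has the binary parsed with root privileges, and the new comment gives the motive but not the reason this is safe. What makes it acceptable is presumably that `PATH_FIREJAIL` is a fixed install path rather than user input; that assumption belongs in the comment, e.g. `// PATH_FIREJAIL is a build-time constant, never user-supplied, so parsing it as root is acceptable`. If the path can ever resolve to a user-writable location, the `1` argument should stay. The function continues outside the hunk.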
diff --git a/src/firejail/fs_overlayfs.c b/src/firejail/fs_overlayfs.c
new file mode 100644
index 000000000..fe3761cb6
--- /dev/null
+++ b/src/firejail/fs_overlayfs.c
@@ -0,0 +1,470 @@
1/*
2 * Copyright (C) 2014-2021 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20
21#ifdef HAVE_OVERLAYFS
22#include "firejail.h"
23#include "../include/gcov_wrapper.h"
24#include <sys/mount.h>
25#include <sys/wait.h>
26#include <ftw.h>
27#include <errno.h>
28
29#include <fcntl.h>
30#ifndef O_PATH
31#define O_PATH 010000000
32#endif
33
34
35char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
36 assert(subdirname);
37 EUID_ASSERT();
38 struct stat s;
39 char *dirname;
40
41 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
42 errExit("asprintf");
43 // check if ~/.firejail already exists
44 if (lstat(dirname, &s) == 0) {
45 if (!S_ISDIR(s.st_mode)) {
46 if (S_ISLNK(s.st_mode))
47 fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
48 else
49 fprintf(stderr, "Error: %s is not a directory\n", dirname);
50 exit(1);
51 }
52 if (s.st_uid != getuid()) {
53 fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
54 exit(1);
55 }
56 }
57 else {
58 // create ~/.firejail directory
59 create_empty_dir_as_user(dirname, 0700);
60 if (stat(dirname, &s) == -1) {
61 fprintf(stderr, "Error: cannot create directory %s\n", dirname);
62 exit(1);
63 }
64 }
65 free(dirname);
66
67 // check overlay directory
68 if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
69 errExit("asprintf");
70 if (lstat(dirname, &s) == 0) {
71 if (!S_ISDIR(s.st_mode)) {
72 if (S_ISLNK(s.st_mode))
73 fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
74 else
75 fprintf(stderr, "Error: %s is not a directory\n", dirname);
76 exit(1);
77 }
78 if (s.st_uid != 0) {
79 fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
80 exit(1);
81 }
82 if (allow_reuse == 0) {
83 fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
84 exit(1);
85 }
86 }
87
88 return dirname;
89}
90
91
92// mount overlayfs on top of / directory
93// mounting an overlay and chrooting into it:
94//
95// Old Ubuntu kernel
96// # cd ~
97// # mkdir -p overlay/root
98// # mkdir -p overlay/diff
99// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
100// # chroot /root/overlay/root
101// to shutdown, first exit the chroot and then unmount the overlay
102// # exit
103// # umount /root/overlay/root
104//
105// Kernels 3.18+
106// # cd ~
107// # mkdir -p overlay/root
108// # mkdir -p overlay/diff
109// # mkdir -p overlay/work
110// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
111// # cat /etc/mtab | grep overlay
112// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
113// # chroot /root/overlay/root
114// to shutdown, first exit the chroot and then unmount the overlay
115// # exit
116// # umount /root/overlay/root
117
118// to do: fix the code below
119#include <sys/utsname.h>
120void fs_overlayfs(void) {
121 struct stat s;
122
123 // check kernel version
124 struct utsname u;
125 int rv = uname(&u);
126 if (rv != 0)
127 errExit("uname");
128 int major;
129 int minor;
130 if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
131 fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
132 exit(1);
133 }
134
135 if (arg_debug)
136 printf("Linux kernel version %d.%d\n", major, minor);
137 int oldkernel = 0;
138 if (major < 3) {
139 fprintf(stderr, "Error: minimum kernel version required 3.x\n");
140 exit(1);
141 }
142 if (major == 3 && minor < 18)
143 oldkernel = 1;
144
145 // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
146 // we disable overlayfs for now, pending fixing
147 if (major >= 4 &&minor >= 19) {
148 fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
149 exit(1);
150 }
151
152 char *oroot = RUN_OVERLAY_ROOT;
153 mkdir_attr(oroot, 0755, 0, 0);
154
155 // set base for working and diff directories
156 char *basedir = RUN_MNT_DIR;
157 int basefd = -1;
158
159 if (arg_overlay_keep) {
160 basedir = cfg.overlay_dir;
161 assert(basedir);
162 // get a file descriptor for ~/.firejail, fails if there is any symlink
163 char *firejail;
164 if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
165 errExit("asprintf");
166 int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
167 if (fd == -1)
168 errExit("safer_openat");
169 free(firejail);
170 // create basedir if it doesn't exist
171 // the new directory will be owned by root
172 const char *dirname = gnu_basename(basedir);
173 if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
174 perror("mkdir");
175 fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
176 exit(1);
177 }
178 // open basedir
179 basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
180 close(fd);
181 }
182 else {
183 basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
184 }
185 if (basefd == -1) {
186 perror("open");
187 fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
188 exit(1);
189 }
190
191 // confirm once more base is owned by root
192 if (fstat(basefd, &s) == -1)
193 errExit("fstat");
194 if (s.st_uid != 0) {
195 fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
196 exit(1);
197 }
198 // confirm permissions of base are 0755
199 if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
200 fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
201 exit(1);
202 }
203
204 // create diff and work directories inside base
205 // no need to check arg_overlay_reuse
206 char *odiff;
207 if (asprintf(&odiff, "%s/odiff", basedir) == -1)
208 errExit("asprintf");
209 // the new directory will be owned by root
210 if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
211 perror("mkdir");
212 fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
213 exit(1);
214 }
215 ASSERT_PERMS(odiff, 0, 0, 0755);
216
217 char *owork;
218 if (asprintf(&owork, "%s/owork", basedir) == -1)
219 errExit("asprintf");
220 // the new directory will be owned by root
221 if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
222 perror("mkdir");
223 fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
224 exit(1);
225 }
226 ASSERT_PERMS(owork, 0, 0, 0755);
227
228 // mount overlayfs
229 if (arg_debug)
230 printf("Mounting OverlayFS\n");
231 char *option;
232 if (oldkernel) { // old Ubuntu/OpenSUSE kernels
233 if (arg_overlay_keep) {
234 fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
235 exit(1);
236 }
237 if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
238 errExit("asprintf");
239 if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
240 errExit("mounting overlayfs");
241 }
242 else { // kernel 3.18 or newer
243 if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
244 errExit("asprintf");
245 if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
246 fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
247 errExit("mounting overlayfs");
248 }
249
250 //***************************
251 // issue #263 start code
252 // My setup has a separate mount point for /home. When the overlay is mounted,
253 // the overlay does not contain the original /home contents.
254 // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
255 // @dshmgh, Jan 2016
256 {
257 char *overlayhome;
258 struct stat s;
259 char *hroot;
260 char *hdiff;
261 char *hwork;
262
263 // dons add debug
264 if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork);
265
266 // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
267 // must create var for oroot/cfg.homedir
268 if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
269 errExit("asprintf");
270 if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
271
272 // if no homedir in overlay -- create another overlay for /home
273 if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
274
275 // no need to check arg_overlay_reuse
276 if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
277 errExit("asprintf");
278 // the new directory will be owned by root
279 if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
280 perror("mkdir");
281 fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
282 exit(1);
283 }
284 ASSERT_PERMS(hdiff, 0, 0, 0755);
285
286 // no need to check arg_overlay_reuse
287 if (asprintf(&hwork, "%s/hwork", basedir) == -1)
288 errExit("asprintf");
289 // the new directory will be owned by root
290 if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
291 perror("mkdir");
292 fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
293 exit(1);
294 }
295 ASSERT_PERMS(hwork, 0, 0, 0755);
296
297 // no homedir in overlay so now mount another overlay for /home
298 if (asprintf(&hroot, "%s/home", oroot) == -1)
299 errExit("asprintf");
300 if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
301 errExit("asprintf");
302 if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
303 errExit("mounting overlayfs for mounted home directory");
304
305 printf("OverlayFS for /home configured in %s directory\n", basedir);
306 free(hroot);
307 free(hdiff);
308 free(hwork);
309
310 } // stat(overlayhome)
311 free(overlayhome);
312 }
313 // issue #263 end code
314 //***************************
315 }
316 fmessage("OverlayFS configured in %s directory\n", basedir);
317 close(basefd);
318
319 // /dev, /run and /tmp are not covered by the overlay
320 // mount-bind dev directory
321 if (arg_debug)
322 printf("Mounting /dev\n");
323 char *dev;
324 if (asprintf(&dev, "%s/dev", oroot) == -1)
325 errExit("asprintf");
326 if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
327 errExit("mounting /dev");
328 fs_logger("whitelist /dev");
329
330 // mount-bind run directory
331 if (arg_debug)
332 printf("Mounting /run\n");
333 char *run;
334 if (asprintf(&run, "%s/run", oroot) == -1)
335 errExit("asprintf");
336 if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
337 errExit("mounting /run");
338 fs_logger("whitelist /run");
339
340 // mount-bind tmp directory
341 if (arg_debug)
342 printf("Mounting /tmp\n");
343 char *tmp;
344 if (asprintf(&tmp, "%s/tmp", oroot) == -1)
345 errExit("asprintf");
346 if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
347 errExit("mounting /tmp");
348 fs_logger("whitelist /tmp");
349
350 // chroot in the new filesystem
351 __gcov_flush();
352
353 if (chroot(oroot) == -1)
354 errExit("chroot");
355
356 // mount a new proc filesystem
357 if (arg_debug)
358 printf("Mounting /proc filesystem representing the PID namespace\n");
359 if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
360 errExit("mounting /proc");
361
362 // update /var directory in order to support multiple sandboxes running on the same root directory
363// if (!arg_private_dev)
364// fs_dev_shm();
365 fs_var_lock();
366 if (!arg_keep_var_tmp)
367 fs_var_tmp();
368 if (!arg_writable_var_log)
369 fs_var_log();
370 fs_var_lib();
371 fs_var_cache();
372 fs_var_utmp();
373 fs_machineid();
374
375 // don't leak user information
376 restrict_users();
377
378 // when starting as root, firejail config is not disabled;
379 if (getuid() != 0)
380 disable_config();
381
382 // cleanup and exit
383 free(option);
384 free(odiff);
385 free(owork);
386 free(dev);
387 free(run);
388 free(tmp);
389}
390
391
392static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
393 (void) sb;
394 (void) typeflag;
395 (void) ftwbuf;
396 assert(fpath);
397
398 if (strcmp(fpath, ".") == 0) // rmdir would fail with EINVAL
399 return 0;
400
401 if (remove(fpath)) { // removes the link not the actual file
402 fprintf(stderr, "Error: cannot remove file: %s\n", strerror(errno));
403 exit(1);
404 }
405
406 return 0;
407}
408
409int remove_overlay_directory(void) {
410 EUID_ASSERT();
411 sleep(1);
412
413 char *path;
414 if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
415 errExit("asprintf");
416
417 if (access(path, F_OK) == 0) {
418 pid_t child = fork();
419 if (child < 0)
420 errExit("fork");
421 if (child == 0) {
422 // open ~/.firejail
423 int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
424 if (fd == -1) {
425 fprintf(stderr, "Error: cannot open %s\n", path);
426 exit(1);
427 }
428 struct stat s;
429 if (fstat(fd, &s) == -1)
430 errExit("fstat");
431 if (!S_ISDIR(s.st_mode)) {
432 if (S_ISLNK(s.st_mode))
433 fprintf(stderr, "Error: %s is a symbolic link\n", path);
434 else
435 fprintf(stderr, "Error: %s is not a directory\n", path);
436 exit(1);
437 }
438 if (s.st_uid != getuid()) {
439 fprintf(stderr, "Error: %s is not owned by the current user\n", path);
440 exit(1);
441 }
442 // chdir to ~/.firejail
443 if (fchdir(fd) == -1)
444 errExit("fchdir");
445 close(fd);
446
447 EUID_ROOT();
448 // FTW_PHYS - do not follow symbolic links
449 if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
450 errExit("nftw");
451
452 EUID_USER();
453 // remove ~/.firejail
454 if (rmdir(path) == -1)
455 errExit("rmdir");
456
457 __gcov_flush();
458
459 _exit(0);
460 }
461 // wait for the child to finish
462 waitpid(child, NULL, 0);
463 // check if ~/.firejail was deleted
464 if (access(path, F_OK) == 0)
465 return 1;
466 }
467 return 0;
468}
469
470#endif // HAVE_OVERLAYFS
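Review bot: The kernel gate in fs_overlayfs, `if (major >= 4 &&minor >= 19)`, does not match its own error message: it tests the minor number independently of the major, so 5.0 through 5.18 (and likewise 6.0 through 6.18) pass the check although they are newer than 4.19, and the overlay the comment calls broken gets mounted anyway. The comparison should be `if (major > 4 || (major == 4 && minor >= 19))`. A few lines above, the sscanf failure message prints `u.version` although the string that failed to parse is `u.release`. In the /home overlay branch `option` is assigned by a second `asprintf` without freeing the first buffer, which is a small leak on that path.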
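--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -20,25 +20,31 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
 
-void fs_trace_preload(void) {
+// create an empty /etc/ld.so.preload
+void fs_trace_touch_preload(void) {
+ create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+}
+
+void fs_trace_touch_or_store_preload(void) {
  struct stat s;
 
- // create an empty /etc/ld.so.preload
- if (stat("/etc/ld.so.preload", &s)) {
- if (arg_debug)
- printf("Creating an empty /etc/ld.so.preload file\n");
- FILE *fp = fopen("/etc/ld.so.preload", "wxe");
- if (!fp)
- errExit("fopen");
- SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
- fclose(fp);
- fs_logger("touch /etc/ld.so.preload");
+ if (stat("/etc/ld.so.preload", &s) != 0) {
+ fs_trace_touch_preload();
+ return;
+ }
+
+ if (s.st_size == 0)
+ return;
+
+ // create a copy of /etc/ld.so.preload
+ if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) {
+ fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n");
+ exit(1);
  }
 }
 
@@ -47,7 +53,7 @@ void fs_tracefile(void) {
  if (arg_debug)
  printf("Creating an empty trace log file: %s\n", arg_tracefile);
  EUID_USER();
- int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  if (fd == -1) {
  perror("open");
  fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -83,7 +89,7 @@ void fs_trace(void) {
  if (arg_debug)
  printf("Create the new ld.so.preload file\n");
 
- FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we");
+ FILE *fp = fopen(RUN_LDPRELOAD_FILE, "ae");
  if (!fp)
  errExit("fopen");
  const char *prefix = RUN_FIREJAIL_LIB_DIR;
@@ -100,7 +106,7 @@ void fs_trace(void) {
  fmessage("Post-exec seccomp protector enabled\n");
  }
 
- SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  fclose(fp);
 
  // mount the new preload file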
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 20e262d80..e19d0df96 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -20,7 +20,6 @@
20#include "firejail.h" 20#include "firejail.h"
21#include <sys/mount.h> 21#include <sys/mount.h>
22#include <sys/stat.h> 22#include <sys/stat.h>
23#include <linux/limits.h>
24#include <glob.h> 23#include <glob.h>
25#include <dirent.h> 24#include <dirent.h>
26#include <fcntl.h> 25#include <fcntl.h>
@@ -129,7 +128,7 @@ void fs_var_log(void) {
129 /* coverity[toctou] */ 128 /* coverity[toctou] */
130 FILE *fp = fopen("/var/log/wtmp", "wxe"); 129 FILE *fp = fopen("/var/log/wtmp", "wxe");
131 if (fp) { 130 if (fp) {
132 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); 131 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
133 fclose(fp); 132 fclose(fp);
134 } 133 }
135 fs_logger("touch /var/log/wtmp"); 134 fs_logger("touch /var/log/wtmp");
@@ -137,7 +136,7 @@ void fs_var_log(void) {
137 // create an empty /var/log/btmp file 136 // create an empty /var/log/btmp file
138 fp = fopen("/var/log/btmp", "wxe"); 137 fp = fopen("/var/log/btmp", "wxe");
139 if (fp) { 138 if (fp) {
140 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); 139 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
141 fclose(fp); 140 fclose(fp);
142 } 141 }
143 fs_logger("touch /var/log/btmp"); 142 fs_logger("touch /var/log/btmp");
@@ -314,7 +313,7 @@ void fs_var_utmp(void) {
314 // save new utmp file 313 // save new utmp file
315 int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp); 314 int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
316 (void) rv; 315 (void) rv;
317 SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); 316 SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
318 fclose(fp); 317 fclose(fp);
319 318
320 // mount the new utmp file 319 // mount the new utmp file
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 943f275de..7afebed1f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -105,6 +105,7 @@ static int whitelist_mkpath(const char* path, mode_t mode) {
105} 105}
106 106
107static void whitelist_file(int dirfd, const char *relpath, const char *path) { 107static void whitelist_file(int dirfd, const char *relpath, const char *path) {
108 EUID_ASSERT();
108 assert(relpath && path); 109 assert(relpath && path);
109 110
110 // open mount source, using a file descriptor that refers to the 111 // open mount source, using a file descriptor that refers to the
@@ -130,12 +131,9 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
130 } 131 }
131 132
132 // create mount target as root, except if inside home or run/user/$UID directory 133 // create mount target as root, except if inside home or run/user/$UID directory
133 int userprivs = 0; 134 if ((strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') &&
134 if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || 135 (strncmp(path, runuser, runuser_len) != 0 || path[runuser_len] != '/'))
135 (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { 136 EUID_ROOT();
136 EUID_USER();
137 userprivs = 1;
138 }
139 137
140 // create path of the mount target 138 // create path of the mount target
141 int fd2 = whitelist_mkpath(path, 0755); 139 int fd2 = whitelist_mkpath(path, 0755);
@@ -146,8 +144,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
146 if (arg_debug || arg_debug_whitelists) 144 if (arg_debug || arg_debug_whitelists)
147 printf("Debug %d: skip whitelist %s\n", __LINE__, path); 145 printf("Debug %d: skip whitelist %s\n", __LINE__, path);
148 close(fd); 146 close(fd);
149 if (userprivs) 147 EUID_USER();
150 EUID_ROOT();
151 return; 148 return;
152 } 149 }
153 150
@@ -166,8 +163,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
166 } 163 }
167 close(fd); 164 close(fd);
168 close(fd2); 165 close(fd2);
169 if (userprivs) 166 EUID_USER();
170 EUID_ROOT();
171 return; 167 return;
172 } 168 }
173 fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); 169 fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
@@ -184,19 +180,17 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
184 } 180 }
185 close(fd); 181 close(fd);
186 close(fd2); 182 close(fd2);
187 if (userprivs) 183 EUID_USER();
188 EUID_ROOT();
189 return; 184 return;
190 } 185 }
191
192 close(fd2); 186 close(fd2);
193 if (userprivs)
194 EUID_ROOT();
195 187
196 if (arg_debug || arg_debug_whitelists) 188 if (arg_debug || arg_debug_whitelists)
197 printf("Whitelisting %s\n", path); 189 printf("Whitelisting %s\n", path);
190 EUID_ROOT();
198 if (bind_mount_by_fd(fd, fd3)) 191 if (bind_mount_by_fd(fd, fd3))
199 errExit("mount bind"); 192 errExit("mount bind");
193 EUID_USER();
200 // check the last mount operation 194 // check the last mount operation
201 MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found 195 MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
202#ifdef TEST_MOUNTINFO 196#ifdef TEST_MOUNTINFO
@@ -219,22 +213,19 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
219} 213}
220 214
221static void whitelist_symlink(const char *link, const char *target) { 215static void whitelist_symlink(const char *link, const char *target) {
216 EUID_ASSERT();
222 assert(link && target); 217 assert(link && target);
223 218
224 // create files as root, except if inside home or run/user/$UID directory 219 // create files as root, except if inside home or run/user/$UID directory
225 int userprivs = 0; 220 if ((strncmp(link, cfg.homedir, homedir_len) != 0 || link[homedir_len] != '/') &&
226 if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') || 221 (strncmp(link, runuser, runuser_len) != 0 || link[runuser_len] != '/'))
227 (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) { 222 EUID_ROOT();
228 EUID_USER();
229 userprivs = 1;
230 }
231 223
232 int fd = whitelist_mkpath(link, 0755); 224 int fd = whitelist_mkpath(link, 0755);
233 if (fd == -1) { 225 if (fd == -1) {
234 if (arg_debug || arg_debug_whitelists) 226 if (arg_debug || arg_debug_whitelists)
235 printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); 227 printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
236 if (userprivs) 228 EUID_USER();
237 EUID_ROOT();
238 return; 229 return;
239 } 230 }
240 231
@@ -252,8 +243,7 @@ static void whitelist_symlink(const char *link, const char *target) {
252 printf("Created symbolic link %s -> %s\n", link, target); 243 printf("Created symbolic link %s -> %s\n", link, target);
253 244
254 close(fd); 245 close(fd);
255 if (userprivs) 246 EUID_USER();
256 EUID_ROOT();
257} 247}
258 248
259static void globbing(const char *pattern) { 249static void globbing(const char *pattern) {
@@ -330,10 +320,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
330 // init tmpfs 320 // init tmpfs
331 if (strcmp(topdirs[i].path, "/run") == 0) { 321 if (strcmp(topdirs[i].path, "/run") == 0) {
332 // restore /run/firejail directory 322 // restore /run/firejail directory
333 if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1) 323 EUID_ROOT();
334 errExit("mkdir"); 324 mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0);
335 if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) 325 if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
336 errExit("mount bind"); 326 errExit("mount bind");
327 EUID_USER();
337 close(fd); 328 close(fd);
338 fs_logger2("whitelist", RUN_FIREJAIL_DIR); 329 fs_logger2("whitelist", RUN_FIREJAIL_DIR);
339 330
@@ -351,12 +342,14 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
351 errExit("asprintf"); 342 errExit("asprintf");
352 if (strcmp(env, pamtmpdir) == 0) { 343 if (strcmp(env, pamtmpdir) == 0) {
353 // create empty user-owned /tmp/user/$UID directory 344 // create empty user-owned /tmp/user/$UID directory
345 EUID_ROOT();
354 mkdir_attr("/tmp/user", 0711, 0, 0); 346 mkdir_attr("/tmp/user", 0711, 0, 0);
355 selinux_relabel_path("/tmp/user", "/tmp/user"); 347 selinux_relabel_path("/tmp/user", "/tmp/user");
356 fs_logger("mkdir /tmp/user"); 348 fs_logger("mkdir /tmp/user");
357 mkdir_attr(pamtmpdir, 0700, getuid(), 0); 349 mkdir_attr(pamtmpdir, 0700, getuid(), 0);
358 selinux_relabel_path(pamtmpdir, pamtmpdir); 350 selinux_relabel_path(pamtmpdir, pamtmpdir);
359 fs_logger2("mkdir", pamtmpdir); 351 fs_logger2("mkdir", pamtmpdir);
352 EUID_USER();
360 } 353 }
361 free(pamtmpdir); 354 free(pamtmpdir);
362 } 355 }
@@ -374,11 +367,8 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
374 } 367 }
375 368
376 // user home directory 369 // user home directory
377 if (tmpfs_home) { 370 if (tmpfs_home)
378 EUID_USER();
379 fs_private(); // checks owner if outside /home 371 fs_private(); // checks owner if outside /home
380 EUID_ROOT();
381 }
382 372
383 // /run/user/$UID directory 373 // /run/user/$UID directory
384 if (tmpfs_runuser) { 374 if (tmpfs_runuser) {
@@ -402,6 +392,7 @@ static int reject_topdir(const char *dir) {
402// keep track of whitelist top level directories by adding them to an array 392// keep track of whitelist top level directories by adding them to an array
403// open each directory 393// open each directory
404static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { 394static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
395 EUID_ASSERT();
405 assert(dir && path); 396 assert(dir && path);
406 397
407 // /proc and /sys are not allowed 398 // /proc and /sys are not allowed
@@ -516,6 +507,8 @@ static char *extract_topdir(const char *path) {
516} 507}
517 508
518void fs_whitelist(void) { 509void fs_whitelist(void) {
510 EUID_ASSERT();
511
519 ProfileEntry *entry = cfg.profile; 512 ProfileEntry *entry = cfg.profile;
520 if (!entry) 513 if (!entry)
521 return; 514 return;
@@ -536,7 +529,6 @@ void fs_whitelist(void) {
536 errExit("calloc"); 529 errExit("calloc");
537 530
538 // verify whitelist files, extract symbolic links, etc. 531 // verify whitelist files, extract symbolic links, etc.
539 EUID_USER();
540 while (entry) { 532 while (entry) {
541 int nowhitelist_flag = 0; 533 int nowhitelist_flag = 0;
542 534
@@ -630,7 +622,7 @@ void fs_whitelist(void) {
630 if (!fname) { 622 if (!fname) {
631 if (arg_debug || arg_debug_whitelists) { 623 if (arg_debug || arg_debug_whitelists) {
632 printf("Removed path: %s\n", entry->data); 624 printf("Removed path: %s\n", entry->data);
633 printf("\texpanded: %s\n", new_name); 625 printf("\tnew_name: %s\n", new_name);
634 printf("\trealpath: (null)\n"); 626 printf("\trealpath: (null)\n");
635 printf("\t%s\n", strerror(errno)); 627 printf("\t%s\n", strerror(errno));
636 } 628 }
@@ -712,7 +704,6 @@ void fs_whitelist(void) {
712 free(nowhitelist); 704 free(nowhitelist);
713 705
714 // mount tmpfs on all top level directories 706 // mount tmpfs on all top level directories
715 EUID_ROOT();
716 tmpfs_topdirs(topdirs); 707 tmpfs_topdirs(topdirs);
717 708
718 // go through profile rules again, and interpret whitelist commands 709 // go through profile rules again, and interpret whitelist commands
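Review bot: The test that decides whether `EUID_ROOT()` is taken is written out twice in negated form, at new line 134 in whitelist_file and new line 220 in whitelist_symlink, and the two copies must stay identical because they gate root privileges for creating the target path. A small static predicate used as `if (!in_user_owned_tree(path)) EUID_ROOT();` (the name is only a suggestion) would keep them in sync and avoid the De Morgan step. Both functions now open with `EUID_ASSERT()` and call `EUID_USER()` before every return shown here, so a header comment such as `// called with user euid; returns with user euid on every path` would document that contract. Both bodies continue outside the hunks, so any return not shown should be checked against the same rule.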
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 59acdb1fe..a9ff59be4 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -86,4 +86,4 @@ void run_ids(int argc, char **argv) {
86 fprintf(stderr, "Error: unrecognized IDS command\n"); 86 fprintf(stderr, "Error: unrecognized IDS command\n");
87 87
88 exit(0); 88 exit(0);
89} \ No newline at end of file 89}
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 394bbb528..0e76fd944 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -45,7 +45,7 @@ static unsigned display = 0;
45static void signal_handler(int sig){ 45static void signal_handler(int sig){
46 flush_stdin(); 46 flush_stdin();
47 47
48 exit(sig); 48 exit(128 + sig);
49} 49}
50 50
51static void install_handler(void) { 51static void install_handler(void) {
@@ -431,7 +431,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
431 431
432 // set cgroup 432 // set cgroup
433 if (cfg.cgroup) // not available for uid 0 433 if (cfg.cgroup) // not available for uid 0
434 set_cgroup(cfg.cgroup); 434 set_cgroup(cfg.cgroup, getpid());
435 435
436 // join namespaces 436 // join namespaces
437 if (arg_join_network) { 437 if (arg_join_network) {
@@ -536,7 +536,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
536 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); 536 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
537 537
538#ifdef HAVE_APPARMOR 538#ifdef HAVE_APPARMOR
539 // add apparmor confinement after the execve
540 set_apparmor(); 539 set_apparmor();
541#endif 540#endif
542 541
@@ -552,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
552 if (cfg.cpus) // not available for uid 0 551 if (cfg.cpus) // not available for uid 0
553 set_cpu_affinity(); 552 set_cpu_affinity();
554 553
555 // set nice value
556 if (arg_nice)
557 set_nice(cfg.nice);
558
559 // add x11 display 554 // add x11 display
560 if (display) { 555 if (display) {
561 char *display_str; 556 char *display_str;
@@ -574,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
574 dbus_set_system_bus_env(); 569 dbus_set_system_bus_env();
575#endif 570#endif
576 571
572 // set nice and rlimits
573 if (arg_nice)
574 set_nice(cfg.nice);
575 set_rlimits();
576
577 start_application(0, shfd, NULL); 577 start_application(0, shfd, NULL);
578 578
579 __builtin_unreachable(); 579 __builtin_unreachable();
@@ -596,15 +596,17 @@ void join(pid_t pid, int argc, char **argv, int index) {
596 596
597 // end of signal-safe code 597 // end of signal-safe code
598 //***************************** 598 //*****************************
599 flush_stdin();
600 599
601 if (WIFEXITED(status)) { 600 if (WIFEXITED(status)) {
601 // if we had a proper exit, return that exit status
602 status = WEXITSTATUS(status); 602 status = WEXITSTATUS(status);
603 } else if (WIFSIGNALED(status)) { 603 } else if (WIFSIGNALED(status)) {
604 status = WTERMSIG(status); 604 // distinguish fatal signals by adding 128
605 status = 128 + WTERMSIG(status);
605 } else { 606 } else {
606 status = 0; 607 status = -1;
607 } 608 }
608 609
610 flush_stdin();
609 exit(status); 611 exit(status);
610} 612}
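Review bot: The fallback branch at new line 607 sets `status = -1`, which `exit(status)` reports to the parent as 255, while the corresponding branch at the end of main() in this same commit uses `myexit(1)`. If both are meant to report the same condition, `status = 1;` would keep the exit codes consistent with the 0-127 and 128+signal scheme the other branches follow. If 255 is intended, a comment such as `// child neither exited nor was signaled: report failure` would say so. join() starts outside this hunk.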
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 70985ba9e..53e918dde 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -305,7 +305,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
305 } 305 }
306 // create destination file if necessary 306 // create destination file if necessary
307 EUID_ASSERT(); 307 EUID_ASSERT();
308 int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE); 308 int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR);
309 if (fd == -1) { 309 if (fd == -1) {
310 fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); 310 fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
311 exit(1); 311 exit(1);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e0bf44f62..c5b3d5739 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -32,7 +32,8 @@
32#include <dirent.h> 32#include <dirent.h>
33#include <pwd.h> 33#include <pwd.h>
34#include <errno.h> 34#include <errno.h>
35//#include <limits.h> 35
36#include <limits.h>
36#include <sys/file.h> 37#include <sys/file.h>
37#include <sys/prctl.h> 38#include <sys/prctl.h>
38#include <signal.h> 39#include <signal.h>
@@ -189,13 +190,15 @@ static void my_handler(int s) {
189 logsignal(s); 190 logsignal(s);
190 191
191 if (waitpid(child, NULL, WNOHANG) == 0) { 192 if (waitpid(child, NULL, WNOHANG) == 0) {
192 if (has_handler(child, s)) // signals are not delivered if there is no handler yet 193 // child is pid 1 of a pid namespace:
194 // signals are not delivered if there is no handler yet
195 if (has_handler(child, s))
193 kill(child, s); 196 kill(child, s);
194 else 197 else
195 kill(child, SIGKILL); 198 kill(child, SIGKILL);
196 waitpid(child, NULL, 0); 199 waitpid(child, NULL, 0);
197 } 200 }
198 myexit(s); 201 myexit(128 + s);
199} 202}
200 203
201static void install_handler(void) { 204static void install_handler(void) {
@@ -1263,9 +1266,9 @@ int main(int argc, char **argv, char **envp) {
1263 arg_debug = 1; 1266 arg_debug = 1;
1264 arg_quiet = 0; 1267 arg_quiet = 0;
1265 } 1268 }
1266 else if (strcmp(argv[i], "--debug-deny") == 0) 1269 else if (strcmp(argv[i], "--debug-blacklists") == 0)
1267 arg_debug_blacklists = 1; 1270 arg_debug_blacklists = 1;
1268 else if (strcmp(argv[i], "--debug-allow") == 0) 1271 else if (strcmp(argv[i], "--debug-whitelists") == 0)
1269 arg_debug_whitelists = 1; 1272 arg_debug_whitelists = 1;
1270 else if (strcmp(argv[i], "--debug-private-lib") == 0) 1273 else if (strcmp(argv[i], "--debug-private-lib") == 0)
1271 arg_debug_private_lib = 1; 1274 arg_debug_private_lib = 1;
@@ -1526,15 +1529,16 @@ int main(int argc, char **argv, char **envp) {
1526 else if (strncmp(argv[i], "--cgroup=", 9) == 0) { 1529 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
1527 if (checkcfg(CFG_CGROUP)) { 1530 if (checkcfg(CFG_CGROUP)) {
1528 if (option_cgroup) { 1531 if (option_cgroup) {
1529 fprintf(stderr, "Error: only a cgroup can be defined\n"); 1532 fprintf(stderr, "Error: only one cgroup can be defined\n");
1530 exit(1); 1533 exit(1);
1531 } 1534 }
1532
1533 option_cgroup = 1;
1534 cfg.cgroup = strdup(argv[i] + 9); 1535 cfg.cgroup = strdup(argv[i] + 9);
1535 if (!cfg.cgroup) 1536 if (!cfg.cgroup)
1536 errExit("strdup"); 1537 errExit("strdup");
1537 set_cgroup(cfg.cgroup); 1538
1539 check_cgroup_file(cfg.cgroup);
1540 set_cgroup(cfg.cgroup, getpid());
1541 option_cgroup = 1;
1538 } 1542 }
1539 else 1543 else
1540 exit_err_feature("cgroup"); 1544 exit_err_feature("cgroup");
@@ -3216,10 +3220,11 @@ printf("link #%s#\n", prf->link);
3216 if (WIFEXITED(status)){ 3220 if (WIFEXITED(status)){
3217 myexit(WEXITSTATUS(status)); 3221 myexit(WEXITSTATUS(status));
3218 } else if (WIFSIGNALED(status)) { 3222 } else if (WIFSIGNALED(status)) {
3219 myexit(WTERMSIG(status)); 3223 // distinguish fatal signals by adding 128
3224 myexit(128 + WTERMSIG(status));
3220 } else { 3225 } else {
3221 myexit(0); 3226 myexit(1);
3222 } 3227 }
3223 3228
3224 return 0; 3229 return 1;
3225} 3230}
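Review bot: In the `--cgroup=` branch (new lines 1535-1541) the path taken from argv goes through `check_cgroup_file(cfg.cgroup)` and then straight into `set_cgroup(cfg.cgroup, getpid())`, but nothing here says what the check enforces or whether it returns on a rejected path. Because the value is user supplied, a comment above the call would help, for example `// rejects cgroup paths the user may not use; does not return on failure (confirm in check_cgroup_file)`. If the check can return normally on a bad path, the `set_cgroup` call needs to be made conditional on its result. main() starts and ends outside this hunk.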
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 64a94bd84..ee437e10b 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,6 +19,7 @@
19*/ 19*/
20 20
21#include "firejail.h" 21#include "firejail.h"
22#include <errno.h>
22 23
23#include <fcntl.h> 24#include <fcntl.h>
24#ifndef O_PATH 25#ifndef O_PATH
@@ -32,43 +33,38 @@ static MountData mdata;
32 33
33 34
34// Convert octal escape sequence to decimal value 35// Convert octal escape sequence to decimal value
35static int read_oct(const char *path) { 36static unsigned read_oct(char *s) {
36 int dec = 0; 37 assert(s[0] == '\\');
37 int digit, i; 38 s++;
38 // there are always exactly three octal digits 39
39 for (i = 1; i < 4; i++) { 40 int i;
40 digit = *(path + i); 41 for (i = 0; i < 3; i++)
41 if (digit < '0' || digit > '7') { 42 assert(s[i] >= '0' && s[i] <= '7');
42 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); 43
43 exit(1); 44 return ((s[0] - '0') << 6 |
44 } 45 (s[1] - '0') << 3 |
45 dec = (dec << 3) + (digit - '0'); 46 (s[2] - '0') << 0);
46 }
47 return dec;
48} 47}
49 48
50// Restore empty spaces in pathnames extracted from /proc/self/mountinfo 49// Restore empty spaces in pathnames extracted from /proc/self/mountinfo
51static void unmangle_path(char *path) { 50static void unmangle_path(char *path) {
52 char *p = strchr(path, '\\'); 51 char *r = strchr(path, '\\');
53 if (p && read_oct(p) == ' ') { 52 if (!r)
54 *p = ' '; 53 return;
55 int i = 3; 54
56 do { 55 char *w = r;
57 p++; 56 do {
58 if (*(p + i) == '\\' && read_oct(p + i) == ' ') { 57 while (*r == '\\') {
59 *p = ' '; 58 *w++ = read_oct(r);
60 i += 3; 59 r += 4;
61 } 60 }
62 else 61 *w++ = *r;
63 *p = *(p + i); 62 } while (*r++);
64 } while (*p);
65 }
66} 63}
67 64
68// Parse a line from /proc/self/mountinfo, 65// Parse a line from /proc/self/mountinfo,
69// the function does an exit(1) if anything goes wrong. 66// the function does an exit(1) if anything goes wrong.
70static void parse_line(char *line, MountData *output) { 67static void parse_line(char *line, MountData *output) {
71 assert(line && output);
72 memset(output, 0, sizeof(*output)); 68 memset(output, 0, sizeof(*output));
73 // extract mount id, filesystem name, directory and filesystem types 69 // extract mount id, filesystem name, directory and filesystem types
74 // examples: 70 // examples:
@@ -86,8 +82,6 @@ static void parse_line(char *line, MountData *output) {
86 char *ptr = strtok(line, " "); 82 char *ptr = strtok(line, " ");
87 if (!ptr) 83 if (!ptr)
88 goto errexit; 84 goto errexit;
89 if (ptr != line)
90 goto errexit;
91 output->mountid = atoi(ptr); 85 output->mountid = atoi(ptr);
92 int cnt = 1; 86 int cnt = 1;
93 87
@@ -108,10 +102,9 @@ static void parse_line(char *line, MountData *output) {
108 ptr = strtok(NULL, " "); 102 ptr = strtok(NULL, " ");
109 if (!ptr) 103 if (!ptr)
110 goto errexit; 104 goto errexit;
111 output->fstype = ptr++; 105 output->fstype = ptr;
112
113 106
114 if (output->mountid == 0 || 107 if (output->mountid < 0 ||
115 output->fsname == NULL || 108 output->fsname == NULL ||
116 output->dir == NULL || 109 output->dir == NULL ||
117 output->fstype == NULL) 110 output->fstype == NULL)
@@ -151,111 +144,117 @@ MountData *get_last_mount(void) {
151 return &mdata; 144 return &mdata;
152} 145}
153 146
154// Extract the mount id from /proc/self/fdinfo and return it. 147// Returns mount id, or -1 if fd refers to a procfs or sysfs file
155int get_mount_id(const char *path) { 148static int get_mount_id_from_handle(int fd) {
156 EUID_ASSERT(); 149 EUID_ASSERT();
157 assert(path);
158 150
159 int fd = open(path, O_PATH|O_CLOEXEC); 151 char *proc;
160 if (fd == -1) 152 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
161 return -1; 153 errExit("asprintf");
154 struct file_handle *fh = malloc(sizeof *fh);
155 if (!fh)
156 errExit("malloc");
157 fh->handle_bytes = 0;
158
159 int rv = -1;
160 int tmp;
161 if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) {
162 fprintf(stderr, "Error: unexpected result from name_to_handle_at\n");
163 exit(1);
164 }
165 if (errno == EOVERFLOW && fh->handle_bytes)
166 rv = tmp;
167
168 free(proc);
169 free(fh);
170 return rv;
171}
172
173// Returns mount id, or -1 on kernels < 3.15
174static int get_mount_id_from_fdinfo(int fd) {
175 EUID_ASSERT();
176 int rv = -1;
162 177
163 char *fdinfo; 178 char *proc;
164 if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) 179 if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
165 errExit("asprintf"); 180 errExit("asprintf");
166 EUID_ROOT(); 181 EUID_ROOT();
167 FILE *fp = fopen(fdinfo, "re"); 182 FILE *fp = fopen(proc, "re");
168 EUID_USER(); 183 EUID_USER();
169 free(fdinfo);
170 if (!fp) 184 if (!fp)
171 goto errexit; 185 goto errexit;
172 186
173 // read the file
174 char buf[MAX_BUF]; 187 char buf[MAX_BUF];
175 if (fgets(buf, MAX_BUF, fp) == NULL) 188 while (fgets(buf, MAX_BUF, fp)) {
176 goto errexit;
177 do {
178 if (strncmp(buf, "mnt_id:", 7) == 0) { 189 if (strncmp(buf, "mnt_id:", 7) == 0) {
179 char *ptr = buf + 7; 190 if (sscanf(buf + 7, "%d", &rv) == 1)
180 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { 191 break;
181 ptr++; 192 goto errexit;
182 }
183 if (*ptr == '\0')
184 goto errexit;
185 fclose(fp);
186 close(fd);
187 return atoi(ptr);
188 } 193 }
189 } while (fgets(buf, MAX_BUF, fp)); 194 }
190 195
191 // fallback, kernels older than 3.15 don't expose the mount id in this place 196 free(proc);
192 fclose(fp); 197 fclose(fp);
193 close(fd); 198 return rv;
194 return -2;
195 199
196errexit: 200errexit:
197 fprintf(stderr, "Error: cannot read proc file\n"); 201 fprintf(stderr, "Error: cannot read proc file\n");
198 exit(1); 202 exit(1);
199} 203}
200 204
205int get_mount_id(int fd) {
206 int rv = get_mount_id_from_fdinfo(fd);
207 if (rv < 0)
208 rv = get_mount_id_from_handle(fd);
209 return rv;
210}
211
201// Check /proc/self/mountinfo if path contains any mounts points. 212// Check /proc/self/mountinfo if path contains any mounts points.
202// Returns an array that can be iterated over for recursive remounting. 213// Returns an array that can be iterated over for recursive remounting.
203char **build_mount_array(const int mount_id, const char *path) { 214char **build_mount_array(const int mountid, const char *path) {
204 assert(path); 215 assert(path);
205 216
206 // open /proc/self/mountinfo
207 FILE *fp = fopen("/proc/self/mountinfo", "re"); 217 FILE *fp = fopen("/proc/self/mountinfo", "re");
208 if (!fp) { 218 if (!fp) {
209 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); 219 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
210 exit(1); 220 exit(1);
211 } 221 }
212 222
213 // array to be returned 223 // try to find line with mount id
214 size_t cnt = 0; 224 int found = 0;
225 MountData mntp;
226 char line[MAX_BUF];
227 while (fgets(line, MAX_BUF, fp)) {
228 parse_line(line, &mntp);
229 if (mntp.mountid == mountid) {
230 found = 1;
231 break;
232 }
233 }
234
235 if (!found) {
236 fclose(fp);
237 return NULL;
238 }
239
240 // allocate array
215 size_t size = 32; 241 size_t size = 32;
216 char **rv = malloc(size * sizeof(*rv)); 242 char **rv = malloc(size * sizeof(*rv));
217 if (!rv) 243 if (!rv)
218 errExit("malloc"); 244 errExit("malloc");
219 245
220 // read /proc/self/mountinfo 246 // add directory itself
221 size_t pathlen = strlen(path); 247 size_t cnt = 0;
222 char buf[MAX_BUF]; 248 rv[cnt] = strdup(path);
223 MountData mntp; 249 if (rv[cnt] == NULL)
224 int found = 0; 250 errExit("strdup");
225 251
226 if (fgets(buf, MAX_BUF, fp) == NULL) { 252 // and add all following mountpoints contained in this directory
227 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); 253 size_t pathlen = strlen(path);
228 exit(1); 254 while (fgets(line, MAX_BUF, fp)) {
229 } 255 parse_line(line, &mntp);
230 do { 256 if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') {
231 parse_line(buf, &mntp); 257 if (++cnt == size) {
232 // find mount point with mount id
233 if (!found) {
234 if (mntp.mountid == mount_id) {
235 // give up if mount id has been reassigned,
236 // don't remount blacklisted path
237 if (strncmp(mntp.dir, path, strlen(mntp.dir)) ||
238 strstr(mntp.fsname, "firejail.ro.dir") ||
239 strstr(mntp.fsname, "firejail.ro.file"))
240 break;
241
242 rv[cnt] = strdup(path);
243 if (rv[cnt] == NULL)
244 errExit("strdup");
245 cnt++;
246 found = 1;
247 continue;
248 }
249 continue;
250 }
251 // from here on add all mount points below path,
252 // don't remount blacklisted paths
253 if (strncmp(mntp.dir, path, pathlen) == 0 &&
254 mntp.dir[pathlen] == '/' &&
255 strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
256 strstr(mntp.fsname, "firejail.ro.file") == NULL) {
257
258 if (cnt == size) {
259 size *= 2; 258 size *= 2;
260 rv = realloc(rv, size * sizeof(*rv)); 259 rv = realloc(rv, size * sizeof(*rv));
261 if (!rv) 260 if (!rv)
@@ -264,18 +263,17 @@ char **build_mount_array(const int mount_id, const char *path) {
264 rv[cnt] = strdup(mntp.dir); 263 rv[cnt] = strdup(mntp.dir);
265 if (rv[cnt] == NULL) 264 if (rv[cnt] == NULL)
266 errExit("strdup"); 265 errExit("strdup");
267 cnt++;
268 } 266 }
269 } while (fgets(buf, MAX_BUF, fp)); 267 }
268 fclose(fp);
270 269
271 if (cnt == size) { 270 // end of array
272 size++; 271 if (++cnt == size) {
272 ++size;
273 rv = realloc(rv, size * sizeof(*rv)); 273 rv = realloc(rv, size * sizeof(*rv));
274 if (!rv) 274 if (!rv)
275 errExit("realloc"); 275 errExit("realloc");
276 } 276 }
277 rv[cnt] = NULL; // end of the array 277 rv[cnt] = NULL;
278
279 fclose(fp);
280 return rv; 278 return rv;
281} 279}
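Review bot: read_oct (new lines 36-47) now validates the three octal digits with `assert()` only, so a build with NDEBUG has no check at all, and unmangle_path advances `r += 4` past every backslash regardless of what follows it. The old code exited with an error on a non-octal digit. Keeping that as a runtime check bounds the read and write pointers on a short or malformed escape: `if (s[i] < '0' || s[i] > '7') { fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); exit(1); }`. The same applies to the `assert(s[0] == '\\')` precondition if read_oct is ever called from elsewhere.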
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index b7c7185a6..9d92b6199 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -175,6 +175,10 @@ static int check_allow_drm(void) {
175 return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; 175 return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
176} 176}
177 177
178static int check_allow_tray(void) {
179 return checkcfg(CFG_ALLOW_TRAY) != 0;
180}
181
178Cond conditionals[] = { 182Cond conditionals[] = {
179 {"HAS_APPIMAGE", check_appimage}, 183 {"HAS_APPIMAGE", check_appimage},
180 {"HAS_NET", check_netoptions}, 184 {"HAS_NET", check_netoptions},
@@ -184,6 +188,7 @@ Cond conditionals[] = {
184 {"HAS_X11", check_x11}, 188 {"HAS_X11", check_x11},
185 {"BROWSER_DISABLE_U2F", check_disable_u2f}, 189 {"BROWSER_DISABLE_U2F", check_disable_u2f},
186 {"BROWSER_ALLOW_DRM", check_allow_drm}, 190 {"BROWSER_ALLOW_DRM", check_allow_drm},
191 {"ALLOW_TRAY", check_allow_tray},
187 { NULL, NULL } 192 { NULL, NULL }
188}; 193};
189 194
@@ -630,7 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
630#endif 635#endif
631 return 0; 636 return 0;
632 } 637 }
633 else if (strncmp(ptr, "netns ", 6) == 0) { 638 else if (strncmp(ptr, "netns ", 6) == 0) {
634#ifdef HAVE_NETWORK 639#ifdef HAVE_NETWORK
635 if (checkcfg(CFG_NETWORK)) { 640 if (checkcfg(CFG_NETWORK)) {
636 arg_netns = ptr + 6; 641 arg_netns = ptr + 6;
@@ -981,10 +986,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
981 warning_feature_disabled("seccomp"); 986 warning_feature_disabled("seccomp");
982 return 0; 987 return 0;
983 } 988 }
984 if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { 989 if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {
985 if (checkcfg(CFG_SECCOMP)) { 990 if (checkcfg(CFG_SECCOMP)) {
986 arg_seccomp32 = 1; 991 arg_seccomp32 = 1;
987 cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); 992 cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);
988 } 993 }
989 else 994 else
990 warning_feature_disabled("seccomp"); 995 warning_feature_disabled("seccomp");
@@ -1001,10 +1006,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1001 warning_feature_disabled("seccomp"); 1006 warning_feature_disabled("seccomp");
1002 return 0; 1007 return 0;
1003 } 1008 }
1004 if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { 1009 if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) {
1005 if (checkcfg(CFG_SECCOMP)) { 1010 if (checkcfg(CFG_SECCOMP)) {
1006 arg_seccomp32 = 1; 1011 arg_seccomp32 = 1;
1007 cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); 1012 cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16);
1008 } 1013 }
1009 else 1014 else
1010 warning_feature_disabled("seccomp"); 1015 warning_feature_disabled("seccomp");
@@ -1124,8 +1129,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1124 1129
1125 // cgroup 1130 // cgroup
1126 if (strncmp(ptr, "cgroup ", 7) == 0) { 1131 if (strncmp(ptr, "cgroup ", 7) == 0) {
1127 if (checkcfg(CFG_CGROUP)) 1132 if (checkcfg(CFG_CGROUP)) {
1128 set_cgroup(ptr + 7); 1133 cfg.cgroup = strdup(ptr + 7);
1134 if (!cfg.cgroup)
1135 errExit("strdup");
1136
1137 check_cgroup_file(cfg.cgroup);
1138 set_cgroup(cfg.cgroup, getpid());
1139 }
1129 else 1140 else
1130 warning_feature_disabled("cgroup"); 1141 warning_feature_disabled("cgroup");
1131 return 0; 1142 return 0;
@@ -1938,7 +1949,7 @@ char *profile_list_compress(char *list)
1938 /* Include non-empty item */ 1949 /* Include non-empty item */
1939 if (!*item) 1950 if (!*item)
1940 in[i] = 0; 1951 in[i] = 0;
1941 /* Remove all allready included items */ 1952 /* Remove all already included items */
1942 for (k = 0; k < i; ++k) 1953 for (k = 0; k < i; ++k)
1943 in[k] = 0; 1954 in[k] = 0;
1944 break; 1955 break;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 6f17231a4..59077dada 100644
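--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -21,7 +21,6 @@
 #include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>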
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 59ddfb855..d66b6c573 100644
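--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -87,9 +87,9 @@ static void sandbox_handler(int sig){
 
  // broadcast a SIGKILL
  kill(-1, SIGKILL);
- flush_stdin();
 
- exit(sig);
+ flush_stdin();
+ exit(128 + sig);
 }
 
 static void install_handler(void) {
@@ -204,7 +204,7 @@ static void save_umask(void) {
 }
 
 static char *create_join_file(void) {
- int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  if (fd == -1)
  errExit("open");
  if (ftruncate(fd, 1) == -1)
@@ -798,7 +798,7 @@ int sandbox(void* sandbox_arg) {
 
  // trace pre-install
  if (need_preload)
- fs_trace_preload();
+ fs_trace_touch_or_store_preload();
 
  // store hosts file
  if (cfg.hosts_file)
@@ -814,8 +814,11 @@ int sandbox(void* sandbox_arg) {
  //****************************
  // trace pre-install, this time inside chroot
  //****************************
- if (need_preload)
- fs_trace_preload();
+ if (need_preload) {
+ int rv = unlink(RUN_LDPRELOAD_FILE);
+ (void) rv;
+ fs_trace_touch_or_store_preload();
+ }
  }
  else
 #endif
@@ -992,7 +995,7 @@ int sandbox(void* sandbox_arg) {
 
  // create /etc/ld.so.preload file again
  if (need_preload)
- fs_trace_preload();
+ fs_trace_touch_preload();
 
  // openSUSE configuration is split between /etc and /usr/etc
  // process private-etc a second time
@@ -1004,10 +1007,12 @@ int sandbox(void* sandbox_arg) {
  // apply the profile file
  //****************************
  // apply all whitelist commands ...
+ EUID_USER();
  fs_whitelist();
 
  // ... followed by blacklist commands
  fs_blacklist(); // mkdir and mkfile are processed all over again
+ EUID_ROOT();
 
  //****************************
  // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
@@ -1243,7 +1248,6 @@ int sandbox(void* sandbox_arg) {
 
  if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
- // add apparmor confinement after the execve
  set_apparmor();
 #endif
 
@@ -1258,13 +1262,17 @@ int sandbox(void* sandbox_arg) {
  munmap(set_sandbox_status, 1);
 
  int status = monitor_application(app_pid); // monitor application
- flush_stdin();
 
  if (WIFEXITED(status)) {
  // if we had a proper exit, return that exit status
- return WEXITSTATUS(status);
+ status = WEXITSTATUS(status);
+ } else if (WIFSIGNALED(status)) {
+ // distinguish fatal signals by adding 128
+ status = 128 + WTERMSIG(status);
  } else {
- // something else went wrong!
- return -1;
+ status = -1;
  }
+
+ flush_stdin();
+ return status;
 }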
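Review bot: The `EUID_USER();` / `EUID_ROOT();` pair added around `fs_whitelist()` and `fs_blacklist()` in the "apply the profile file" hunk changes the privilege level both calls run at (presumably the effective uid), but no comment says so or why. Any step inside those two functions that needs root now has to raise privileges itself, and that cannot be checked from this hunk because their bodies, like the rest of `sandbox()`, are outside it. I would add a comment above the bracket such as `// profile paths are user-controlled: process whitelist/blacklist with the user's euid; callees raise privileges only where needed`, adjusted to what the callees really do. A smaller point in the chroot hunk: `int rv = unlink(RUN_LDPRELOAD_FILE); (void) rv;` hides every failure, so a short comment naming the failures that are expected there would help the next reader.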
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 6969e7a3d..fa59882ed 100644
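--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -57,7 +58,17 @@ void selinux_relabel_path(const char *path, const char *inside_path)
 
  /* Open the file as O_PATH, to pin it while we determine and adjust the label
  * Defeat symlink races by not allowing symbolic links */
+ int called_as_root = 0;
+ if (geteuid() == 0)
+ called_as_root = 1;
+ if (called_as_root)
+ EUID_USER();
+
  fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+
+ if (called_as_root)
+ EUID_ROOT();
+
  if (fd < 0)
  return;
  if (fstat(fd, &st) < 0)
@@ -68,8 +79,16 @@ void selinux_relabel_path(const char *path, const char *inside_path)
  if (arg_debug)
  printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
- setfilecon_raw(procfs_path, fcon);
+ if (!called_as_root)
+ EUID_ROOT();
+
+ if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+ printf("Cannot relabel %s: %s\n", path, strerror(errno));
+
+ if (!called_as_root)
+ EUID_USER();
  }
+
  freecon(fcon);
  close:
  close(fd);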
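Review bot: A failed `setfilecon_raw()` in the last hunk is reported only when `arg_debug` is set, so in a normal run a path that could not be relabeled keeps its previous label without any trace. If relabel failures are not routine (that is not visible from here), report them unconditionally: `if (setfilecon_raw(procfs_path, fcon) != 0) fprintf(stderr, "Warning: cannot relabel %s: %s\n", path, strerror(errno));`. The euid switching is balanced on the paths shown, since the first bracket restores root before the `fd < 0` return and the second has no exit between raise and drop. `selinux_relabel_path()` starts and ends outside these hunks, so the code between the two brackets should be read with the same question in mind.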
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d843c74ae..43f862b9d 100644
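--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -28,7 +28,6 @@ static char *usage_str =
  "\n"
  "Options:\n"
  " -- - signal the end of options and disables further option processing.\n"
- " --allow=filename - allow file system access.\n"
  " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
  " --allusers - all user home directories are visible inside the sandbox.\n"
  " --apparmor - enable AppArmor confinement.\n"
@@ -39,12 +38,13 @@ static char *usage_str =
 #endif
  " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
  " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
- " --build - build a profile for the application.\n"
- " --build=filename - build a profile for the application.\n"
+ " --blacklist=filename - blacklist directory or file.\n"
+ " --build - build a whitelisted profile for the application.\n"
+ " --build=filename - build a whitelisted profile for the application.\n"
  " --caps - enable default Linux capabilities filter.\n"
  " --caps.drop=all - drop all capabilities.\n"
- " --caps.drop=capability,capability - drop capabilities.\n"
- " --caps.keep=capability,capability - allow capabilities.\n"
+ " --caps.drop=capability,capability - blacklist capabilities filter.\n"
+ " --caps.keep=capability,capability - whitelist capabilities filter.\n"
  " --caps.print=name|pid - print the caps filter.\n"
 #ifdef HAVE_FILE_TRANSFER
  " --cat=name|pid filename - print content of file from sandbox container.\n"
@@ -75,18 +75,17 @@ static char *usage_str =
  " --dbus-user.talk=name - allow talking to name on the session DBus.\n"
 #endif
  " --debug - print sandbox debug messages.\n"
- " --debug-allow - debug file system access.\n"
- " --debug-deny - debug file system access.\n"
+ " --debug-blacklists - debug blacklisting.\n"
  " --debug-caps - print all recognized capabilities.\n"
  " --debug-errnos - print all recognized error numbers.\n"
  " --debug-private-lib - debug for --private-lib option.\n"
  " --debug-protocols - print all recognized protocols.\n"
  " --debug-syscalls - print all recognized system calls.\n"
  " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
+ " --debug-whitelists - debug whitelisting.\n"
 #ifdef HAVE_NETWORK
  " --defaultgw=address - configure default gateway.\n"
 #endif
- " --deny=filename - deny access to directory or file.\n"
  " --deterministic-exit-code - always exit with first child's status code.\n"
  " --dns=address - set DNS server.\n"
  " --dns.print=name|pid - print DNS configuration.\n"
@@ -147,14 +146,13 @@ static char *usage_str =
  " --netfilter6=filename - enable IPv6 firewall.\n"
  " --netfilter6.print=name|pid - print the IPv6 firewall.\n"
  " --netmask=address - define a network mask when dealing with unconfigured\n"
- "\tparrent interfaces.\n"
+ "\tparent interfaces.\n"
  " --netns=name - Run the program in a named, persistent network namespace.\n"
  " --netstats - monitor network statistics.\n"
 #endif
  " --nice=value - set nice value.\n"
  " --no3d - disable 3D hardware acceleration.\n"
- " --noallow=filename - disable allow command for file or directory.\n"
- " --nodeny=filename - disable deny command for file or directory.\n"
+ " --noblacklist=filename - disable blacklist for file or directory.\n"
  " --nodbus - disable D-Bus access.\n"
  " --nodvd - disable DVD and audio CD devices.\n"
  " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
@@ -169,6 +167,7 @@ static char *usage_str =
  " --noautopulse - disable automatic ~/.config/pulse init.\n"
  " --novideo - disable video devices.\n"
  " --nou2f - disable U2F devices.\n"
+ " --nowhitelist=filename - disable whitelist for file or directory.\n"
 #ifdef HAVE_OUTPUT
  " --output=logfile - stdout logging and log rotation.\n"
  " --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -225,14 +224,14 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
  " --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
- " --seccomp - enable seccomp filter and drop the default syscalls.\n"
- " --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n"
+ " --seccomp - enable seccomp filter and apply the default blacklist.\n"
+ " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
  "\tdefault syscall list and the syscalls specified by the command.\n"
  " --seccomp.block-secondary - build only the native architecture filters.\n"
  " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
- "\tdrop the syscalls specified by the command.\n"
+ "\tblacklist the syscalls specified by the command.\n"
  " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
- "\tallow the syscalls specified by the command.\n"
+ "\twhitelist the syscalls specified by the command.\n"
  " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
  "\tidentified by name or PID.\n"
  " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
@@ -247,7 +246,7 @@ static char *usage_str =
  " --top - monitor the most CPU-intensive sandboxes.\n"
  " --trace - trace open, access and connect system calls.\n"
  " --tracelog - add a syslog message for every access to files or\n"
- "\tdirectories dropped by the security profile.\n"
+ "\tdirectories blacklisted by the security profile.\n"
  " --tree - print a tree of all sandboxed processes.\n"
  " --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
  "\tfiretunnel utility.\n"
@@ -255,6 +254,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
  " --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
+ " --whitelist=filename - whitelist directory or file.\n"
  " --writable-etc - /etc directory is mounted read-write.\n"
  " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
  "\t/run/user/$UID/gnupg.\n"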
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 094a68c60..55dcdc246 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -20,8 +20,6 @@
20#define _XOPEN_SOURCE 500 20#define _XOPEN_SOURCE 500
21#include "firejail.h" 21#include "firejail.h"
22#include "../include/gcov_wrapper.h" 22#include "../include/gcov_wrapper.h"
23#include <ftw.h>
24#include <sys/stat.h>
25#include <sys/mount.h> 23#include <sys/mount.h>
26#include <syslog.h> 24#include <syslog.h>
27#include <errno.h> 25#include <errno.h>
@@ -32,9 +30,6 @@
32#include <sys/wait.h> 30#include <sys/wait.h>
33#include <limits.h> 31#include <limits.h>
34 32
35#include <string.h>
36#include <ctype.h>
37
38#include <fcntl.h> 33#include <fcntl.h>
39#ifndef O_PATH 34#ifndef O_PATH
40#define O_PATH 010000000 35#define O_PATH 010000000
@@ -459,31 +454,21 @@ int is_dir(const char *fname) {
459 if (*fname == '\0') 454 if (*fname == '\0')
460 return 0; 455 return 0;
461 456
462 int called_as_root = 0;
463 if (geteuid() == 0)
464 called_as_root = 1;
465
466 if (called_as_root)
467 EUID_USER();
468
469 // if fname doesn't end in '/', add one 457 // if fname doesn't end in '/', add one
470 int rv; 458 int rv;
471 struct stat s; 459 struct stat s;
472 if (fname[strlen(fname) - 1] == '/') 460 if (fname[strlen(fname) - 1] == '/')
473 rv = stat(fname, &s); 461 rv = stat_as_user(fname, &s);
474 else { 462 else {
475 char *tmp; 463 char *tmp;
476 if (asprintf(&tmp, "%s/", fname) == -1) { 464 if (asprintf(&tmp, "%s/", fname) == -1) {
477 fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); 465 fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
478 errExit("asprintf"); 466 errExit("asprintf");
479 } 467 }
480 rv = stat(tmp, &s); 468 rv = stat_as_user(tmp, &s);
481 free(tmp); 469 free(tmp);
482 } 470 }
483 471
484 if (called_as_root)
485 EUID_ROOT();
486
487 if (rv == -1) 472 if (rv == -1)
488 return 0; 473 return 0;
489 474
@@ -499,13 +484,6 @@ int is_link(const char *fname) {
499 if (*fname == '\0') 484 if (*fname == '\0')
500 return 0; 485 return 0;
501 486
502 int called_as_root = 0;
503 if (geteuid() == 0)
504 called_as_root = 1;
505
506 if (called_as_root)
507 EUID_USER();
508
509 // remove trailing '/' if any 487 // remove trailing '/' if any
510 char *tmp = strdup(fname); 488 char *tmp = strdup(fname);
511 if (!tmp) 489 if (!tmp)
@@ -513,12 +491,9 @@ int is_link(const char *fname) {
513 trim_trailing_slash_or_dot(tmp); 491 trim_trailing_slash_or_dot(tmp);
514 492
515 char c; 493 char c;
516 ssize_t rv = readlink(tmp, &c, 1); 494 ssize_t rv = readlink_as_user(tmp, &c, 1);
517 free(tmp); 495 free(tmp);
518 496
519 if (called_as_root)
520 EUID_ROOT();
521
522 return (rv != -1); 497 return (rv != -1);
523} 498}
524 499
@@ -540,6 +515,24 @@ char *realpath_as_user(const char *fname) {
540 return rv; 515 return rv;
541} 516}
542 517
518ssize_t readlink_as_user(const char *fname, char *buf, size_t sz) {
519 assert(fname && buf && sz);
520
521 int called_as_root = 0;
522 if (geteuid() == 0)
523 called_as_root = 1;
524
525 if (called_as_root)
526 EUID_USER();
527
528 ssize_t rv = readlink(fname, buf, sz);
529
530 if (called_as_root)
531 EUID_ROOT();
532
533 return rv;
534}
535
543int stat_as_user(const char *fname, struct stat *s) { 536int stat_as_user(const char *fname, struct stat *s) {
544 assert(fname); 537 assert(fname);
545 538
@@ -974,12 +967,9 @@ uid_t pid_get_uid(pid_t pid) {
974} 967}
975 968
976 969
977 970gid_t get_group_id(const char *groupname) {
978
979uid_t get_group_id(const char *group) {
980 // find tty group id
981 gid_t gid = 0; 971 gid_t gid = 0;
982 struct group *g = getgrnam(group); 972 struct group *g = getgrnam(groupname);
983 if (g) 973 if (g)
984 gid = g->gr_gid; 974 gid = g->gr_gid;
985 975
@@ -987,86 +977,6 @@ uid_t get_group_id(const char *group) {
987} 977}
988 978
989 979
990static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
991 (void) sb;
992 (void) typeflag;
993 (void) ftwbuf;
994 assert(fpath);
995
996 if (strcmp(fpath, ".") == 0)
997 return 0;
998
999 if (remove(fpath)) { // removes the link not the actual file
1000 perror("remove");
1001 fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath);
1002 exit(1);
1003 }
1004
1005 return 0;
1006}
1007
1008
1009int remove_overlay_directory(void) {
1010 EUID_ASSERT();
1011 sleep(1);
1012
1013 char *path;
1014 if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
1015 errExit("asprintf");
1016
1017 if (access(path, F_OK) == 0) {
1018 pid_t child = fork();
1019 if (child < 0)
1020 errExit("fork");
1021 if (child == 0) {
1022 // open ~/.firejail
1023 int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
1024 if (fd == -1) {
1025 fprintf(stderr, "Error: cannot open %s\n", path);
1026 exit(1);
1027 }
1028 struct stat s;
1029 if (fstat(fd, &s) == -1)
1030 errExit("fstat");
1031 if (!S_ISDIR(s.st_mode)) {
1032 if (S_ISLNK(s.st_mode))
1033 fprintf(stderr, "Error: %s is a symbolic link\n", path);
1034 else
1035 fprintf(stderr, "Error: %s is not a directory\n", path);
1036 exit(1);
1037 }
1038 if (s.st_uid != getuid()) {
1039 fprintf(stderr, "Error: %s is not owned by the current user\n", path);
1040 exit(1);
1041 }
1042 // chdir to ~/.firejail
1043 if (fchdir(fd) == -1)
1044 errExit("fchdir");
1045 close(fd);
1046
1047 EUID_ROOT();
1048 // FTW_PHYS - do not follow symbolic links
1049 if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
1050 errExit("nftw");
1051
1052 EUID_USER();
1053 // remove ~/.firejail
1054 if (rmdir(path) == -1)
1055 errExit("rmdir");
1056
1057 __gcov_flush();
1058
1059 _exit(0);
1060 }
1061 // wait for the child to finish
1062 waitpid(child, NULL, 0);
1063 // check if ~/.firejail was deleted
1064 if (access(path, F_OK) == 0)
1065 return 1;
1066 }
1067 return 0;
1068}
1069
1070// flush stdin if it is connected to a tty and has input 980// flush stdin if it is connected to a tty and has input
1071void flush_stdin(void) { 981void flush_stdin(void) {
1072 if (!isatty(STDIN_FILENO)) 982 if (!isatty(STDIN_FILENO))
@@ -1095,31 +1005,33 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
1095 assert(dir); 1005 assert(dir);
1096 mode &= 07777; 1006 mode &= 07777;
1097 1007
1098 if (access(dir, F_OK) != 0) { 1008 if (access(dir, F_OK) == 0)
1009 return 0;
1010
1011 pid_t child = fork();
1012 if (child < 0)
1013 errExit("fork");
1014 if (child == 0) {
1015 // drop privileges
1016 drop_privs(0);
1017
1099 if (arg_debug) 1018 if (arg_debug)
1100 printf("Creating empty %s directory\n", dir); 1019 printf("Creating empty %s directory\n", dir);
1101 pid_t child = fork(); 1020 if (mkdir(dir, mode) == 0) {
1102 if (child < 0) 1021 int err = chmod(dir, mode);
1103 errExit("fork"); 1022 (void) err;
1104 if (child == 0) { 1023 }
1105 // drop privileges 1024 else if (arg_debug)
1106 drop_privs(0); 1025 printf("Directory %s not created: %s\n", dir, strerror(errno));
1107
1108 if (mkdir(dir, mode) == 0) {
1109 int err = chmod(dir, mode);
1110 (void) err;
1111 }
1112 else if (arg_debug)
1113 printf("Directory %s not created: %s\n", dir, strerror(errno));
1114 1026
1115 __gcov_flush(); 1027 __gcov_flush();
1116 1028
1117 _exit(0); 1029 _exit(0);
1118 }
1119 waitpid(child, NULL, 0);
1120 if (access(dir, F_OK) == 0)
1121 return 1;
1122 } 1030 }
1031 waitpid(child, NULL, 0);
1032
1033 if (access(dir, F_OK) == 0)
1034 return 1;
1123 return 0; 1035 return 0;
1124} 1036}
1125 1037
@@ -1509,7 +1421,7 @@ static int has_link(const char *dir) {
1509void check_homedir(const char *dir) { 1421void check_homedir(const char *dir) {
1510 assert(dir); 1422 assert(dir);
1511 if (dir[0] != '/') { 1423 if (dir[0] != '/') {
1512 fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); 1424 fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
1513 exit(1); 1425 exit(1);
1514 } 1426 }
1515 // symlinks are rejected in many places 1427 // symlinks are rejected in many places
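Review bot: `readlink_as_user()` is added without a comment, and its contract is easy to get wrong at call sites: like `readlink(2)` it does not NUL-terminate `buf`, and it only switches euid when entered with euid 0. `is_link()` in this commit is safe because it passes a one-byte buffer and looks only at the return value, but a later caller that treats `buf` as a string would read past the copied bytes. I would put `// readlink(2) with the user's euid when called as root; buf is NOT NUL-terminated, returns the byte count or -1` above the function. It is also worth noting there that `assert(fname && buf && sz)` is compiled out in NDEBUG builds; whether this project builds that way is not visible here.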
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index be3104da3..3f8c89bfb 100644
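--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -61,4 +61,4 @@ char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
 int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
-#endif
\ No newline at end of file
+#endif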
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 7f994d6a1..be18ac109 100644
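--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -110,4 +110,4 @@ void noexec_test(const char *path) {
  wait(&status);
  int rv = unlink(fname);
  (void) rv;
-}
\ No newline at end of file
+}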
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index d88512b0a..319902ff7 100644
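--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -18,12 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #define _GNU_SOURCE
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <dlfcn.h>
 #include <sys/types.h>
-#include <limits.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -706,10 +706,14 @@ __attribute__((constructor))
 static void log_exec(int argc, char** argv) {
  (void) argc;
  (void) argv;
- static char buf[PATH_MAX + 1];
- int rv = readlink("/proc/self/exe", buf, PATH_MAX);
- if (rv != -1) {
- buf[rv] = '\0'; // readlink does not add a '\0' at the end
+ char *buf = realpath("/proc/self/exe", NULL);
+ if (buf == NULL) {
+ if (errno == ENOMEM) {
+ tprintf(ftty, "realpath: %s\n", strerror(errno));
+ exit(1);
+ }
+ } else {
  tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+ free(buf);
  }
 }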
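Review bot: When `realpath("/proc/self/exe", NULL)` fails with anything other than ENOMEM, `log_exec()` now writes nothing, so the exec record for that process is missing from the trace. That may happen more often than with the old `readlink()`, because `realpath()` also has to resolve the link target and will likely fail if the executable has been unlinked or is not reachable from the current mount namespace. For a tracing library a missing record is worse than an imprecise one, so I would log a fallback line after the ENOMEM check, for example `else tprintf(ftty, "%u:%s:exec (unresolved):0\n", mypid, myname);` (the wording is only a suggestion). Separately, `exit(1)` inside the constructor of a preloaded library terminates the traced program itself on ENOMEM, which deserves a comment if it is intended.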
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6280026e6..a1eccaa5e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director
78Several command line options can be passed to the program using 78Several command line options can be passed to the program using
79profile files. Firejail chooses the profile file as follows: 79profile files. Firejail chooses the profile file as follows:
80 80
81\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. 81\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
82Example: 82Example:
83.PP 83.PP
84.RS 84.RS
@@ -156,7 +156,7 @@ Scripting commands:
156\fBFile and directory names 156\fBFile and directory names
157File and directory names containing spaces are supported. The space character ' ' should not be escaped. 157File and directory names containing spaces are supported. The space character ' ' should not be escaped.
158 158
159Example: "deny ~/My Virtual Machines" 159Example: "blacklist ~/My Virtual Machines"
160 160
161.TP 161.TP
162\fB# this is a comment 162\fB# this is a comment
@@ -170,11 +170,11 @@ net none # this command creates an empty network namespace
170\fB?CONDITIONAL: profile line 170\fB?CONDITIONAL: profile line
171Conditionally add profile line. 171Conditionally add profile line.
172 172
173Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" 173Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
174 174
175This example will load the profile line only if the \-\-appimage option has been specified on the command line. 175This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
176 176
177Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM 177Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
178can be enabled or disabled globally in Firejail's configuration file. 178can be enabled or disabled globally in Firejail's configuration file.
179 179
180The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. 180The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files
205are included at the start of regular profile files. 205are included at the start of regular profile files.
206 206
207.TP 207.TP
208\fBnoallow file_name 208\fBnoblacklist file_name
209If the file name matches file_name, the file will not be allowed in any allow commands that follow. 209If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
210 210
211Example: "nowhitelist ~/.config" 211Example: "noblacklist ${HOME}/.mozilla"
212 212
213.TP 213.TP
214\fBnodeny file_name 214\fBnowhitelist file_name
215If the file name matches file_name, the file will not be denied any deny commands that follow. 215If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow.
216 216
217Example: "nodeny ${HOME}/.mozilla" 217Example: "nowhitelist ~/.config"
218 218
219.TP 219.TP
220\fBignore 220\fBignore
@@ -242,17 +242,19 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect
242for more details. 242for more details.
243Examples: 243Examples:
244.TP 244.TP
245\fBallow file_or_directory 245\fBblacklist file_or_directory
246Allow directory or file. A temporary file system is mounted on the top directory, and the 246Blacklist directory or file. Examples:
247allowed files are mount-binded inside. Modifications to allowd files are persistent,
248everything else is discarded when the sandbox is closed. The top directory can be
249all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
250all directories in /usr.
251.br 247.br
252 248
253.br 249.br
254Symbolic link handling: with the exception of user home, both the link and the real file should be in 250blacklist /usr/bin
255the same top directory. For user home, both the link and the real file should be owned by the user. 251.br
252blacklist /usr/bin/gcc*
253.br
254blacklist ${PATH}/ifconfig
255.br
256blacklist ${HOME}/.ssh
257
256.TP 258.TP
257\fBblacklist-nolog file_or_directory 259\fBblacklist-nolog file_or_directory
258When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. 260When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
@@ -271,20 +273,6 @@ Mount-bind directory1 on top of directory2. This option is only available when r
271\fBbind file1,file2 273\fBbind file1,file2
272Mount-bind file1 on top of file2. This option is only available when running as root. 274Mount-bind file1 on top of file2. This option is only available when running as root.
273.TP 275.TP
274\fBdeny file_or_directory
275Deny access to directory or file. Examples:
276.br
277
278.br
279deny /usr/bin
280.br
281deny /usr/bin/gcc*
282.br
283deny ${PATH}/ifconfig
284.br
285deny ${HOME}/.ssh
286
287.TP
288\fBdisable-mnt 276\fBdisable-mnt
289Disable /mnt, /media, /run/mount and /run/media access. 277Disable /mnt, /media, /run/mount and /run/media access.
290.TP 278.TP
@@ -304,7 +292,7 @@ The directory is created if it doesn't already exist.
304.br 292.br
305 293
306.br 294.br
307Use this command for allowed directories you need to preserve 295Use this command for whitelisted directories you need to preserve
308when the sandbox is closed. Without it, the application will create the directory, and the directory 296when the sandbox is closed. Without it, the application will create the directory, and the directory
309will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from 297will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
310firefox profile: 298firefox profile:
@@ -317,7 +305,7 @@ whitelist ~/.mozilla
317.br 305.br
318mkdir ~/.cache/mozilla/firefox 306mkdir ~/.cache/mozilla/firefox
319.br 307.br
320allow ~/.cache/mozilla/firefox 308whitelist ~/.cache/mozilla/firefox
321.br 309.br
322 310
323.br 311.br
@@ -336,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid.
336#ifdef HAVE_OVERLAYFS 324#ifdef HAVE_OVERLAYFS
337.TP 325.TP
338\fBoverlay 326\fBoverlay
339Mount a filesystem overlay on top of the current filesystem. 327Mount a filesystem overlay on top of the current filesystem.
340The overlay is stored in $HOME/.firejail/<PID> directory. 328The overlay is stored in $HOME/.firejail/<PID> directory.
341.TP 329.TP
342\fBoverlay-named name 330\fBoverlay-named name
343Mount a filesystem overlay on top of the current filesystem. 331Mount a filesystem overlay on top of the current filesystem.
344The overlay is stored in $HOME/.firejail/name directory. 332The overlay is stored in $HOME/.firejail/name directory.
345.TP 333.TP
346\fBoverlay-tmpfs 334\fBoverlay-tmpfs
347Mount a filesystem overlay on top of the current filesystem. 335Mount a filesystem overlay on top of the current filesystem.
348All filesystem modifications are discarded when the sandbox is closed. 336All filesystem modifications are discarded when the sandbox is closed.
349#endif 337#endif
350.TP 338.TP
351\fBprivate 339\fBprivate
@@ -423,7 +411,7 @@ expressed as foo/bar -- is disallowed).
423All modifications are discarded when the sandbox is closed. 411All modifications are discarded when the sandbox is closed.
424.TP 412.TP
425\fBprivate-tmp 413\fBprivate-tmp
426Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix. 414Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
427.TP 415.TP
428\fBread-only file_or_directory 416\fBread-only file_or_directory
429Make directory or file read-only. 417Make directory or file read-only.
@@ -435,13 +423,25 @@ Make directory or file read-write.
435Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. 423Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
436.TP 424.TP
437\fBtracelog 425\fBtracelog
438File system deny violations logged to syslog. 426Blacklist violations logged to syslog.
427.TP
428\fBwhitelist file_or_directory
429Whitelist directory or file. A temporary file system is mounted on the top directory, and the
430whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
431everything else is discarded when the sandbox is closed. The top directory can be
432all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
433all directories in /usr.
434.br
435
436.br
437Symbolic link handling: with the exception of user home, both the link and the real file should be in
438the same top directory. For user home, both the link and the real file should be owned by the user.
439.TP 439.TP
440\fBwritable-etc 440\fBwritable-etc
441Mount /etc directory read-write. 441Mount /etc directory read-write.
442.TP 442.TP
443\fBwritable-run-user 443\fBwritable-run-user
444Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg. 444Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
445.TP 445.TP
446\fBwritable-var 446\fBwritable-var
447Mount /var directory read-write. 447Mount /var directory read-write.
@@ -455,7 +455,7 @@ The following security filters are currently implemented:
455 455
456.TP 456.TP
457\fBallow-debuggers 457\fBallow-debuggers
458Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv. 458Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
459#ifdef HAVE_APPARMOR 459#ifdef HAVE_APPARMOR
460.TP 460.TP
461\fBapparmor 461\fBapparmor
@@ -466,13 +466,13 @@ Enable AppArmor confinement.
466Enable default Linux capabilities filter. 466Enable default Linux capabilities filter.
467.TP 467.TP
468\fBcaps.drop capability,capability,capability 468\fBcaps.drop capability,capability,capability
469Deny given Linux capabilities. 469Blacklist given Linux capabilities.
470.TP 470.TP
471\fBcaps.drop all 471\fBcaps.drop all
472Deny all Linux capabilities. 472Blacklist all Linux capabilities.
473.TP 473.TP
474\fBcaps.keep capability,capability,capability 474\fBcaps.keep capability,capability,capability
475Allow given Linux capabilities. 475Whitelist given Linux capabilities.
476.TP 476.TP
477\fBmemory-deny-write-execute 477\fBmemory-deny-write-execute
478Install a seccomp filter to block attempts to create memory mappings 478Install a seccomp filter to block attempts to create memory mappings
@@ -487,42 +487,42 @@ does not result in an increase of privilege.
487#ifdef HAVE_USERNS 487#ifdef HAVE_USERNS
488.TP 488.TP
489\fBnoroot 489\fBnoroot
490Use this command to enable an user namespace. The namespace has only one user, the current user. 490Use this command to enable an user namespace. The namespace has only one user, the current user.
491There is no root account (uid 0) defined in the namespace. 491There is no root account (uid 0) defined in the namespace.
492#endif 492#endif
493.TP 493.TP
494\fBprotocol protocol1,protocol2,protocol3 494\fBprotocol protocol1,protocol2,protocol3
495Enable protocol filter. The filter is based on seccomp and checks the 495Enable protocol filter. The filter is based on seccomp and checks the
496first argument to socket system call. Recognized values: \fBunix\fR, 496first argument to socket system call. Recognized values: \fBunix\fR,
497\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. 497\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
498.TP 498.TP
499\fBseccomp 499\fBseccomp
500Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details. 500Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
501.TP 501.TP
502\fBseccomp.32 502\fBseccomp.32
503Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. 503Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
504.TP 504.TP
505\fBseccomp syscall,syscall,syscall 505\fBseccomp syscall,syscall,syscall
506Enable seccomp filter and deny the system calls in the list on top of default seccomp filter. 506Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
507.TP 507.TP
508\fBseccomp.32 syscall,syscall,syscall 508\fBseccomp.32 syscall,syscall,syscall
509Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. 509Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
510.TP 510.TP
511\fBseccomp.block-secondary 511\fBseccomp.block-secondary
512Enable seccomp filter and filter system call architectures 512Enable seccomp filter and filter system call architectures
513so that only the native architecture is allowed. 513so that only the native architecture is allowed.
514.TP 514.TP
515\fBseccomp.drop syscall,syscall,syscall 515\fBseccomp.drop syscall,syscall,syscall
516Enable seccomp filter and deny the system calls in the list. 516Enable seccomp filter and blacklist the system calls in the list.
517.TP 517.TP
518\fBseccomp.32.drop syscall,syscall,syscall 518\fBseccomp.32.drop syscall,syscall,syscall
519Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system. 519Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
520.TP 520.TP
521\fBseccomp.keep syscall,syscall,syscall 521\fBseccomp.keep syscall,syscall,syscall
522Enable seccomp filter and allow the system calls in the list. 522Enable seccomp filter and whitelist the system calls in the list.
523.TP 523.TP
524\fBseccomp.32.keep syscall,syscall,syscall 524\fBseccomp.32.keep syscall,syscall,syscall
525Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system. 525Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
526.TP 526.TP
527\fBseccomp-error-action kill | log | ERRNO 527\fBseccomp-error-action kill | log | ERRNO
528Return a different error instead of EPERM to the process, kill it when 528Return a different error instead of EPERM to the process, kill it when
@@ -534,7 +534,7 @@ attempt.
534Enable X11 sandboxing. 534Enable X11 sandboxing.
535.TP 535.TP
536\fBx11 none 536\fBx11 none
537Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. 537Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
538Remove DISPLAY and XAUTHORITY environment variables. 538Remove DISPLAY and XAUTHORITY environment variables.
539Stop with error message if X11 abstract socket will be accessible in jail. 539Stop with error message if X11 abstract socket will be accessible in jail.
540.TP 540.TP
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
606Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. 606Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
607.TP 607.TP
608\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications 608\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
609Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. 609Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
610.TP 610.TP
611\fBdbus-user filter 611\fBdbus-user filter
612Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. 612Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually.
873 873
874.TP 874.TP
875\fBiprange address,address 875\fBiprange address,address
876Assign an IP address in the provided range to the last network 876Assign an IP address in the provided range to the last network
877interface defined by a net command. A default gateway is assigned by default. 877interface defined by a net command. A default gateway is assigned by default.
878.br 878.br
879 879
880.br 880.br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 498ff9aa9..e724e4bb9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb
45#ifdef HAVE_LTS 45#ifdef HAVE_LTS
46This is Firejail long-term support (LTS), an enterprise focused version of the software, 46This is Firejail long-term support (LTS), an enterprise focused version of the software,
47LTS is usually supported for two or three years. 47LTS is usually supported for two or three years.
48During this time only bugs and the occasional documentation problems are fixed. 48During this time only bugs and the occasional documentation problems are fixed.
49The attack surface of the SUID executable was greatly reduced by removing some of the features. 49The attack surface of the SUID executable was greatly reduced by removing some of the features.
50.br 50.br
51 51
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
99\fB\-\- 99\fB\-\-
100Signal the end of options and disables further option processing. 100Signal the end of options and disables further option processing.
101.TP 101.TP
102\fB\-\-allow=dirname_or_filename
103Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
104allowed files are mount-binded inside. Modifications to allowed files are persistent,
105everything else is discarded when the sandbox is closed. The top directory can be
106all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
107all directories in /usr.
108.br
109
110.br
111Symbolic link handling: with the exception of user home, both the link and the real file should be in
112the same top directory. For user home, both the link and the real file should be owned by the user.
113.br
114
115.br
116File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
117.br
118
119.br
120Example:
121.br
122$ firejail \-\-noprofile \-\-allow=~/.mozilla
123.br
124$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
125.br
126$ firejail "\-\-allow=/home/username/My Virtual Machines"
127.br
128$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
129
130
131
132
133
134
135.TP
136\fB\-\-allow-debuggers 102\fB\-\-allow-debuggers
137Allow tools such as strace and gdb inside the sandbox by whitelisting 103Allow tools such as strace and gdb inside the sandbox by whitelisting
138system calls ptrace and process_vm_readv. This option is only 104system calls ptrace and process_vm_readv. This option is only
@@ -143,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
143.br 109.br
144Example: 110Example:
145.br 111.br
146$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox 112$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
147.TP 113.TP
148\fB\-\-allusers 114\fB\-\-allusers
149All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. 115All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -203,6 +169,21 @@ Example:
203.br 169.br
204# firejail \-\-bind=/config/etc/passwd,/etc/passwd 170# firejail \-\-bind=/config/etc/passwd,/etc/passwd
205.TP 171.TP
172\fB\-\-blacklist=dirname_or_filename
173Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
174.br
175
176.br
177Example:
178.br
179$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
180.br
181$ firejail \-\-blacklist=~/.mozilla
182.br
183$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
184.br
185$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
186.TP
206\fB\-\-build 187\fB\-\-build
207The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also 188The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
208builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, 189builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100
262 243
263.TP 244.TP
264\fB\-\-caps.drop=capability,capability,capability 245\fB\-\-caps.drop=capability,capability,capability
265Define a custom Linux capabilities filter. 246Define a custom blacklist Linux capabilities filter.
266.br 247.br
267 248
268.br 249.br
@@ -309,8 +290,8 @@ $ firejail \-\-caps.print=3272
309Print content of file from sandbox container, see FILE TRANSFER section for more details. 290Print content of file from sandbox container, see FILE TRANSFER section for more details.
310#endif 291#endif
311.TP 292.TP
312\fB\-\-cgroup=tasks-file 293\fB\-\-cgroup=file
313Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. 294Place the sandbox in the specified control group. file is the full path of a tasks or cgroup.procs file.
314.br 295.br
315 296
316.br 297.br
@@ -329,6 +310,11 @@ regular user, nonewprivs and a default capabilities filter are enabled.
329Example: 310Example:
330.br 311.br
331$ firejail \-\-chroot=/media/ubuntu warzone2100 312$ firejail \-\-chroot=/media/ubuntu warzone2100
313.br
314
315.br
316For automatic mounting of X11 and PulseAudio sockets set environment variables
317FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
332#endif 318#endif
333.TP 319.TP
334\fB\-\-cpu=cpu-number,cpu-number,cpu-number 320\fB\-\-cpu=cpu-number,cpu-number,cpu-number
@@ -643,14 +629,14 @@ Example:
643$ firejail \-\-debug firefox 629$ firejail \-\-debug firefox
644 630
645.TP 631.TP
646\fB\-\-debug-allow\fR 632\fB\-\-debug-blacklists\fR
647Debug file system access. 633Debug blacklisting.
648.br 634.br
649 635
650.br 636.br
651Example: 637Example:
652.br 638.br
653$ firejail \-\-debug-allow firefox 639$ firejail \-\-debug-blacklists firefox
654 640
655.TP 641.TP
656\fB\-\-debug-caps 642\fB\-\-debug-caps
@@ -663,16 +649,6 @@ Example:
663$ firejail \-\-debug-caps 649$ firejail \-\-debug-caps
664 650
665.TP 651.TP
666\fB\-\-debug-deny\fR
667Debug file access.
668.br
669
670.br
671Example:
672.br
673$ firejail \-\-debug-deny firefox
674
675.TP
676\fB\-\-debug-errnos 652\fB\-\-debug-errnos
677Print all recognized error numbers in the current Firejail software build and exit. 653Print all recognized error numbers in the current Firejail software build and exit.
678.br 654.br
@@ -706,44 +682,33 @@ $ firejail \-\-debug-syscalls
706\fB\-\-debug-syscalls32 682\fB\-\-debug-syscalls32
707Print all recognized 32 bit system calls in the current Firejail software build and exit. 683Print all recognized 32 bit system calls in the current Firejail software build and exit.
708.br 684.br
709
710#ifdef HAVE_NETWORK
711.TP 685.TP
712\fB\-\-defaultgw=address 686\fB\-\-debug-whitelists\fR
713Use this address as default gateway in the new network namespace. 687Debug whitelisting.
714.br 688.br
715 689
716.br 690.br
717Example: 691Example:
718.br 692.br
719$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox 693$ firejail \-\-debug-whitelists firefox
720#endif 694#ifdef HAVE_NETWORK
721
722.TP 695.TP
723\fB\-\-deny=dirname_or_filename 696\fB\-\-defaultgw=address
724Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. 697Use this address as default gateway in the new network namespace.
725.br 698.br
726 699
727.br 700.br
728Example: 701Example:
729.br 702.br
730$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin 703$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
731.br 704#endif
732$ firejail \-\-deny=~/.mozilla
733.br
734$ firejail "\-\-deny=/home/username/My Virtual Machines"
735.br
736$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
737
738
739
740.TP 705.TP
741\fB\-\-deterministic-exit-code 706\fB\-\-deterministic-exit-code
742Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. 707Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
743.br 708.br
744.TP 709.TP
745\fB\-\-disable-mnt 710\fB\-\-disable-mnt
746Deny access to /mnt, /media, /run/mount and /run/media. 711Blacklist /mnt, /media, /run/mount and /run/media access.
747.br 712.br
748 713
749.br 714.br
@@ -987,7 +952,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
987 952
988.TP 953.TP
989\fB\-\-ipc-namespace 954\fB\-\-ipc-namespace
990Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default 955Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
991for sandboxes started as root. 956for sandboxes started as root.
992.br 957.br
993 958
@@ -1054,7 +1019,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
1054.br 1019.br
1055 1020
1056.br 1021.br
1057# verify IP addresses 1022# verify IP addresses
1058.br 1023.br
1059$ sudo firejail --join-network=browser ip addr 1024$ sudo firejail --join-network=browser ip addr
1060.br 1025.br
@@ -1511,16 +1476,12 @@ Example:
1511$ firejail --no3d firefox 1476$ firejail --no3d firefox
1512 1477
1513.TP 1478.TP
1514\fB\-\-noallow=dirname_or_filename
1515Disable \-\-allow for this directory or file.
1516
1517.TP
1518\fB\-\-noautopulse \fR(deprecated) 1479\fB\-\-noautopulse \fR(deprecated)
1519See --keep-config-pulse. 1480See --keep-config-pulse.
1520 1481
1521.TP 1482.TP
1522\fB\-\-nodeny=dirname_or_filename 1483\fB\-\-noblacklist=dirname_or_filename
1523Disable \-\-deny for this directory or file. 1484Disable blacklist for this directory or file.
1524.br 1485.br
1525 1486
1526.br 1487.br
@@ -1536,7 +1497,7 @@ $ exit
1536.br 1497.br
1537 1498
1538.br 1499.br
1539$ firejail --nodeny=/bin/nc 1500$ firejail --noblacklist=/bin/nc
1540.br 1501.br
1541$ nc dict.org 2628 1502$ nc dict.org 2628
1542.br 1503.br
@@ -1710,6 +1671,10 @@ $ firejail \-\-nou2f
1710Disable video devices. 1671Disable video devices.
1711.br 1672.br
1712 1673
1674.TP
1675\fB\-\-nowhitelist=dirname_or_filename
1676Disable whitelist for this directory or file.
1677
1713#ifdef HAVE_OUTPUT 1678#ifdef HAVE_OUTPUT
1714.TP 1679.TP
1715\fB\-\-output=logfile 1680\fB\-\-output=logfile
@@ -2174,7 +2139,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
2174.TP 2139.TP
2175\fB\-\-rlimit-cpu=number 2140\fB\-\-rlimit-cpu=number
2176Set the maximum limit, in seconds, for the amount of CPU time each 2141Set the maximum limit, in seconds, for the amount of CPU time each
2177sandboxed process can consume. When the limit is reached, the processes are killed. 2142sandboxed process can consume. When the limit is reached, the processes are killed.
2178 2143
2179The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds 2144The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
2180the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps 2145the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2218,7 +2183,7 @@ $ firejail \-\-net=eth0 \-\-scan
2218.TP 2183.TP
2219\fB\-\-seccomp 2184\fB\-\-seccomp
2220Enable seccomp filter and blacklist the syscalls in the default list, 2185Enable seccomp filter and blacklist the syscalls in the default list,
2221which is @default-nodebuggers unless \-\-allow-debuggers is specified, 2186which is @default-nodebuggers unless \-\-allow-debuggers is specified,
2222then it is @default. 2187then it is @default.
2223 2188
2224.br 2189.br
@@ -2232,6 +2197,11 @@ More information about groups can be found in /usr/share/doc/firejail/syscalls.t
2232.br 2197.br
2233 2198
2234.br 2199.br
2200The default list can be customized, see \-\-seccomp= for a description.
2201It can be customized also globally in /etc/firejail/firejail.config file.
2202.br
2203
2204.br
2235System architecture is strictly imposed only if flag 2205System architecture is strictly imposed only if flag
2236\-\-seccomp.block-secondary is used. The filter is applied at run time 2206\-\-seccomp.block-secondary is used. The filter is applied at run time
2237only if the correct architecture was detected. For the case of I386 2207only if the correct architecture was detected. For the case of I386
@@ -2246,11 +2216,7 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
2246Example: 2216Example:
2247.br 2217.br
2248$ firejail \-\-seccomp 2218$ firejail \-\-seccomp
2249.br
2250 2219
2251.br
2252The default list can be customized, see \-\-seccomp= for a description. It can be customized
2253also globally in /etc/firejail/firejail.config file.
2254 2220
2255.TP 2221.TP
2256\fB\-\-seccomp=syscall,@group,!syscall2 2222\fB\-\-seccomp=syscall,@group,!syscall2
@@ -2773,6 +2739,34 @@ Example:
2773.br 2739.br
2774$ firejail \-\-net=br0 --veth-name=if0 2740$ firejail \-\-net=br0 --veth-name=if0
2775#endif 2741#endif
2742.TP
2743\fB\-\-whitelist=dirname_or_filename
2744Whitelist directory or file. A temporary file system is mounted on the top directory, and the
2745whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
2746everything else is discarded when the sandbox is closed. The top directory can be
2747all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
2748all directories in /usr.
2749.br
2750
2751.br
2752Symbolic link handling: with the exception of user home, both the link and the real file should be in
2753the same top directory. For user home, both the link and the real file should be owned by the user.
2754.br
2755
2756.br
2757File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
2758.br
2759
2760.br
2761Example:
2762.br
2763$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
2764.br
2765$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
2766.br
2767$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
2768.br
2769$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
2776 2770
2777.TP 2771.TP
2778\fB\-\-writable-etc 2772\fB\-\-writable-etc
@@ -2877,7 +2871,7 @@ and it is installed by default on most Linux distributions. It provides support
2877connection model. Untrusted clients are restricted in certain ways to prevent them from reading window 2871connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
2878contents of other clients, stealing input events, etc. 2872contents of other clients, stealing input events, etc.
2879 2873
2880The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients 2874The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
2881and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. 2875and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
2882Firefox and transmission-gtk seem to be working fine. 2876Firefox and transmission-gtk seem to be working fine.
2883A network namespace is not required for this option. 2877A network namespace is not required for this option.
@@ -3268,7 +3262,7 @@ The owner of the sandbox.
3268.SH RESTRICTED SHELL 3262.SH RESTRICTED SHELL
3269To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in 3263To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
3270/etc/passwd file for each user that needs to be restricted. Alternatively, 3264/etc/passwd file for each user that needs to be restricted. Alternatively,
3271you can specify /usr/bin/firejail in adduser command: 3265you can specify /usr/bin/firejail in adduser command:
3272 3266
3273adduser \-\-shell /usr/bin/firejail username 3267adduser \-\-shell /usr/bin/firejail username
3274 3268
@@ -3278,7 +3272,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
3278Several command line options can be passed to the program using 3272Several command line options can be passed to the program using
3279profile files. Firejail chooses the profile file as follows: 3273profile files. Firejail chooses the profile file as follows:
3280 3274
32811. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. 32751. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
3282Example: 3276Example:
3283.PP 3277.PP
3284.RS 3278.RS
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 76b2f7be2..c4e6e15b3 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -56,7 +56,7 @@ Print route table for each sandbox.
56Print seccomp configuration for each sandbox. 56Print seccomp configuration for each sandbox.
57.TP 57.TP
58\fB\-\-top 58\fB\-\-top
59Monitor the most CPU-intensive sandboxes. This command is similar to 59Monitor the most CPU-intensive sandboxes. This command is similar to
60the regular UNIX top command, however it applies only to sandboxes. 60the regular UNIX top command, however it applies only to sandboxes.
61.TP 61.TP
62\fB\-\-tree 62\fB\-\-tree
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
index 93bb3f73d..beff93199 100644
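--- a/src/tools/profcleaner.c
+++ b/src/tools/profcleaner.c
@@ -72,4 +72,4 @@ int main(int argc, char **argv) {
  }
 
  return 0;
-}
\ No newline at end of file
+}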
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 666dfd4c2..c7f6ee3f1 100644
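--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -218,7 +218,7 @@ _firejail_args=(
  '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
  '--netfilter6=-[enable IPv6 firewall]: :'
  '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
- '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+ '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :'
  '--netns=-[Run the program in a named, persistent network namespace]: :'
  '--netstats[monitor network statistics]'
  '--interface=-[move interface in sandbox]: :'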
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 152975c9d..1e1dd549b 100755
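--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)"
 echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
 ./rlimit-profile.exp
 
+echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
+./rlimit-join.exp
+
 echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 ./rlimit-bad.exp
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
 
-echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
 ./deterministic-exit-code.exp
 
-echo "TESTING: retain umask (test/environment/umask.exp"
+echo "TESTING: retain umask (test/environment/umask.exp)"
 (umask 123 && ./umask.exp)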
diff --git a/test/environment/rlimit-join.exp b/test/environment/rlimit-join.exp
new file mode 100755
index 000000000..aa8a203c0
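--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Switching to pid"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Max open files 1234 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"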
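Review bot: The first sandbox is never shut down explicitly: the second `spawn $env(SHELL)` on line 18 replaces `spawn_id`, so the `exit` sent on line 33 reaches only the joined shell, and the sandbox named "rlimit testing" is left to whatever teardown happens when the script ends. Saving the handle with `set sandbox_id $spawn_id` right after the first spawn and adding `send -i $sandbox_id -- "exit\r"` before the final `puts` would end it deterministically, so a later test that reuses the name cannot join a stale sandbox. The test also asserts the limit only inside the joined process. If `--rlimit-nofile` on `--join` is meant to apply to that process alone, a matching `cat /proc/self/limits` check in the first shell would pin that scope down.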
diff --git a/test/utils/build.exp b/test/utils/build.exp
index 104ac037c..b9733c137 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -13,7 +13,7 @@ after 100
13send -- "firejail --build cat ~/_firejail-test-file\r" 13send -- "firejail --build cat ~/_firejail-test-file\r"
14expect { 14expect {
15 timeout {puts "TESTING ERROR 0\n";exit} 15 timeout {puts "TESTING ERROR 0\n";exit}
16 "allow $\{HOME\}/_firejail-test-file" 16 "whitelist $\{HOME\}/_firejail-test-file"
17} 17}
18expect { 18expect {
19 timeout {puts "TESTING ERROR 1\n";exit} 19 timeout {puts "TESTING ERROR 1\n";exit}