9 files changed, 68 insertions, 58 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 71791c000..57ac2e9c4 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,10 +1,10 @@
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
-If you make a PR for new profiles or changeing profiles please do the following:
+If you submit a PR for new profiles or changing profiles, please do the following:
- - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
+ - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
-   > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
+   > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
- - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
+ - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
 The path to it depends on your distro:
   | Distro | Path |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 5fe043b14..7a37c9fb4 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/neomutt
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsboat
 blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
@@ -703,6 +704,8 @@ blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
 blacklist ${HOME}/.local/share/news-flash
+blacklist ${HOME}/.local/share/newsbeuter
+blacklist ${HOME}/.local/share/newsboat
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index 85581a2f0..6efb19502 100644
--- a/etc/profile-m-z/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -7,13 +7,23 @@ include newsbeuter.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.config/newsbeuter
+ignore include newsboat.local
-noblacklist ${HOME}/.newsbeuter
+ignore mkdir ${HOME}/.config/newsboat
+ignore mkdir ${HOME}/.local/share/newsboat
+ignore mkdir ${HOME}/.newsboat
+blacklist ${PATH}/newsboat
+blacklist ${HOME}/.config/newsboat
+blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.newsboat
+nowhitelist ${HOME}/.config/newsboat
+nowhitelist ${HOME}/.local/share/newsboat
+nowhitelist ${HOME}/.newsboat
 mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.local/share/newsbeuter
 mkdir ${HOME}/.newsbeuter
-whitelist ${HOME}/.config/newsbeuter
-whitelist ${HOME}/.newsbeuter
 private-bin newsbeuter
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 85b780ced..23c2de43c 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -6,6 +6,11 @@ include newsboat.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.config/newsboat
+noblacklist ${HOME}/.local/share/newsbeuter
+noblacklist ${HOME}/.local/share/newsboat
+noblacklist ${HOME}/.newsbeuter
 noblacklist ${HOME}/.newsboat
 include disable-common.inc
@@ -16,7 +21,14 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/newsboat
+mkdir ${HOME}/.local/share/newsboat
 mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsbeuter
+whitelist ${HOME}/.local/share/newsboat
+whitelist ${HOME}/.newsbeuter
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -38,7 +50,7 @@ seccomp
 shell none
 disable-mnt
-private-bin gzip,lynx,newsboat,sh
+private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 17d7f55b2..065245a63 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -1,5 +1,5 @@
 # Firejail profile for PROGRAM_NAME
-# Description: DESCRIPTION
+# Description: DESCRIPTION OF THE PROGRAM
 # This file is overwritten after every install/update
 # --- CUT HERE ---
 # This is a generic template to help you create profiles.
@@ -10,8 +10,8 @@
 #  - lines with two ## are only needed in special situations
 #  - make the profile as restrictive as possible while still keeping the program useful
 #    (e.g. a program that is unable to save user's work is considered bad practice)
-#  - dedicate ample time (based on the complexity of the application) to profile testing before raising
+#  - dedicate ample time (based on the complexity of the application) to profile testing before
-#    a pull request
+#    submitting a pull request
 #  - keep the sections structure, use a single empty line as separator
 #  - entries within sections are alphabetically sorted
 #  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
@@ -203,7 +203,7 @@ include globals.local
 #  - Some features like native notifications are implemented as portal too.
 #  - In order to make dconf work (when used by the app) you need to allow
 #    'ca.desrt.dconf' even when not allowed by flatpak.
-# Notes and Policiy about addresses can be found at
+# Notes and policies about addresses can be found at
 # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
 #dbus-user filter
 #dbus-user.own com.github.netblue30.firejail
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index fe79daa70..8b7e49611 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
                                }
                        }
                        fs_tmpfs(fname, getuid());
+                        selinux_relabel_path(fname, fname);
                        last_disable = SUCCESSFUL;
                }
                else
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 2c5ea8be0..46f32d7ad 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -31,7 +31,7 @@
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
                        if (chown(homedir, u, g) < 0)
                                errExit("chown");
-                        selinux_relabel_path(homedir, homedir);
                        fs_logger2("mkdir", homedir);
                        fs_logger2("tmpfs", homedir);
                }
@@ -392,6 +391,8 @@ void fs_private(void) {
                        // mask user home directory
                        // the directory should be owned by the current user
                        fs_tmpfs(homedir, 1);
+                selinux_relabel_path(homedir, homedir);
        }
        skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
        // create /run/firejail/mnt/home directory
        mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-        selinux_relabel_path(RUN_HOME_DIR, "/home");
+        selinux_relabel_path(RUN_HOME_DIR, homedir);
        fs_logger_print();      // save the current log
        if (arg_debug)
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 0dfd9ca1c..a0ca4c02c 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -72,7 +72,7 @@ static void sanitize_home(void) {
        if (arg_debug)
                printf("Cleaning /home directory\n");
-        // keep a copy of the user home directory
+        // open user home directory in order to keep it around
        int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
                goto errout;
@@ -82,47 +82,38 @@ static void sanitize_home(void) {
                close(fd);
                goto errout;
        }
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
-                errExit("mkdir");
-        if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        free(proc);
-        close(fd);
-        // mount tmpfs in the new home
+        // mount tmpfs on /home
        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
        selinux_relabel_path("/home", "/home");
        fs_logger("tmpfs /home");
-        // create user home directory
+        // create new user home directory
        if (mkdir(cfg.homedir, 0755) == -1) {
-                if (mkpath_as_root(cfg.homedir))
+                if (mkpath_as_root(cfg.homedir) == -1)
                        errExit("mkpath");
                if (mkdir(cfg.homedir, 0755) == -1)
                        errExit("mkdir");
-                selinux_relabel_path(cfg.homedir, cfg.homedir);
        }
        fs_logger2("mkdir", cfg.homedir);
        // set mode and ownership
        if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
                errExit("set_perms");
+        selinux_relabel_path(cfg.homedir, cfg.homedir);
-        // mount user home directory
+        // bring back real user home directory
-        if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
-        // mask home dir under /run
-        if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mount tmpfs");
-        fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
        if (!arg_private)
                fs_logger2("whitelist", cfg.homedir);
        return;
 errout:
@@ -137,22 +128,15 @@ static void sanitize_run(void) {
        if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
                errExit("asprintf");
-        struct stat s;
+        // open /run/user/$UID directory in order to keep it around
-        if (stat(runuser, &s) == -1) {
+        int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                // cannot find /user/run/$UID directory, just return
+        if (fd == -1) {
                if (arg_debug)
-                        printf("Cannot find %s directory\n", runuser);
+                        printf("Cannot open %s directory\n", runuser);
                free(runuser);
                return;
        }
-        if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
-                errExit("mkdir");
-        // keep a copy of the /run/user/$UID directory
-        if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
        // mount tmpfs on /run/user
        if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
@@ -162,22 +146,23 @@ static void sanitize_run(void) {
        // create new user directory
        if (mkdir(runuser, 0700) == -1)
                errExit("mkdir");
-        selinux_relabel_path(runuser, runuser);
        fs_logger2("mkdir", runuser);
        // set mode and ownership
        if (set_perms(runuser, getuid(), getgid(), 0700))
                errExit("set_perms");
+        selinux_relabel_path(runuser, runuser);
-        // mount /run/user/$UID directory
+        // bring back real run/user/$UID directory
-        if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
-        // mask mirrored /run/user/$UID directory
+        fs_logger2("whitelist", runuser);
-        if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mount tmpfs");
-        fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
        free(runuser);
 }
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 5749c66e4..d14f6782f 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -84,8 +84,6 @@
 #define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
 #define RUN_WHITELIST_X11_DIR           RUN_MNT_DIR "/orig-x11"
-#define RUN_WHITELIST_HOME_DIR          RUN_MNT_DIR "/orig-home"                // default home directory masking
-#define RUN_WHITELIST_RUN_DIR           RUN_MNT_DIR "/orig-run"         // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR     RUN_MNT_DIR "/orig-home-user"           // home directory whitelisting
 #define RUN_WHITELIST_RUN_USER_DIR      RUN_MNT_DIR "/orig-run-user"            // run directory whitelisting
 #define RUN_WHITELIST_TMP_DIR           RUN_MNT_DIR "/orig-tmp"