14 files changed, 124 insertions, 53 deletions

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cc0c69df2..cbc8ef6d2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -139,6 +139,7 @@ blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
+blacklist ${HOME}/.config/RogueLegacyStorageContainer
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.config/Slack
@@ -616,7 +617,8 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/RogueLegacy*
+blacklist ${HOME}/.local/share/RogueLegacy
+blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SteamWorldDig
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index b2ed3b030..2c7fdc812 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 whitelist ${MUSIC}
 whitelist ${DOWNLOADS}
 whitelist /usr/share/audio-recorder
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -44,7 +45,11 @@ tracelog
 disable-mnt
 # private-bin audio-recorder
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index b583f1a1d..b83e626d9 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
 ignore dbus-system none
 
 ignore noexec ${HOME}
+ignore novideo
 
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index cefba93d4..b22a78458 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,6 +6,14 @@ include firefox.local
 # Persistent global definitions
 include globals.local
 
+# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# interested in creating custom profiles depending on use case (e.g. one for
+# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
+# info. Here are a few links to get you going.
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
+# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 6fb0d4b5f..bab2badb5 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -16,9 +16,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/com.github.artemanufrij.regextester
-include whitelist-usr-share-common.inc
-
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -48,11 +47,9 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
-
-memory-deny-write-execute
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
 
 # never write anything
 read-only ${HOME}
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 0bcbe6da2..922823f98 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
+noblacklist ${HOME}/.config/RogueLegacyStorageContainer
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/IntoTheBreach
 noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/PillarsOfEternity
-noblacklist ${HOME}/.local/share/RogueLegacy*
+noblacklist ${HOME}/.local/share/RogueLegacy
+noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SteamWorldDig
 noblacklist ${HOME}/.local/share/SteamWorld Dig 2
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive
 mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/PillarsOfEternity
-mkdir ${HOME}/.local/share/RogueLegacy*
+mkdir ${HOME}/.local/share/RogueLegacy
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SteamWorldDig
 mkdir ${HOME}/.local/share/SteamWorld Dig 2
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
+whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive
 whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/PillarsOfEternity
-whitelist ${HOME}/.local/share/RogueLegacy*
+whitelist ${HOME}/.local/share/RogueLegacy
+whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SteamWorldDig
 whitelist ${HOME}/.local/share/SteamWorld Dig 2
@@ -115,6 +119,14 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+# Note: The following were intentionally left out as they are alternative
+# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
+# clobber other paths (see #4225).  If you use any, either add the entry to
+# steam.local or move the contents to a path listed above (or open an issue if
+# it's missing above).
+#mkdir ${HOME}/.config/RogueLegacyStorageContainer
+#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer
+
 caps.drop all
 #ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 78cb2862c..d9d1cd393 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,7 +19,7 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist /usr/share/gstreamer
+whitelist /usr/share/gstreamer-*
 whitelist /usr/share/xfce4
 whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 96bd351f3..431aebee6 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) {
                         ptr = ptr->next;
                 }
                 fprintf(fp, "\n");
-                fprintf(fp, "# private-lib\n");
+                fprintf(fp, "#private-lib\n");
         }
 }
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 495f71ab8..ac0cd455a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) {
         // skip strace file
         if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
                 return;
+        if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
+                return;
+        if (strcmp(ptr, "/tmp") == 0)
+                return;
 
         tmp_out = filedb_add(tmp_out, ptr);
 }
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) {
         if (tmp_out == NULL)
                 fprintf(fp, "private-tmp\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-tmp\n");
+                fprintf(fp, "#private-tmp\n");
                 fprintf(fp, "# File accessed in /tmp directory:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = tmp_out;
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) {
         if (dev_out == NULL)
                 fprintf(fp, "private-dev\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-dev\n");
-                fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+                fprintf(fp, "#private-dev\n");
+                fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = dev_out;
                 while (ptr) {
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 683009b71..d7706282a 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) {
                 }
 
                 // skip files and directories in whitelist-common.inc
-                if (filedb_find(db_skip, toadd)) {
+                if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
                         if (dir)
                                 free(dir);
                         continue;
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 96a83954d..0c1b57384 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
                 fprintf(fp, "### basic blacklisting\n");
                 fprintf(fp, "include disable-common.inc\n");
-                fprintf(fp, "# include disable-devel.inc\n");
-                fprintf(fp, "# include disable-exec.inc\n");
-                fprintf(fp, "# include disable-interpreters.inc\n");
+                fprintf(fp, "#include disable-devel.inc\n");
+                fprintf(fp, "#include disable-exec.inc\n");
+                fprintf(fp, "#include disable-interpreters.inc\n");
                 fprintf(fp, "include disable-passwdmgr.inc\n");
-                fprintf(fp, "# include disable-programs.inc\n");
-                fprintf(fp, "# include disable-xdg.inc\n");
+                fprintf(fp, "#include disable-programs.inc\n");
+                fprintf(fp, "#include disable-xdg.inc\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### home directory whitelisting\n");
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### filesystem\n");
-                fprintf(fp, "# /usr/share:\n");
+                fprintf(fp, "### /usr/share:\n");
                 build_share(trace_output, fp);
-                fprintf(fp, "# /var:\n");
+                fprintf(fp, "### /var:\n");
                 build_var(trace_output, fp);
-                fprintf(fp, "\n");
-                fprintf(fp, "# $PATH:\n");
+                fprintf(fp, "### /bin:\n");
                 build_bin(trace_output, fp);
-                fprintf(fp, "# /dev:\n");
+                fprintf(fp, "### /dev:\n");
                 build_dev(trace_output, fp);
-                fprintf(fp, "# /etc:\n");
+                fprintf(fp, "### /etc:\n");
                 build_etc(trace_output, fp);
-                fprintf(fp, "# /tmp:\n");
+                fprintf(fp, "### /tmp:\n");
                 build_tmp(trace_output, fp);
                 fprintf(fp, "\n");
 
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index abec25d45..8cb25a1ff 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -76,6 +76,44 @@ void fs_machineid(void) {
         }
 }
 
+// Duplicate directory structure from src to dst by creating empty directories.
+// The paths _must_ be identical after their respective prefixes.
+// When finished, dst will point to the target directory. That is, if
+// it starts out pointing to a file, it will instead be truncated so
+// that it contains the parent directory instead.
+static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) {
+        char *p = src + src_prefix_len + 1;
+        char *q = dst + dst_prefix_len + 1;
+        char *r = dst + dst_prefix_len;
+        struct stat s;
+        bool last = false;
+        *r = '\0';
+        for (; !last; p++, q++) {
+                if (*p == '\0') {
+                        last = true;
+                }
+                if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) {
+                        // We found a new component of our src path.
+                        // Null-terminate it temporarily here so that we can work
+                        // with it.
+                        *p = '\0';
+                        if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
+                                // Null-terminate the dst path and undo its previous
+                                // termination.
+                                *q = '\0';
+                                *r = '/';
+                                r = q;
+                                create_empty_dir_as_root(dst, s.st_mode);
+                        }
+                        if (!last) {
+                                // If we're not at the final terminating null, restore
+                                // the slash so that we can continue our traversal.
+                                *p = '/';
+                        }
+                }
+        }
+}
+
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
         assert(fname);
@@ -103,7 +141,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         assert(fname);
 
-        if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) {
+        if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
@@ -119,21 +157,16 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
         }
 
         if (arg_debug)
-                printf("copying %s to private %s\n", src, private_dir);
+                printf("Copying %s to private %s\n", src, private_dir);
 
-        struct stat s;
-        if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
-                // create the directory in RUN_ETC_DIR
-                char *dirname;
-                if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1)
-                        errExit("asprintf");
-                create_empty_dir_as_root(dirname, s.st_mode);
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
-                free(dirname);
-        }
-        else
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
+        char *dst;
+        if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1)
+                errExit("asprintf");
+
+        build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
+        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
 
+        free(dst);
         fs_logger2("clone", src);
         free(src);
 }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ee685da73..2bb57cee2 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -295,7 +295,9 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /etc directory.
+the /etc directory, and must not contain the / character
+(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 #ifdef HAVE_PRIVATE_HOME
 .TP
@@ -319,14 +321,18 @@ This feature is still under development, see \fBman 1 firejail\fR for some examp
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /opt directory.
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-srv file,directory
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /srv directory.
+the /srv directory, and must not contain the / character
+(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f27379a2d..1ee7ab1f1 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1883,7 +1883,9 @@ $
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /etc directory.
+the /etc directory, and must not contain the / character
+(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
+expressed as foo/bar -- is disallowed).
 If no listed file is found, /etc directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1893,7 +1895,7 @@ Example:
 .br
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
-nsswitch.conf,passwd,resolv.conf,default/motd-news
+nsswitch.conf,passwd,resolv.conf
 #ifdef HAVE_PRIVATE_HOME
 .TP
 \fB\-\-private-home=file,directory
@@ -1968,7 +1970,9 @@ $
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /opt directory.
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 If no listed file is found, /opt directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1983,7 +1987,9 @@ $ firejail --private-opt=firefox /opt/firefox/firefox
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /srv directory.
+the /srv directory, and must not contain the / character
+(e.g., /opt/srv must be expressed as foo, but /srv/foo/bar --
+expressed as srv/bar -- is disallowed).
 If no listed file is found, /srv directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br