6 files changed, 36 insertions, 11 deletions

diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 349f92525..307b0c37c 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -161,7 +161,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2
+      uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
       with:
         languages: cpp
 
@@ -172,4 +172,4 @@ jobs:
       run: make -j "$(nproc)"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2
+      uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 507b975af..43d139c9f 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -51,9 +51,9 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2
+      uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
       with:
         languages: python
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2
+      uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index 1efd1e8f9..85f72f478 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -10,11 +10,16 @@ include mov-cli.local
 
 noblacklist ${HOME}/.config/mov-cli
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-proc.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/mov-cli
 whitelist ${HOME}/.config/mov-cli
+whitelist ${DOWNLOADS}
+whitelist /usr/share/nano
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 
@@ -24,9 +29,9 @@ noprinters
 notv
 
 disable-mnt
-private-bin ffmpeg,fzf,mov-cli
+private-bin fzf,mov-cli,nano,sh,uname
 #private-cache
-private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nanorc,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 
 # Redirect
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4e018476e..b8ec4d474 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -966,10 +966,8 @@ void run_ids(int argc, char **argv);
 void oom_set(const char *oom_string);
 
 // landlock.c
-#ifdef HAVE_LANDLOCK
 int ll_get_fd(void);
 int ll_restrict(uint32_t flags);
 void ll_add_profile(int type, const char *data);
-#endif /* HAVE_LANDLOCK */
 
 #endif
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 453ad8f10..a360f155b 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_LANDLOCK
 #include "firejail.h"
 #include <linux/landlock.h>
 #include <sys/prctl.h>
@@ -27,6 +26,8 @@
 #include <errno.h>
 #include <fcntl.h>
 
+#ifdef HAVE_LANDLOCK
+
 static int ll_ruleset_fd = -1;
 static int ll_abi = -1;
 
@@ -294,4 +295,21 @@ void ll_add_profile(int type, const char *data) {
         ptr->next = entry;
 }
 
+#else
+
+int ll_get_fd(void) {
+        return -1;
+}
+
+int ll_restrict(uint32_t flags) {
+        (void) flags;
+
+        return 0;
+}
+
+void ll_add_profile(int type, const char *data) {
+        (void) type;
+        (void) data;
+}
+
 #endif /* HAVE_LANDLOCK */
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4e0b17a8c..4c6830250 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1073,7 +1073,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
-#ifdef HAVE_LANDLOCK
+//#ifdef HAVE_LANDLOCK
+// landlock-common.inc is included by default.profile, so the entries of the
+// former should be processed or ignored instead of aborting.
+// Note that all landlock functions are empty when building without landlock
+// support.
         if (strncmp(ptr, "landlock.enforce", 16) == 0) {
                 arg_landlock_enforce = 1;
                 return 0;
@@ -1098,7 +1102,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 ll_add_profile(LL_FS_EXEC, ptr + 20);
                 return 0;
         }
-#endif
+//#endif
 
         // memory deny write&execute
         if (strcmp(ptr, "memory-deny-write-execute") == 0) {