18 files changed, 106 insertions, 6 deletions

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 55aabbc73..14f7d8cf7 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
 blacklist ${RUNUSER}/gnome-shell
 blacklist ${RUNUSER}/gsconnect
 
+# i3 IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/i3/ipc-socket.*
+blacklist /tmp/i3-*/ipc-socket.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index f638e1d97..d2f8b8cfa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -259,6 +259,7 @@ blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/1Password
 blacklist ${HOME}/.config/2048-qt
+blacklist ${HOME}/.config/ArmCord
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Authenticator
@@ -1250,11 +1251,13 @@ blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
+blacklist ${RUNUSER}/i3
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
diff --git a/etc/profile-a-l/armcord.profile b/etc/profile-a-l/armcord.profile
new file mode 100644
index 000000000..470e0dee0
--- /dev/null
+++ b/etc/profile-a-l/armcord.profile
@@ -0,0 +1,40 @@
+# Firejail profile for armcord
+# Description: Standalone Discord client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include armcord.local
+# Persistent global definitions
+include globals.local
+
+# Modules might depend on nodejs.
+# Add the below lines to your armcord.local if you need this.
+# Allow node (disabled by disable-interpreters.inc)
+#include allow-nodejs.inc
+#private-bin node
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+noblacklist ${HOME}/.config/ArmCord
+
+mkdir ${HOME}/.config/ArmCord
+whitelist ${HOME}/.config/ArmCord
+whitelist /opt/armcord
+whitelist /usr/share/armcord
+
+ignore novideo
+private-bin armcord
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
+ignore dbus-user none
+
+join-or-start armcord
+
+# Redirect
+include electron-common.profile
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index 2268072ef..412e31762 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
+noblacklist ${RUNUSER}/i3
+noblacklist ${RUNUSER}/i3/ipc-socket.*
+noblacklist /tmp/i3-*
+noblacklist /tmp/i3-*/ipc-socket.*
 include disable-common.inc
 
 caps.drop all
diff --git a/src/fids/main.c b/src/fids/main.c
index 92b6468f3..415694f1e 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
         }
         else {
                 content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-                close(fd);
                 mmapped = 1;
         }
+        close(fd);
 
         unsigned char checksum[KEY_SIZE / 8];
         blake2b(checksum, sizeof(checksum), content, size);
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 1895e437b..8c21757ab 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) {
 
                 if (stat(outname, &sb) == 0) {
                         printf("   %s skipped: file exists\n", filename);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
@@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) {
                 FILE *fpin = fopen(filename, "r");
                 if (!fpin) {
                         fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
@@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) {
                 if (!fpout) {
                         fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
                         fclose(fpin);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index b6eb06d65..8d0a30521 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -63,6 +63,7 @@ arduino
 aria2c
 ark
 arm
+armcord
 artha
 assogiate
 asunder
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index db130afd3..cbfcc90ed 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) {
 
                 fclose(fp);
         }
+
+        free(fname);
 }
 
 static void write_bandwidth_file(pid_t pid) {
@@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) {
                         ptr = ptr->next;
                 }
                 fclose(fp);
+                free(fname);
         }
         else
                 goto errout;
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 7c3f3835b..9d9832c15 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -67,8 +67,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
@@ -91,8 +93,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
@@ -115,8 +119,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 40bbe6d02..0759a205d 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -42,6 +42,7 @@ static void ids_init(void) {
         if (dup(fd) != STDOUT_FILENO)
                 errExit("dup");
         close(fd);
+        free(fname);
 
         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
 }
@@ -63,6 +64,7 @@ static void ids_check(void) {
         if (dup(fd) != STDIN_FILENO)
                 errExit("dup");
         close(fd);
+        free(fname);
 
         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
 }
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index cb078b580..4bd0ba459 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {
         // mode and ownership
         SET_PERMS_STREAM(fp, 0, 0, 0644);
         fclose(fp);
+        free(fname);
 }
 
 
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {
         // mode and ownership
         SET_PERMS_STREAM(fp, 0, 0, 0644);
         fclose(fp);
+        free(fname);
 }
 
 void set_profile_run_file(pid_t pid, const char *fname) {
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 323133f8d..5d7c244b1 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {
                 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
                 exit(1);
         }
+        free(name);
 
         // join the namespace
         EUID_ROOT();
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 39dc38ec9..e70174b1e 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) {
         struct stat s;
         if (stat(name, &s) == -1) {
                 // the sandbox doesn't have a --net= option, don't print
+                free(name);
                 if (cmd)
                         free(cmd);
                 return;
         }
+        free(name);
 
         // pid
         char pidstr[11];
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
index 50c51839b..5fbcb5a15 100644
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -80,10 +80,13 @@ void access_setup(const char *directory) {
         FILE *fp = fopen(test_file, "w");
         if (!fp) {
                 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                free(test_file);
+                free(path);
                 return;
         }
         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
         fclose(fp);
+        free(path);
         int rv = chown(test_file, user_uid, user_gid);
         if (rv)
                 errExit("chown");
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 37234c648..e5657135d 100644
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -55,6 +55,7 @@ void noexec_setup(void) {
                         execfile_len = s.st_size;
                         close(fd);
                 }
+                free(self);
         }
 }
 
@@ -110,4 +111,5 @@ void noexec_test(const char *path) {
         wait(&status);
         int rv = unlink(fname);
         (void) rv;
+        free(fname);
 }
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c
index d4bfd1923..348efc784 100644
--- a/src/jailcheck/virtual.c
+++ b/src/jailcheck/virtual.c
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {
         FILE *fp = fopen(test_file, "w");
         if (!fp) {
                 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                free(test_file);
                 return;
         }
         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 87bd6fcc2..fa2329d67 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -95,7 +95,12 @@ $ firejail [OPTIONS]                # starting the program specified in $SHELL,
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
 # sudo firejail [OPTIONS] /etc/init.d/nginx start
-
+.PP
+When an option is specified multiple times (whether in a profile, on the
+command line, or both) or conflicts with a related option, the
+precedence/behavior is option-specific and usually documented in the
+\fBOPTIONS\fR section below. Note that an option specified in a profile can
+generally be disabled on the command line using \fB--ignore\fR.
 .SH OPTIONS
 .TP
 \fB\-\-
@@ -1729,6 +1734,16 @@ See --keep-config-pulse.
 Disable blacklist for this directory or file.
 .br
 
+Note that blacklist entries containing ${PATH} can not currently be partially
+disabled for individual expanded paths. Only the whole unexpanded path
+including ${PATH} can be disabled, which then applies to all expansions.
+This limitation does not apply to expansions of other variables or wildcards.
+For details, see
+.UR https://github.com/netblue30/firejail/issues/6360
+#6360
+.UE
+.br
+
 .br
 Example:
 .br
@@ -1744,6 +1759,14 @@ $ exit
 .br
 $ firejail --noblacklist=/bin/nc
 .br
+bash: /bin/nc: Permission denied
+.br
+$ exit
+.br
+
+.br
+$ firejail --noblacklist='${PATH}/nc'
+.br
 $ nc dict.org 2628
 .br
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
diff --git a/src/profstats/main.c b/src/profstats/main.c
index ad27bfe79..10eee3c4b 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -344,7 +344,7 @@ int main(int argc, char **argv) {
                 if (cnt_seccomp > (seccomp + 1))
                         cnt_seccomp = seccomp + 1;
                 if (cnt_restrict_namespaces > (restrict_namespaces + 1))
-                        cnt_seccomp = restrict_namespaces + 1;
+                        cnt_restrict_namespaces = restrict_namespaces + 1;
                 if (cnt_dbus_user_none > (dbususernone + 1))
                         cnt_dbus_user_none = dbususernone + 1;
                 if (cnt_dbus_user_filter > (dbususerfilter + 1))