16 files changed, 106 insertions, 12 deletions

diff --git a/Makefile.in b/Makefile.in
index 34daed387..edcf09225 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -184,6 +184,9 @@ realinstall:
         install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
         rm -fr .etc
diff --git a/README b/README
index dd0c5a5b1..390fbb84f 100644
--- a/README
+++ b/README
@@ -25,6 +25,11 @@ Reiner Herrmann
         - clang-analyzer fixes
         - Debian reproducible build
         - unit testing framework
+KellerFuchs (https://github.com/KellerFuchs)
+        - nonewpriv support
+ValdikSS (https://github.com/ValdikSS)
+        - Psi+, Corebird, Konversation profiles
+        - various profile fixes
 avoidr (https://github.com/avoidr)
         - whitelist fix
         - recently-used.xbel fix
diff --git a/README.md b/README.md
index 6f05a010f..2d5f472ea 100644
--- a/README.md
+++ b/README.md
@@ -197,9 +197,9 @@ The following features can be enabled or disabled:
        restricted-network
               Enable  or disable restricted network support, default disabled.
               If enabled, networking features should also be enabled  (network
-              yes).   Restricted  networking  grants access to --interface and
-              --net=ethXXX only to root user. Regular users are  only  allowed
-              --net=none.
+              yes).  Restricted networking  grants access to --interface,
+              --net=ethXXX and --netfilter only to root user.  Regular users
+                          are only allowed --net=none.  Default disabled
 
        secomp Enable or disable seccomp support, default enabled.
 
@@ -290,6 +290,6 @@ $ man firejail-profile
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
 OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
 Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss,
-cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber
+cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation
 
 
diff --git a/RELNOTES b/RELNOTES
index e87cc9637..b791048e7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -24,7 +24,7 @@ firejail (0.9.40) baseline; urgency=low
   * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
   * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
   * new profiles: generic Ubuntu snap application profile, xplayer
-  * new profiles: xreader, xviewer, mcabber
+  * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
   * generic.profile renamed default.profile
   * build rpm packages using "make rpms"
   * bugfixes
diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..f3f73a44f
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 479f32cb1..a61f1b210 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -93,6 +93,7 @@ read-only ${HOME}/bin
 
 # top secret
 blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 307ccaf6c..3474a6592 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -112,3 +112,4 @@ blacklist ${HOME}/.local/share/wesnoth
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
diff --git a/etc/firejail.config b/etc/firejail.config
index caaeb6792..55d2faa9f 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -17,8 +17,8 @@
 
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
-# only to root user. Regular users are only allowed --net=none.
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
 # Enable or disable seccomp support, default enabled.
diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..d10decb8f
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,12 @@
+# Firejail konversation profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..8194da74f
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Psi+
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9d5ef3d96..b3a1a1d30 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
 # common whitelist for all profiles
 
+whitelist ~/.XCompose
 whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 8cf8f165c..eff859cc5 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -98,3 +98,6 @@
 /etc/firejail/xreader.profile
 /etc/firejail/xviewer.profile
 /etc/firejail/mcabber.profile
+/etc/firejail/corebird.profile
+/etc/firejail/konversation.profile
+/etc/firejail/psi-plus.profile
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 4fdbe1897..3ea8caf5b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -47,7 +47,7 @@ int checkcfg(int val) {
 
                 FILE *fp = fopen(fname, "r");
                 if (!fp) {
-                        fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
+                        fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
                         exit(1);
                 }
                 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2f4a78d4b..955bd36bf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -806,7 +806,7 @@ int main(int argc, char **argv) {
                 }
         }
         
-        // is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
         if (*argv[0] == '-' || parent_sshd) {
                 fullargc = restricted_shell(cfg.username);
                 if (fullargc) {
@@ -825,6 +825,11 @@ int main(int argc, char **argv) {
                 check_user(argc, argv); // the function will not return if --user option was found
         }
         
+        
+        // check for force-nonewprivs in /etc/firejail/firejail.config file
+        if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))
+                arg_nonewprivs = 1;
+        
         // parse arguments
         for (i = 1; i < argc; i++) {
                 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -1679,6 +1684,18 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter = 1;
                         }
@@ -1689,6 +1706,18 @@ int main(int argc, char **argv) {
                 }
 
                 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter = 1;
                                 arg_netfilter_file = argv[i] + 12;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6133a610d..843c1efe5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -750,7 +750,7 @@ int sandbox(void* sandbox_arg) {
         //****************************************
         // Set NO_NEW_PRIVS if desired
         //****************************************
-        if (arg_nonewprivs || checkcfg(CFG_FORCE_NONEWPRIVS)) {
+        if (arg_nonewprivs) {
                 int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
                 if(no_new_privs != 0)
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index dcede2ec6..026765f1a 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -33,8 +33,8 @@ Enable or disable networking features, default enabled.
 \fBrestricted-network
 Enable or disable restricted network support, default disabled. If enabled,
 networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
-only to root user. Regular users are only allowed --net=none.
+Restricted networking grants access to --interface, --net=ethXXX and
+\-\-netfilter only to root user. Regular users are only allowed --net=none.
 
 .TP
 \fBsecomp