23 files changed, 193 insertions, 65 deletions
diff --git a/README b/README
index 25d1d728f..48086cca7 100644
--- a/README
+++ b/README
@@ -387,6 +387,7 @@ SpotComms (https://github.com/SpotComms)
        - fixed wget profile
        - fixed firecfg.config file
        - added novideo and disable-mnt support in all profile files
+    - added Peek and silent profiles
 SYN-cook (https://github.com/SYN-cook)
        - keepass/keepassx browser fixes
        - disable-common.inc fixes
diff --git a/README.md b/README.md
index 517aee81d..6ee336a09 100644
--- a/README.md
+++ b/README.md
@@ -107,5 +107,5 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 ## New profiles:
-curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea
+curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy
diff --git a/RELNOTES b/RELNOTES
index 5310b0ae5..31de5c96d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,7 +2,7 @@ firejail (0.9.49) baseline; urgency=low
  * work in progress!
  * feature: per-profile disable-mnt
  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
-  * new profiles: Geary, Liferea
+  * new profiles: Geary, Liferea, peek, silentarmy
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 655a44a04..d7ad242bc 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -387,6 +387,7 @@ blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/simple-scan
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index deace7898..4a5503944 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -8,8 +8,8 @@ include /etc/firejail/keepassxc.local
 # Firejail profile for KeepassXC
 noblacklist ${HOME}/.config/keepassxc
 noblacklist ${HOME}/.keepassxc
-noblacklist ${HOME}/.*kdbx
+noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.*kdb
+noblacklist ${HOME}/*.kdb
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/peek.profile b/etc/peek.profile
new file mode 100644
index 000000000..bac3e0a99
--- /dev/null
+++ b/etc/peek.profile
@@ -0,0 +1,33 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/peek.local
+# Firejail profile for Peek
+noblacklist ${HOME}/.cache/peek
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix
+seccomp
+shell none
+#private-bin peek,convert,ffmpeg
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile
new file mode 100644
index 000000000..bcad82b5d
--- /dev/null
+++ b/etc/silentarmy.profile
@@ -0,0 +1,33 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/silentarmy.local
+# Firejail profile for SILENTARMY
+include /etc/firejail/disable-common.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private
+#private-bin silentarmy,sa-solver,python3
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index e2dc6216b..b26726572 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -29,7 +29,9 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-tracelog
+# tracelog disabled as it breaks integrated browser
+#tracelog
 private-dev
 private-tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 214f4f885..a5a2ca3ed 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -209,6 +209,7 @@
 /etc/firejail/pcmanfm.profile
 /etc/firejail/pdfsam.profile
 /etc/firejail/pdftotext.profile
+/etc/firejail/peek.profile
 /etc/firejail/pidgin.profile
 /etc/firejail/pithos.profile
 /etc/firejail/pix.profile
@@ -233,6 +234,7 @@
 /etc/firejail/seamonkey-bin.profile
 /etc/firejail/seamonkey.profile
 /etc/firejail/server.profile
+/etc/firejail/silentarmy.profile
 /etc/firejail/simple-scan.profile
 /etc/firejail/skanlite.profile
 /etc/firejail/skype.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c616f040c..3d3cc91ee 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -188,6 +188,7 @@ palemoon
 parole
 pdfsam
 pdftotext
+peek
 pidgin
 pithos
 pix
@@ -212,6 +213,7 @@ scribus
 seamonkey
 seamonkey-bin
 simple-scan
+silentarmy
 skanlite
 skype
 skypeforlinux
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index ff4d3a9d7..14f981a86 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -250,7 +250,7 @@ void caps_print(void) {
 // drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
-        if (getuid() == 0) {
+        if (getuid() == 0 && !arg_noprofile) {
                if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
                else if (arg_debug)
                        printf("Drop CAP_DAC_OVERRIDE\n");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8aa80f274..6aa29f896 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -351,6 +351,7 @@ extern int arg_x11_xorg;	// use X11 security extention
 extern int arg_allusers;        // all user home directories visible
 extern int arg_machineid;       // preserve /etc/machine-id
 extern int arg_disable_mnt;     // disable /mnt and /media
+extern int arg_noprofile;       // use default.profile if none other found/specified
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index e5e068583..9e3678c33 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -284,9 +284,13 @@ void fs_private(void) {
        // mask /home
        if (arg_debug)
                printf("Mounting a new /home directory\n");
-        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+        if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root
-                errExit("mounting home directory");
+                ;
-        fs_logger("tmpfs /home");
+        else {
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mounting home directory");
+                fs_logger("tmpfs /home");
+        }
        // mask /root
        if (arg_debug)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1f714df58..7f3f0f248 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -109,6 +109,7 @@ int arg_machineid = 0;				// preserve /etc/machine-id
 int arg_allow_private_blacklist = 0;            // blacklist things in private directories
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_disable_mnt = 0;                        // disable /mnt and /media
+int arg_noprofile = 0; // use default.profile if none other found/specified
 int login_shell = 0;
@@ -818,7 +819,6 @@ int main(int argc, char **argv) {
        int option_force = 0;
        int custom_profile = 0; // custom profile loaded
        char *custom_profile_dir = NULL; // custom profile directory
-        int arg_noprofile = 0; // use default.profile if none other found/specified
        // get starting timestamp
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index af943581e..88f04f47f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -81,8 +81,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                if (cfg.profile_ignore[i] == NULL)
                        break;
-                if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
+                int len = strlen(cfg.profile_ignore[i]);
-                        return 0;       // ignore line
+                if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {
+                        // full word match
+                        if (*(ptr + len) == '\0' || *(ptr + len) == ' ')
+                                return 0;       // ignore line
+                }
        }
        if (strncmp(ptr, "ignore ", 7) == 0) {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 15379215c..29f928ee7 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -123,40 +123,47 @@ void seccomp_filter_64(void) {
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
-        // default seccomp
+        // if we have multiple seccomp commands, only one of them is executed
-        if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) {
+        // in the following order:
+        //      - seccomp.drop list
+        //      - seccomp list
+        //      - seccomp
+        if (cfg.seccomp_list_drop == NULL) {
+                // default seccomp
+                if (cfg.seccomp_list == NULL) {
 #if defined(__x86_64__)
-                seccomp_filter_32();
+                        seccomp_filter_32();
 #endif
 #if defined(__i386__)
-                seccomp_filter_64();
+                        seccomp_filter_64();
 #endif
-        }
+                }
-        // default seccomp filter with additional drop list
+                // default seccomp filter with additional drop list
-        else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
+                else { // cfg.seccomp_list != NULL
 #if defined(__x86_64__)
-                seccomp_filter_32();
+                        seccomp_filter_32();
 #endif
 #if defined(__i386__)
-                seccomp_filter_64();
+                        seccomp_filter_64();
 #endif
-                if (arg_debug)
+                        if (arg_debug)
-                        printf("Build default+drop seccomp filter\n");
+                                printf("Build default+drop seccomp filter\n");
-                // build the seccomp filter as a regular user
+                        // build the seccomp filter as a regular user
-                int rv;
+                        int rv;
-                if (arg_allow_debuggers)
+                        if (arg_allow_debuggers)
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
+                                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
+                                        PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
-                else
+                        else
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+                                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
+                                        PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
-                if (rv)
+                        if (rv)
-                        exit(rv);
+                                exit(rv);
+                }
        }
        // drop list without defaults - secondary filters are not installed
-        else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
+        else { // cfg.seccomp_list_drop != NULL
                if (arg_debug)
                        printf("Build drop seccomp filter\n");
@@ -172,9 +179,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
                if (rv)
                        exit(rv);
        }
-        else {
-                assert(0);
-        }
        // load the filter
        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 79ebc3b1b..77bf7749f 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) {
        // build the start command
        char *server_argv[256] = {                // rest initialyzed to NULL
-                 "xpra", "start", display_str, "--no-daemon", "--use-display",
+                 "xpra", "start", display_str, "--no-daemon",
        };
        unsigned pos = 0;
        while (server_argv[pos] != NULL) pos++;
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index a7a97cf5a..83a6621fe 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,6 +1,6 @@
 all: firemon
-PREFIX=@prefix@
+prefix=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
@@ -11,7 +11,7 @@ H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 HAVE_GCOV=@HAVE_GCOV@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 41afa41fd..8cf8d14f7 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -48,6 +48,7 @@ void cgroup(pid_t pid, int print_procs) {
        pid_read(pid);
        // print processes
+        printf("  cgroup: ");
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index aaeffdbd2..268cc0b75 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -201,18 +201,32 @@ int main(int argc, char **argv) {
        }
        if (arg_top) {
-                top();
+                top();  // print all sandboxes, --name disregarded
                return 0;
        }
        if (arg_list) {
-                list();
+                list(); // print all sandboxes, --name disregarded
                return 0;
        }
        if (arg_netstats) {
-                netstats();
+                netstats();     // print all sandboxes, --name disregarded
                return 0;
        }
+        // if --name requested without other options, print all data
+        if (pid && !arg_tree &&  !arg_cpu && !arg_seccomp && !arg_caps &&
+            !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+                arg_tree = 1;
+                arg_cpu = 1;
+                arg_seccomp = 1;
+                arg_caps = 1;
+                arg_cgroup = 1;
+                arg_x11 = 1;
+                arg_interface = 1;
+                arg_route = 1;
+                arg_arp = 1;
+        }
        // cumulative options
        int print_procs = 1;
        if (arg_tree) {
@@ -239,7 +253,7 @@ int main(int argc, char **argv) {
                x11((pid_t) pid, print_procs);
                print_procs = 0;
        }
-        if (arg_interface) {
+        if (arg_interface && getuid() == 0) {
                interface((pid_t) pid, print_procs);
                print_procs = 0;
        }
@@ -252,8 +266,11 @@ int main(int argc, char **argv) {
                print_procs = 0;
        }
-        if (print_procs)
+        if (getuid() == 0) {
+                if (!arg_tree)
+                        tree((pid_t) pid);
                procevent((pid_t) pid);
+        }
        return 0;
 }
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index c5e8a242c..f83be9823 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -29,6 +29,20 @@
 // ip -s link: device stats
 // ss -s: socket stats
+static uid_t cached_uid = 0;
+static char *cached_user_name = NULL;
+static char *get_user_name(uid_t uid) {
+        if (cached_user_name == NULL) {
+                cached_uid = uid;
+                cached_user_name = pid_get_user_name(uid);
+                return strdup(cached_user_name);
+        }
+        else if (uid == cached_uid)
+                return strdup(cached_user_name);
+        else
+                return pid_get_user_name(uid);
+}
 static char *get_header(void) {
        char *rv;
@@ -109,7 +123,17 @@ errexit:
 }
+static char *firejail_exec = NULL;
+static int firejail_exec_len = 0;
+static int firejail_exec_prefix_len = 0;
 static void print_proc(int index, int itv, int col) {
+        if (!firejail_exec) {
+                if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+                        errExit("asprintf");
+                firejail_exec_len = strlen(firejail_exec);
+                firejail_exec_prefix_len = strlen(PREFIX) + 5;
+        }
        // command
        char *cmd = pid_proc_cmdline(index);
        char *ptrcmd;
@@ -119,6 +143,8 @@ static void print_proc(int index, int itv, int col) {
                else
                        ptrcmd = "";
        }
+        else if (strncmp(cmd, firejail_exec, firejail_exec_len) == 0)
+                ptrcmd = cmd + firejail_exec_prefix_len;
        else
                ptrcmd = cmd;
@@ -139,7 +165,7 @@ static void print_proc(int index, int itv, int col) {
        snprintf(pidstr, 10, "%u", index);
        // user
-        char *user = pid_get_user_name(pids[index].uid);
+        char *user = get_user_name(pids[index].uid);
        char *ptruser;
        if (user)
                ptruser = user;
@@ -178,7 +204,7 @@ void netstats(void) {
        while (1) {
                // set pid table
                int i;
-                int itv = 5;    // 5 second  interval
+                int itv = 1;    // 1 second  interval
                pid_read(0);
                // start rx/tx measurements
@@ -187,7 +213,7 @@ void netstats(void) {
                                get_stats(i);
                }
-                // wait 5 seconds
+                // wait 1 seconds
                firemon_sleep(itv);
                // grab screen size
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index d6afed93a..27c0e2b3f 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -449,16 +449,6 @@ static int procevent_monitor(const int sock, pid_t mypid) {
        return 0;
 }
-static void procevent_print_pids(void) {
-        // print files
-        int i;
-        for (i = 0; i < max_pids; i++) {
-                if (pids[i].level == 1)
-                        pid_print_tree(i, 0, 1);
-        }
-        printf("\n");
-}
 void procevent(pid_t pid) {
        // need to be root for this
        if (getuid() != 0) {
@@ -466,10 +456,6 @@ void procevent(pid_t pid) {
                exit(1);
        }
-        // read and print sandboxed processes
-        pid_read(pid);
-        procevent_print_pids();
        // monitor using netlink
        int sock = procevent_netlink_setup();
        if (sock < 0) {
diff --git a/src/firemon/top.c b/src/firemon/top.c
index 3a79a5260..3d657a6a6 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -54,6 +54,9 @@ static char *get_header(void) {
 }
+static char *firejail_exec = NULL;
+static int firejail_exec_len = 0;
+static int firejail_exec_prefix_len = 0;
 // recursivity!!!
 static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigned *stime, unsigned itv, float *cpu, int *cnt) {
        char *rv = NULL;
@@ -90,6 +93,13 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
                        print_top(i, index, utime, stime, itv, cpu, cnt);
        }
+        if (!firejail_exec) {
+                if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+                        errExit("asprintf");
+                firejail_exec_len = strlen(firejail_exec);
+                firejail_exec_prefix_len = strlen(PREFIX) + 5;
+        }
        if (pids[index].level == 1) {
                // pid
                char pidstr[10];
@@ -104,8 +114,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
                        else
                                ptrcmd = "";
                }
-                else if (strncmp(cmd, "/usr/bin/firejail", 17) == 0)
+                else if (strncmp(cmd, firejail_exec, firejail_exec_len) == 0)
-                        ptrcmd = cmd + 9;
+                        ptrcmd = cmd + firejail_exec_prefix_len;
                else
                        ptrcmd = cmd;