5 files changed, 26 insertions, 6 deletions

diff --git a/etc/cin.profile b/etc/cin.profile
index 356509da0..e2410e3a5 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -19,7 +19,7 @@ net none
 nodbus
 nodvd
 #nogroups
-#nonewprivs
+nonewprivs
 notv
 noroot
 protocol unix
diff --git a/etc/natron.profile b/etc/natron.profile
index e7c597fe2..76e909f83 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -18,7 +18,7 @@ noblacklist /opt/natron
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-#include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 9ccbb7310..bda027aaa 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -20,8 +20,8 @@ include /etc/firejail/whitelist-var-common.inc
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
 caps.drop all
 netfilter
-# nodbus - problems with KDE
-# nogroups
+#nodbus
+#nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -33,6 +33,6 @@ private-dev
 private-tmp
 
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 9109a6865..ad93efe3c 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -162,22 +162,34 @@ void pulseaudio_init(void) {
         }
         free(dir1);
 
-
         // if we have ~/.config/pulse mount the new directory, else set environment variable
         char *homeusercfg;
         if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
                 errExit("asprintf");
         if (stat(homeusercfg, &s) == 0) {
+                if (is_link(homeusercfg)) {
+                        fprintf(stderr, "Error: user .config/pulse is a symbolic link\n");
+                        exit(1);
+                }
                 if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0 ||
                     mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0)
                         errExit("mount pulseaudio");
                 fs_logger2("tmpfs", homeusercfg);
+
+                // check /proc/self/mounts to confirm the mount is ok
+                MountData *mptr = get_last_mount();
+                if (strncmp(mptr->dir,homeusercfg,strlen(homeusercfg)) != 0) {
+                        fprintf(stderr, "Error: invalid mount on top of %s (should be %s)\n", mptr->dir, homeusercfg);
+                        exit(1);
+                }
+
                 char *p;
                 if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
                         errExit("asprintf");
                 fs_logger2("create", p);
                 free(p);
         }
+
         else {
                 // set environment
                 if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 8cf4fccf3..d8b5961a2 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1193,6 +1193,14 @@ void x11_xorg(void) {
         // just  in case...
         if (set_perms(dest, getuid(), getgid(), 0600))
                 errExit("set_perms");
+
+        // check /proc/self/mounts to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        if (strncmp(mptr->dir,dest,strlen(dest)) != 0) {
+                fprintf(stderr, "Error: invalid mount on top of %s (should be %s)\n", mptr->dir, dest);
+                exit(1);
+        }
+
         free(dest);
 #endif
 }