2 files changed, 79 insertions, 4 deletions
diff --git a/etc/k3b.profile b/etc/k3b.profile
index 68b825c5e..35b27a183 100644
--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -3,23 +3,24 @@
 include /etc/firejail/k3b.local
 # k3b profile
+noblacklist ~/.kde4/share/config/k3brc
+noblacklist ~/.kde/share/config/k3brc
+noblacklist ~/.config/k3brc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+no3d
-nogroups
 nonewprivs
 noroot
 nosound
 shell none
 seccomp
 protocol unix
+tracelog
 # private-bin 
-# private-dev
 # private-tmp
 # private-etc
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 172aff121..c515accc0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -830,6 +830,80 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+#ifdef HAVE_OVERLAYFS
+        if (strncmp(ptr, "overlay-named ", 14) == 0) {
+                if (checkcfg(CFG_OVERLAYFS)) {
+                        if (cfg.chrootdir) {
+                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);
+                        }
+                        arg_overlay = 1;
+                        arg_overlay_keep = 1;
+                        arg_overlay_reuse = 1;
+                        char *subdirname = ptr + 14;
+                        if (subdirname == '\0') {
+                                fprintf(stderr, "Error: invalid overlay option\n");
+                                exit(1);
+                        }
+                        // check name
+                        invalid_filename(subdirname);
+                        if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
+                                fprintf(stderr, "Error: invalid overlay name\n");
+                                exit(1);
+                        }
+                        cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+                }
+                return 0;
+        } else if (strcmp(ptr, "overlay-tmpfs") == 0) {
+                if (checkcfg(CFG_OVERLAYFS)) {
+                        if (cfg.chrootdir) {
+                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);
+                        }
+                        arg_overlay = 1;
+                        return 0;
+                }
+        } else if (strcmp(ptr, "overlay") == 0) {
+                if (checkcfg(CFG_OVERLAYFS)) {
+                        if (cfg.chrootdir) {
+                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);
+                        }
+                        arg_overlay = 1;
+                        arg_overlay_keep = 1;
+                        char *subdirname;
+                        if (asprintf(&subdirname, "%d", getpid()) == -1)
+                                errExit("asprintf");
+                        cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+                        free(subdirname);
+                        return 0;
+                }
+        }
+#endif
        // filesystem bind
        if (strncmp(ptr, "bind ", 5) == 0) {
 #ifdef HAVE_BIND

diff --git a/etc/k3b.profile b/etc/k3b.profile index 68b825c5e..35b27a183 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile
@@ -3,23 +3,24 @@
3	include /etc/firejail/k3b.local	3	include /etc/firejail/k3b.local
4		4
5	# k3b profile	5	# k3b profile
		6	noblacklist ~/.kde4/share/config/k3brc
		7	noblacklist ~/.kde/share/config/k3brc
		8	noblacklist ~/.config/k3brc
6	include /etc/firejail/disable-common.inc	9	include /etc/firejail/disable-common.inc
7	include /etc/firejail/disable-programs.inc	10	include /etc/firejail/disable-programs.inc
8	include /etc/firejail/disable-devel.inc	11	include /etc/firejail/disable-devel.inc
9	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
10		13
11	caps.drop all	14	caps.drop all
12	netfilter	15	no3d
13	nogroups
14	nonewprivs	16	nonewprivs
15	noroot	17	noroot
16	nosound	18	nosound
17	shell none	19	shell none
18	seccomp	20	seccomp
19	protocol unix	21	protocol unix
		22	tracelog
20		23
21	# private-bin	24	# private-bin
22	# private-dev
23	# private-tmp	25	# private-tmp
24	# private-etc	26	# private-etc
25


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 172aff121..c515accc0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -830,6 +830,80 @@ int profile_check_line(char ptr, int lineno, const char fname) {
830	return 0;	830	return 0;
831	}	831	}
832		832
		833
		834	#ifdef HAVE_OVERLAYFS
		835	if (strncmp(ptr, "overlay-named ", 14) == 0) {
		836	if (checkcfg(CFG_OVERLAYFS)) {
		837	if (cfg.chrootdir) {
		838	fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
		839	exit(1);
		840	}
		841	struct stat s;
		842	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
		843	fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
		844	exit(1);
		845	}
		846	arg_overlay = 1;
		847	arg_overlay_keep = 1;
		848	arg_overlay_reuse = 1;
		849
		850	char *subdirname = ptr + 14;
		851	if (subdirname == '\0') {
		852	fprintf(stderr, "Error: invalid overlay option\n");
		853	exit(1);
		854	}
		855
		856	// check name
		857	invalid_filename(subdirname);
		858	if (strstr(subdirname, "..") \|\| strstr(subdirname, "/")) {
		859	fprintf(stderr, "Error: invalid overlay name\n");
		860	exit(1);
		861	}
		862	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
		863	}
		864
		865	return 0;
		866	} else if (strcmp(ptr, "overlay-tmpfs") == 0) {
		867	if (checkcfg(CFG_OVERLAYFS)) {
		868	if (cfg.chrootdir) {
		869	fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
		870	exit(1);
		871	}
		872	struct stat s;
		873	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
		874	fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
		875	exit(1);
		876	}
		877	arg_overlay = 1;
		878
		879	return 0;
		880	}
		881	} else if (strcmp(ptr, "overlay") == 0) {
		882	if (checkcfg(CFG_OVERLAYFS)) {
		883	if (cfg.chrootdir) {
		884	fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
		885	exit(1);
		886	}
		887	struct stat s;
		888	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
		889	fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
		890	exit(1);
		891	}
		892	arg_overlay = 1;
		893	arg_overlay_keep = 1;
		894
		895	char *subdirname;
		896	if (asprintf(&subdirname, "%d", getpid()) == -1)
		897	errExit("asprintf");
		898	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
		899
		900	free(subdirname);
		901
		902	return 0;
		903	}
		904	}
		905	#endif
		906
833	// filesystem bind	907	// filesystem bind
834	if (strncmp(ptr, "bind ", 5) == 0) {	908	if (strncmp(ptr, "bind ", 5) == 0) {
835	#ifdef HAVE_BIND	909	#ifdef HAVE_BIND