9 files changed, 187 insertions, 2 deletions

diff --git a/README b/README
index 8ed485ab9..d7f87d20e 100644
--- a/README
+++ b/README
@@ -259,6 +259,8 @@ Loïc Damien (https://github.com/dzamlo)
         - small fixes
 maces (https://github.com/maces)
         - Franz messenger profile
+Madura A (https://github.com/manushanga)
+        - floader
 mahdi1234 (https://github.com/mahdi1234)
         - cherrytree profile
         - Seamonkey profiles
@@ -388,6 +390,7 @@ SYN-cook (https://github.com/SYN-cook)
         - added baloo_file profile
         - k3b profile update
         - noexec changes
+        - gnome-calculator changes
 startx2017 (https://github.com/startx2017)
         - syscall list update
         - updated default seccomp filters - added  bpf, clock_settime, personality, process_vm_writev, query_module,
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 071c8a18a..ff51f6976 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -24,6 +24,7 @@ whitelist ~/.config/chromium-flags.conf
 
 include /etc/firejail/whitelist-common.inc
 
+caps.keep sys_chroot,sys_admin
 ipc-namespace
 netfilter
 nogroups
diff --git a/etc/clementine.profile b/etc/clementine.profile
index f92413a36..d9ce4c9c8 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -12,4 +12,5 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6
-seccomp
+# Clementine makes ioprio_set system calls, which are blacklisted by default.
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 7a5e8bf5b..c78640cd7 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.local
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.bash_history
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
 
@@ -142,6 +143,8 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.config/fish
+read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.profile
 read-only ${HOME}/.forward
 read-only ${HOME}/.login
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index eb9027ca4..67610abea 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,7 +16,6 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
-ipc-namespace
 netfilter
 #net none                                     
 no3d
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 38feb12a5..9cfafdb82 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 # include /etc/firejail/disable-devel.inc
 #
 
+caps.keep sys_chroot,sys_admin
 netfilter
 
 whitelist ${DOWNLOADS}
diff --git a/src/floader/README.md b/src/floader/README.md
new file mode 100644
index 000000000..d437763a7
--- /dev/null
+++ b/src/floader/README.md
@@ -0,0 +1,9 @@
+READ ME
+-------
+
+* Run 'make'
+* Add comma separated process names to ~/.loader.conf
+* export LD_PRELOAD=<path>./loader.so (ideally to .bashrc)
+* Run any application within shell
+
+
diff --git a/src/floader/loader.c b/src/floader/loader.c
new file mode 100644
index 000000000..0970794e9
--- /dev/null
+++ b/src/floader/loader.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2017 Madura A. (madura.x86@gmail.com)
+ * 
+ */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <unistd.h>
+    
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#define MAX_MATCHES 32
+#define MAX_ARGS 1024
+#define MAX_ARGS_LEN 4096
+static void loader_main() __attribute__((constructor));
+
+char cmdline[MAX_ARGS_LEN];
+char *args[MAX_ARGS];
+char loader[] = "firejail";
+char confFile[256];
+char *names[MAX_MATCHES];
+
+#ifdef DEBUG
+#define DBG printf
+#else
+#define DBG
+#endif
+void remove_trailing_spaces(char *str)
+{
+    while (!isspace(*str))
+    {
+        str++;
+    }
+    
+    while (*str != '\0')
+    {
+        *str = '\0';
+        str++;
+    }
+}
+
+void read_cmdline()
+{
+    int fd = open("/proc/self/cmdline", O_RDONLY);
+    ssize_t ret = 0, total = 0;
+    char* wcmdbuf = cmdline;
+    while ((ret = read(fd, wcmdbuf, 1)) != 0)
+    {
+        wcmdbuf++;
+        total += ret;
+        if (total > MAX_ARGS_LEN)
+        {
+            printf("Not enough memory\n");
+            close(fd);
+            return ;
+        }
+    }
+    close(fd);
+}
+
+void make_args()
+{
+    int cI = 0, argI=0;
+    char* argstart = &cmdline[0];
+    for (;cI<MAX_ARGS_LEN;cI++)
+    {
+        if (cmdline[cI] == '\0')
+        {
+            args[argI]= argstart; 
+            argstart = &cmdline[cI+1];
+            argI++;
+            if (*argstart  == '\0')
+            {
+                break;
+            }
+        }
+    }
+    args[argI] = argstart;
+    argI++;
+    args[argI] = NULL;
+}
+
+void loader_main()
+{
+    snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME"));
+
+    struct stat confFileStat;
+    
+    stat(confFile, &confFileStat);
+    
+    int confFd = open(confFile, O_RDONLY);
+    
+    if (confFd == -1)
+    {
+        close(confFd);
+        return;
+    }
+    char* conf = (char*) malloc(confFileStat.st_size);
+    if (conf == NULL)
+    {
+        close(confFd);
+        return;
+    }
+    ssize_t ret  = read(confFd, conf, confFileStat.st_size);
+    if (ret == -1)
+    {
+        close(confFd);
+        return;
+    }
+    
+    close(confFd);
+    size_t fI = 0;
+    int matchId = 0;
+    names[matchId] = conf;
+    matchId++;
+    for (;fI < confFileStat.st_size-1;fI++)
+    {
+        if (conf[fI] == ',')
+        {
+            names[matchId] = &conf[fI+1];
+            conf[fI] = '\0';
+            
+            matchId++;
+        }
+    }
+       
+    remove_trailing_spaces(names[matchId-1]);
+   
+    read_cmdline();
+    
+    make_args();
+    
+#ifdef DEBUG
+    int xarg=0;
+    while (args[xarg] != NULL)
+    {
+        DBG(".%s\n", args[xarg]);
+        xarg++;
+    }
+#endif
+
+    int x;
+       
+    for (x = 0;x<matchId;x++)
+    {
+        DBG("%s\n",names[x]);
+        if (strstr(args[0], names[x]) != NULL)
+        {
+            DBG("highjack!\n");
+            
+            free(conf);
+            
+            execvp(loader, args );
+        }
+    }
+    
+}
diff --git a/src/floader/makefile b/src/floader/makefile
new file mode 100644
index 000000000..0de6a3138
--- /dev/null
+++ b/src/floader/makefile
@@ -0,0 +1,7 @@
+all:
+        gcc -ggdb -shared -fPIC loader.c -o loader.so
+
+debug:
+        gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so
+
+