12 files changed, 116 insertions, 26 deletions

diff --git a/Makefile.in b/Makefile.in
index 4d00e3aef..14fbaa0bf 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -8,7 +8,9 @@ bindir=@bindir@
 libdir=@libdir@
 datarootdir=@datarootdir@
 mandir=@mandir@
-sysconfdir=@sysconfdir@
+# todo: fix sysconfdir
+# sysconfdir=@sysconfdir@ 
+sysconfdir=/etc
 
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
diff --git a/etc/firefox.profile b/etc/firefox.profile
index b31f25fc6..fae7d7ad4 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -8,6 +8,5 @@ caps.drop all
 seccomp
 netfilter
 noroot
-shell none
 
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 64cf3ccef..cbc4086fb 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -407,5 +407,9 @@ void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
 
+// fs_bin.c
+void fs_check_bin_list(void);
+void fs_private_bin_list(void);
+
 #endif
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 54086e0bb..b3748de51 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -435,23 +435,23 @@ void fs_proc_sys_dev_boot(void) {
         if (arg_debug)
                 printf("Disable /sys/firmware directory\n");
         if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/firmware directory");
+                fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
         if (arg_debug)
                 printf("Disable /sys/hypervisor directory\n");
         if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/hypervisor directory");
+                fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
         if (arg_debug)
                 printf("Disable /sys/fs directory\n");
         if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/fs directory");
+                fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
         if (arg_debug)
                 printf("Disable /sys/module directory\n");
         if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/module directory");
+                fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
         if (arg_debug)
                 printf("Disable /sys/power directory\n");
         if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/power directory");
+                fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
 
 
 
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 4b3292b6c..dcfdadb6b 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -44,9 +44,9 @@ static char *check_dir_or_file(const char *name) {
                         errExit("asprintf");
                 if (arg_debug)
                         printf("Checking %s/%s\n", paths[i], name);             
-                if (stat(fname, &s) == 0)
+                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
                         break; // file found
-                        
+                
                 free(fname);
                 fname = NULL;
                 i++;
@@ -99,7 +99,6 @@ void fs_check_bin_list(void) {
                 else
                         notfound = 1;
         }
-printf("here %d: newlist #%s#\n", __LINE__, newlist);
         
         if (*newlist == '\0') {
                 fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 3200c5282..93625633a 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -146,7 +146,7 @@ void fs_var_log(void) {
                         errExit("chmod");
         }
         else
-                fprintf(stderr, "Warning: cannot mount tmpfs in top of /var/log\n");
+                fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n");
 }
 
 void fs_var_lib(void) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2863b454e..5b18cc179 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,6 +257,14 @@ int profile_check_line(char *ptr, int lineno) {
                 return 0;
         }
 
+        // private /bin list of files
+        if (strncmp(ptr, "private-bin ", 12) == 0) {
+                cfg.bin_private_keep = ptr + 12;
+                fs_check_bin_list();
+                arg_private_bin = 1;
+                return 0;
+        }
+
         // filesystem bind
         if (strncmp(ptr, "bind ", 5) == 0) {
                 if (getuid() != 0) {
diff --git a/test/chromium.exp b/test/chromium.exp
index 020826f3d..77325d070 100755
--- a/test/chromium.exp
+++ b/test/chromium.exp
@@ -4,10 +4,10 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail chromium-browser www.gentoo.org\r"
+send -- "firejail chromium www.gentoo.org\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/chromium-browser.profile"
+        "Reading profile /etc/firejail/chromium.profile"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -23,7 +23,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
-        "chromium-browser"
+        "chromium"
 }
 sleep 1
 
@@ -38,7 +38,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        ":firejail chromium-browser"
+        ":firejail chromium"
 }
 expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
@@ -52,7 +52,7 @@ sleep 1
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail chromium-browser"
+        ":firejail chromium"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
diff --git a/test/fscheck-shell.exp b/test/fscheck-shell.exp
index d2320a4c3..548955e60 100755
--- a/test/fscheck-shell.exp
+++ b/test/fscheck-shell.exp
@@ -15,7 +15,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-dir\r"
 expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
         "Error"
 }
 after 100
@@ -23,7 +23,7 @@ after 100
 # dir link
 send -- "firejail --net=br0 --shell=fscheck-dir-link\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "Error"
 }
 after 100
@@ -31,7 +31,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-dir-link\r"
 expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "Error"
 }
 after 100
@@ -39,7 +39,7 @@ after 100
 # file link
 send -- "firejail --net=br0 --shell=fscheck-file-link\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "Error"
 }
 after 100
@@ -47,7 +47,7 @@ after 100
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-file-link\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "Error"
 }
 after 100
@@ -55,7 +55,7 @@ after 100
 # no file
 send -- "firejail --net=br0 --shell=../test/nofile\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "Error"
 }
 after 100
@@ -63,7 +63,7 @@ after 100
 # real GID/UID
 send -- "firejail --net=br0 --shell=/etc/shadow\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
         "Error"
 }
 after 100
diff --git a/test/private-bin.exp b/test/private-bin.exp
new file mode 100755
index 000000000..cc5ea99c7
--- /dev/null
+++ b/test/private-bin.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-bin=bash,ls,sh\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /bin\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "ls"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "sh"
+}
+
+send -- "ls -al /bin\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "ping" {puts "TESTING ERROR 6\n";exit}
+        "sh"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=private-bin.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /bin\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "ls"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "sh"
+}
+
+send -- "ls -al /bin\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "ping" {puts "TESTING ERROR 6\n";exit}
+        "sh"
+}
+send -- "exit\r"
+
+
+
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/private-bin.profile b/test/private-bin.profile
new file mode 100644
index 000000000..24cf5929a
--- /dev/null
+++ b/test/private-bin.profile
@@ -0,0 +1 @@
+private-bin bash,ls,sh
diff --git a/test/test.sh b/test/test.sh
index 6f198cd52..2e7b1e2bc 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -18,9 +18,15 @@ echo "TESTING: environment variables"
 echo "TESTING: private-etc"
 ./private-etc.exp
 
+echo "TESTING: private-bin"
+./private-bin.exp
+
+sleep 1
+rm -fr dir\ with\ space
 mkdir dir\ with\ space
 echo "TESTING: blacklist"
 ./blacklist.exp
+sleep 1
 rm -fr dir\ with\ space
 
 ln -s auto auto2
@@ -155,7 +161,7 @@ else
         echo "TESTING: midori not found"
 fi
 
-which chromium-browser
+which chromium
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: chromium"
@@ -278,10 +284,10 @@ echo "TESTING: seccomp su"
 echo "TESTING: seccomp ptrace"
 ./seccomp-ptrace.exp
 
-echo "TESTING: seccomp chmod (seccomp lists)"
+echo "TESTING: seccomp chmod - seccomp lists"
 ./seccomp-chmod.exp
 
-echo "TESTING: seccomp chmod profile (seccomp lists)"
+echo "TESTING: seccomp chmod profile - seccomp lists"
 ./seccomp-chmod-profile.exp
 
 echo "TESTING: seccomp empty"