20 files changed, 175 insertions, 29 deletions

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index f0e4dd416..71791c000 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,17 +1,18 @@
+
+If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
+
 If you make a PR for new profiles or changeing profiles please do the following:
  - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
-   Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
+   > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
  - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
  The path to it depends on your distro:
 
    | Distro | Path |
    | ------ | ---- |
-   | Arch/Fedora | `/lib64/firejail/sort.py` |
+   | Arch/Fedora | `/usr/lib64/firejail/sort.py` |
    | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
    | local git clone | `contrib/sort.py` |
 
    Note also that the sort.py script exists only since firejail `0.9.61`.
 
-If you have no idea how to do one of these, you can open the PR anyway.
-
 See also [CONTRIBUTING.md](/CONTRIBUTING.md).
diff --git a/SECURITY.md b/SECURITY.md
index 8a45fd163..558b6870a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,7 +4,7 @@
 
 | Version | Supported by us    | EOL  | Supported by distribution |
 | ------- | ------------------ | ---- | ---------------------------
-| 0.9.60  | :heavy_check_mark: |      | :white_check_mark: Debian 11 (testing/unstable), Ubuntu 19.10
+| 0.9.60  | :heavy_check_mark: |      | :white_check_mark: Debian 11 (testing/unstable), 10 **backports**; Ubuntu 19.10
 | 0.9.58  | :x:                |      | :white_check_mark: Ubuntu 19.04; Debian 9 **backports**, 10
 | 0.9.56  | :x:                | 27 Jan 2019 |
 | 0.9.54  | :x:                |      | :white_check_mark: Ubuntu 18.10
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 1c16f940e..904c784c6 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
 
@@ -45,7 +46,7 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6
+# protocol unix,inet,inet6,netlink
 # seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 tracelog
 
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index fe3202cea..7b2d344e5 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -44,7 +44,7 @@ x11 none
 
 private-cache
 private-dev
-private-lib perl*
+private-lib libfreebl3.so,perl*
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 7ca5a6b89..e1762719f 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -67,6 +67,7 @@ blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
@@ -79,6 +80,7 @@ blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
 blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -89,6 +91,7 @@ blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
 blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c061e94a2..c0bf1f8d4 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -302,6 +302,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
@@ -322,6 +323,7 @@ blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
+blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.curlrc
@@ -367,6 +369,7 @@ blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.itch
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.jak
@@ -620,11 +623,13 @@ blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.config/teams-for-linux
+blacklist ${HOME}/.tb
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser
 blacklist ${HOME}/.tor-browser-*
 blacklist ${HOME}/.tor-browser_*
 blacklist ${HOME}/.torcs
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 84c647cb9..0c143f569 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,6 +16,8 @@ whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin awk,basename,bash,cat,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index 48c02f195..cb7e7c513 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -18,20 +18,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-#mkdir ${HOME}/.config/ghostwriter
-#whitelist ${HOME}/.config/ghostwriter
-#whitelist ${DESKTOP}
-#whitelist ${DOCUMENTS}
-#whitelist ${DOWNLOADS}
-#whitelist ${PICTURES}
-#include whitelist-common.inc
-
 apparmor
 caps.drop all
 machine-id
 netfilter
-#no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,17 +30,15 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,netlink
-seccomp
+protocol unix,inet,inet6,netlink
+#seccomp -- breaks
 shell none
-tracelog
+#tracelog -- breaks
 
 # Breaks Translation
 #private-bin ghostwriter,pandoc
 private-cache
 private-dev
-private-etc alternatives,crypto-policies,cups,dconf,drirc,fonts,gtk-3.0,localtime,machine-id
-# Breaks Translation
-#private-lib
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
-
diff --git a/etc/itch.profile b/etc/itch.profile
index c0b4fe6ce..b3c78c810 100644
--- a/etc/itch.profile
+++ b/etc/itch.profile
@@ -8,6 +8,7 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
 
+noblacklist ${HOME}/.itch
 noblacklist ${HOME}/.config/itch
 
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
 whitelist ${HOME}/.config/itch
 include whitelist-common.inc
 
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index ee07636d3..d512dd100 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -5,6 +5,9 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
 
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
+
 noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 81b2b1481..1e0512fd8 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -6,6 +6,7 @@ include pluma.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/pluma
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
@@ -42,7 +43,7 @@ tracelog
 
 private-bin pluma
 private-dev
-private-lib pluma
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/slack.profile b/etc/slack.profile
index 5c10ef0ba..f71ae9584 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -20,7 +20,6 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-name slack
 netfilter
 nodvd
 nogroups
@@ -35,5 +34,5 @@ shell none
 disable-mnt
 private-bin locale,slack
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/tb-starter-wrapper.profile b/etc/tb-starter-wrapper.profile
new file mode 100644
index 000000000..8a7d45449
--- /dev/null
+++ b/etc/tb-starter-wrapper.profile
@@ -0,0 +1,19 @@
+# Firejail profile for tb-starter-wrapper
+# Description: wrapper-script used by whonix to start the tor browser
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tb-starter-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tb
+
+mkdir ${HOME}/.tb
+whitelist ${HOME}/.tb
+
+x11 xorg
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser.profile b/etc/tor-browser.profile
new file mode 100644
index 000000000..0cd84abf5
--- /dev/null
+++ b/etc/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser
+
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 75bcb04b4..00b82e852 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -48,7 +48,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 94aee724d..60e447049 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -39,6 +39,5 @@ tracelog
 x11 none
 
 private-bin unzip
-private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
diff --git a/etc/whalebird.profile b/etc/whalebird.profile
new file mode 100644
index 000000000..26932b6b3
--- /dev/null
+++ b/etc/whalebird.profile
@@ -0,0 +1,45 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Whalebird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
diff --git a/etc/zulip.profile b/etc/zulip.profile
new file mode 100644
index 000000000..999c2f77a
--- /dev/null
+++ b/etc/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 72fac1893..a6f259466 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -550,6 +550,7 @@ sylpheed
 synfigstudio
 sysprof
 sysprof-cli
+tb-starter-wrapper
 teams-for-linux
 teamspeak3
 teeworlds
@@ -560,6 +561,7 @@ thunderbird
 thunderbird-beta
 thunderbird-wayland
 tilp
+tor-browser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -639,6 +641,7 @@ weechat
 weechat-curses
 wesnoth
 wget
+whalebird
 whois
 widelands
 wine
@@ -678,3 +681,4 @@ zathura
 zeal
 zoom
 zpaq
+zulip
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 666f02e4d..fa93751cc 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -735,6 +735,22 @@ void fs_whitelist(void) {
                                 errExit("mounting tmpfs on /tmp");
                         fs_logger("tmpfs /tmp");
 
+                        // pam-tmpdir - issue #2685
+                        char *env = getenv("TMP");
+                        if (env) {
+                                char *pamtmpdir;
+                                if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+                                        errExit("asprintf");
+                                if (strcmp(env, pamtmpdir) == 0) {
+                                        // create empty user-owned /tmp/user/$uid directory
+                                        mkdir_attr("/tmp/user", 0711, 0, 0);
+                                        fs_logger("mkdir /tmp/user");
+                                        mkdir_attr(pamtmpdir, 0700, getuid(), 0);
+                                        fs_logger2("mkdir", pamtmpdir);
+                                }
+                                free(pamtmpdir);
+                        }
+
                         // autowhitelist home directory if it is masked by the tmpfs
                         if (strncmp(cfg.homedir, "/tmp/", 5) == 0)
                                 whitelist_home(WLDIR_TMP);