19 files changed, 113 insertions, 70 deletions
diff --git a/README.md b/README.md
index dd616f8a4..6f1c892aa 100644
--- a/README.md
+++ b/README.md
@@ -214,4 +214,4 @@ IntelliJ IDEA, Android Studio, electron, riot-web,
 Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
 telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard,
 remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar,
-musescore
+musescore, neverball
diff --git a/RELNOTES b/RELNOTES
index 7b0f13737..b50904b4e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -25,7 +25,7 @@ firejail (0.9.49) baseline; urgency=low
  * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
  * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
  * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter, sqlitebrowse,
-  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore
+  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 0b61e7b9f..1b7b2c258 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c220b9c50..294ff6bcb 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7b0e6e9eb..d02377036 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openinvaders
diff --git a/etc/neverball.profile b/etc/neverball.profile
new file mode 100644
index 000000000..6a9a3a577
--- /dev/null
+++ b/etc/neverball.profile
@@ -0,0 +1,37 @@
+# Firejail profile for neverball
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/neverball.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.neverball
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/server.profile b/etc/server.profile
index 04ef555de..edd4666e1 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/steam.profile b/etc/steam.profile
index 96899038a..227162e1f 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,12 +5,17 @@ include /etc/firejail/steam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.Steampath
-noblacklist ${HOME}/.Steampid
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -29,12 +34,15 @@ nogroups
 nonewprivs
 noroot
 notv
-# novideo
+# novideo should be commented for VR
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
 # tracelog
+# private-dev should be commented for controllers
 private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 83561cae5..90bb35ecd 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -18,9 +18,8 @@ novideo
 shell none
 tracelog
-private-bin strings
+# private-bin strings - breaking on Debian
 private-dev
-private-lib
 memory-deny-write-execute
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index c7db00daf..fefeac76b 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -31,6 +31,7 @@ shell none
 disable-mnt
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pulse,resolv.conf,ssl
 private-tmp
 noexec ${HOME}
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6473c6fef..e7eab20a2 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -220,6 +220,7 @@
 /etc/firejail/mutt.profile
 /etc/firejail/nautilus.profile
 /etc/firejail/nemo.profile
+/etc/firejail/neverball.profile
 /etc/firejail/netsurf.profile
 /etc/firejail/nolocal.net
 /etc/firejail/nylas.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 15e95b9a7..6bdeaab77 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -197,6 +197,7 @@ musescore
 mutt
 nautilus
 netsurf
+neverball
 nylas
 obs
 odt2txt
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 831b76e79..24d027d54 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -441,9 +441,6 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
        arg[2] = cmd;
        arg[3] = NULL;
        clearenv();
-#ifdef HAVE_SECCOMP
-        seccomp_install_filters();
-#endif
        execvp(arg[0], arg);
        // it will never get here
diff --git a/src/firejail/output.c b/src/firejail/output.c
index d69f5f051..b99604ec4 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -102,10 +102,6 @@ void check_output(int argc, char **argv) {
        a[1] = "-c";
        a[2] = cmd;
        a[3] = NULL;
-#ifdef HAVE_SECCOMP
-        seccomp_install_filters();
-#endif
        execvp(a[0], a);
        perror("execvp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 30b55d7d0..150c23de7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -269,19 +269,6 @@ static int monitor_application(pid_t app_pid) {
        return status;
 }
-void start_audit(void) {
-        char *audit_prog;
-        if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
-                errExit("asprintf");
-        assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-        seccomp_install_filters();
-#endif
-        execl(audit_prog, audit_prog, NULL);
-        perror("execl");
-        exit(1);
-}
 static void print_time(void) {
        if (start_timestamp) {
                unsigned long long end_timestamp = getticks();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 4de33c83d..10e6ab687 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -106,6 +106,10 @@ void usage(void) {
        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
 #endif
        printf("    --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_SECCOMP
+        printf("    --memory-deny-write-execute - seccomp filter to block attempts to create\n");
+        printf("\tmemory mappings  that are both writable and executable.\n");
+#endif
 #ifdef HAVE_NETWORK
        printf("    --mtu=number - set interface MTU.\n");
 #endif
@@ -179,12 +183,11 @@ void usage(void) {
        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n");
        printf("    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
        printf("\tdefault syscall list and the syscalls specified by the command.\n");
+        printf("    --seccomp.block-secondary - build only the native architecture filters.\n");
        printf("    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
        printf("\tblacklist the syscalls specified by the command.\n");
        printf("    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
        printf("\twhitelist the syscalls specified by the command.\n");
-        printf("    --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\treturn errno for the syscalls specified by the command.\n");
        printf("    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
        printf("\tidentified by name or PID.\n");
 #endif
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 26af8ad35..d41f46d93 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -321,9 +321,6 @@ void x11_start_xvfb(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -368,9 +365,6 @@ void x11_start_xvfb(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(jail_argv[0], jail_argv);
                perror("execvp");
                _exit(1);
@@ -563,9 +557,6 @@ void x11_start_xephyr(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -610,9 +601,6 @@ void x11_start_xephyr(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(jail_argv[0], jail_argv);
                perror("execvp");
                _exit(1);
@@ -742,9 +730,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -796,9 +781,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(attach_argv[0], attach_argv);
                perror("execvp");
                _exit(1);
@@ -828,9 +810,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
        if (jail == 0) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                if (firejail_argv[0])             // shut up llvm scan-build
                        execvp(firejail_argv[0], firejail_argv);
                perror("execvp");
@@ -859,9 +838,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                                }
                                // running without privileges - see drop_privs call above
                                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                                seccomp_install_filters();
-#endif
                                execvp(stop_argv[0], stop_argv);
                                perror("execvp");
                                _exit(1);
@@ -1028,9 +1004,6 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -1168,9 +1141,6 @@ void x11_xorg(void) {
 #ifdef HAVE_GCOV
                __gcov_flush();
 #endif
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 08ae5953d..8c18b2d14 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -492,10 +492,15 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
                                        fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
                        }
                        else if (callback != NULL) {
-                                if (error_nr != -1)
+                                if (error_nr != -1 && fd != 0) {
                                        filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
-                                else
+                                }
+                                else if (error_nr != -1 && fd == 0) {
+                                        callback(fd, syscall_nr, error_nr, ptrarg);
+                                }
+                                else {
                                        callback(fd, syscall_nr, arg, ptrarg);
+                                }
                        }
                }
                ptr = strtok_r(NULL, ",", &saveptr);
@@ -523,20 +528,34 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
        sl.syscall = syscall;
        syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl);
        // if found in the problem list, add to post-exec list
-        if (sl.found)
+        if (sl.found) {
                if (ptr->postlist) {
                        if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, syscall_find_nr(syscall)) == -1)
                                errExit("asprintf");
                }
                else
                        ptr->postlist = strdup(syscall_find_nr(syscall));
-        else // no problem, add to pre-exec list
+        }
+        else { // no problem, add to pre-exec list
+                // build syscall:error_no
+                char *newcall;
+                if (arg != 0) {
+                        if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1)
+                                errExit("asprintf");
+                }
+                else {
+                        newcall = strdup(syscall_find_nr(syscall));
+                        if (!newcall)
+                                errExit("strdup");
+                }
                if (ptr->prelist) {
-                        if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, syscall_find_nr(syscall)) == -1)
+                        if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1)
                                errExit("asprintf");
                }
                else
-                        ptr->prelist = strdup(syscall_find_nr(syscall));
+                        ptr->prelist = newcall;
+        }
 }
 // go through list and find matches for syscalls in list @default-keep
@@ -548,8 +567,16 @@ void syscalls_in_list(const char *list, const char *slist, int fd, char **prelis
        sl.prelist = NULL;
        sl.postlist = NULL;
        syscall_check_list(list, syscall_in_list, 0, 0, &sl);
-        if (!arg_quiet)
+        if (!arg_quiet) {
-                printf("list in: %s, check list: %s prelist: %s, postlist: %s\n", list, sl.slist, sl.prelist, sl.postlist);
+                printf("Seccomp list in: %s,", list);
+                if (sl.slist)
+                        printf(" check list: %s,", sl.slist);
+                if (sl.prelist)
+                        printf(" prelist: %s,", sl.prelist);
+                if (sl.postlist)
+                        printf(" postlist: %s", sl.postlist);
+                printf("\n");
+        }
        *prelist = sl.prelist;
        *postlist = sl.postlist;
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d1970c985..dd21951ec 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1573,7 +1573,7 @@ $, so for example $165 would be equal to mount on i386.
 .br
 System architecture is strictly imposed only if flag
-\-\-seccomp.block_secondary is used. The filter is applied at run time
+\-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
 and AMD64 both 32-bit and 64-bit filters are installed.
 .br