8 files changed, 75 insertions, 24 deletions

diff --git a/configure b/configure
index 460224ad2..5770c0729 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.36-rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.36-rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.36-rc1'
-PACKAGE_STRING='firejail 0.9.36-rc1'
+PACKAGE_VERSION='0.9.36-rc2'
+PACKAGE_STRING='firejail 0.9.36-rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://github.com/netblue30/firejail'
 
@@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.36-rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.36-rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1299,7 +1299,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.36-rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.36-rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1389,7 +1389,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.36-rc1
+firejail configure 0.9.36-rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.36-rc1, which was
+It was created by firejail $as_me 0.9.36-rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4107,7 +4107,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.36-rc1, which was
+This file was extended by firejail $as_me 0.9.36-rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4161,7 +4161,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.36-rc1
+firejail config.status 0.9.36-rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index d9f7ad22a..eec6481a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.36-rc1, netblue30@yahoo.com, , http://github.com/netblue30/firejail)
+AC_INIT(firejail, 0.9.36-rc2, netblue30@yahoo.com, , http://github.com/netblue30/firejail)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/firefox.profile b/etc/firefox.profile
index bc30b61d2..40ddd7920 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -24,3 +24,9 @@ whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 include /etc/firejail/whitelist-common.inc
+whitelist /tmp/.X11-unix
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index df0e92203..b82baf1ad 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -24,7 +24,8 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
-static void check_dir_or_file(const char *name) {
+// return 0 if file not found, 1 if found
+static int check_dir_or_file(const char *name) {
         assert(name);
         invalid_filename(name);
         
@@ -35,19 +36,20 @@ static void check_dir_or_file(const char *name) {
         if (arg_debug)
                 printf("Checking %s\n", fname);         
         if (stat(fname, &s) == -1) {
-                fprintf(stderr, "Error: file %s not found.\n", fname);
-                exit(1);
+                if (arg_debug)
+                        printf("Warning: file %s not found.\n", fname);
+                return 0;
         }
         
         // dir or regular file
         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) {
                 free(fname);
-                return;
+                return 1;
         }
 
         if (!is_link(fname)) {
                 free(fname);
-                return;
+                return 1;
         }
         
         fprintf(stderr, "Error: invalid file type, %s.\n", fname);
@@ -63,11 +65,23 @@ void fs_check_etc_list(void) {
         char *dlist = strdup(cfg.etc_private_keep);
         if (!dlist)
                 errExit("strdup");
+        
+        // build a new list only with the files found
+        char *newlist = malloc(strlen(cfg.etc_private_keep) + 1);
+        if (!newlist)
+                errExit("malloc");
+        *newlist = '\0';
 
         char *ptr = strtok(dlist, ",");
-        check_dir_or_file(ptr);
-        while ((ptr = strtok(NULL, ",")) != NULL)
-                check_dir_or_file(ptr);
+        if (check_dir_or_file(ptr))
+                strcat(newlist, ptr);
+        while ((ptr = strtok(NULL, ",")) != NULL) {
+                if (check_dir_or_file(ptr)) {
+                        strcat(newlist, ",");
+                        strcat(newlist, ptr);
+                }
+        }
+        cfg.etc_private_keep = newlist;
         
         free(dlist);
 }
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 55a1b9c7a..eec51c3f9 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -42,7 +42,7 @@ void fs_trace_preload(void) {
                         errExit("chown");
                 if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
                         errExit("chmod");
-                fs_logger("touch /etc/ls.so.preload");
+                fs_logger("touch /etc/ld.so.preload");
         }
 }
 
@@ -77,8 +77,8 @@ void fs_trace(void) {
         if (arg_debug)
                 printf("Mount the new ld.so.preload file\n");
         if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind ls.so.preload");
-        fs_logger("create /etc/ls.so.preload");
+                errExit("mount bind ld.so.preload");
+        fs_logger("create /etc/ld.so.preload");
 }
 
                 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aad0af3e4..75b90ae81 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -831,6 +831,10 @@ int main(int argc, char **argv) {
                         
                         // extract private home dirname
                         cfg.home_private = argv[i] + 10;
+                        if (*cfg.home_private == '\0') {
+                                fprintf(stderr, "Error: invalid private option\n");
+                                exit(1);
+                        }
                         fs_check_private_dir();
                         arg_private = 1;
                 }
@@ -842,6 +846,10 @@ int main(int argc, char **argv) {
                         
                         // extract private home dirname
                         cfg.home_private_keep = argv[i] + 15;
+                        if (*cfg.home_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-home option\n");
+                                exit(1);
+                        }
                         fs_check_home_list();
                         arg_private = 1;
                 }
@@ -851,12 +859,25 @@ int main(int argc, char **argv) {
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
                         // extract private etc dirname
                         cfg.etc_private_keep = argv[i] + 14;
+                        if (*cfg.etc_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-etc option\n");
+                                exit(1);
+                        }
                         fs_check_etc_list();
-                        arg_private_etc = 1;
+                        if (*cfg.etc_private_keep != '\0')
+                                arg_private_etc = 1;
+                        else {
+                                arg_private_etc = 0;
+                                fprintf(stderr, "Warning: private-etc disabled, no file found\n");
+                        }
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                         // extract private etc dirname
                         cfg.bin_private_keep = argv[i] + 14;
+                        if (*cfg.bin_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-bin option\n");
+                                exit(1);
+                        }
                         fs_check_bin_list();
                         arg_private_bin = 1;
                 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 366a56e13..244370b98 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -285,7 +285,13 @@ int profile_check_line(char *ptr, int lineno) {
         if (strncmp(ptr, "private-etc ", 12) == 0) {
                 cfg.etc_private_keep = ptr + 12;
                 fs_check_etc_list();
-                arg_private_etc = 1;
+                if (*cfg.etc_private_keep != '\0')
+                        arg_private_etc = 1;
+                else {
+                        arg_private_etc = 0;
+                        fprintf(stderr, "Warning: private-etc disabled, no file found\n");
+                }
+                
                 return 0;
         }
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 39f95a43a..4a1990382 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -380,8 +380,12 @@ int sandbox(void* sandbox_arg) {
         
         if (arg_private_dev)
                 fs_private_dev();
-        if (arg_private_etc)
+        if (arg_private_etc) {
                 fs_private_etc_list();
+                // create /etc/ld.so.preload file again
+                if (arg_trace || arg_tracelog)
+                        fs_trace_preload();
+        }
         if (arg_private_bin)
                 fs_private_bin_list();