22 files changed, 220 insertions, 32 deletions
diff --git a/README b/README
index f27a80a34..13c324a02 100644
--- a/README
+++ b/README
@@ -43,6 +43,9 @@ hamzadis (https://github.com/hamzadis)
        - added --overlay-named=name and --overlay-path=path    
 Gaman Gabriel (https://github.com/stelariusinfinitek)
        - inox profile
+greigdp (https://github.com/greigdp)
+        - fixed spotify profile
+        - added Slack profile
 Laurent Declercq (https://github.com/nuxwin)
        - fixed test for shell interpreter in chroots
 Franco (nextime) Lanza (https://github.com/nextime)
diff --git a/README.md b/README.md
index 04965a97a..13aeb51b0 100644
--- a/README.md
+++ b/README.md
@@ -57,19 +57,7 @@ TESTING: file
 TESTING: tar
 netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 3.1
 [...]
-cd test/apps-x11; ./apps-x11.sh | grep TESTING
-TESTING: xterm x11
-netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
-TESTING: firefox x11
-netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
-TESTING: chromium x11
-TESTING: transmission-gtk x11
-netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
-TESTING: icedove x11
-netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
-[...]
 `````
-"firemon --seccomp" and "firemon --caps" are misbehaving at the moment.
 ## Deprecated --user
@@ -230,5 +218,5 @@ Browsers: Palemoon
 ## New security profiles
 Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
-tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox
+tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack
diff --git a/RELNOTES b/RELNOTES
index 4e2ad9b6c..eec3117ed 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -25,7 +25,8 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less
  * new profiles: Atom Beta, Atom, jitsi, eom, uudeview
-  * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, inox
+  * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
+  * new profiles: inox, Slack, gnome-chess
 -- netblue30 <netblue30@yahoo.com>  Thu, 21 Jul 2016 08:00:00 -0500
 firejail (0.9.40) baseline; urgency=low
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index d18ee0287..ed6ee315b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -14,6 +14,7 @@ blacklist /etc/xdg/autostart
 blacklist ${HOME}/.kde4/Autostart
 blacklist ${HOME}/.kde4/share/autostart
 blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
 blacklist ${HOME}/.config/plasma-workspace/shutdown
 blacklist ${HOME}/.config/plasma-workspace/env
 blacklist ${HOME}/.config/lxsession/LXDE/autostart
@@ -168,3 +169,5 @@ blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
+blacklist ${PATH}/konsole
+blacklist ${PATH}/yakuake
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 140417b01..26d9cf22b 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -78,6 +78,10 @@ blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.config/gajim
 # Games
 blacklist ${HOME}/.hedgewars
diff --git a/etc/gajim.profile b/etc/gajim.profile
new file mode 100644
index 000000000..04902a734
--- /dev/null
+++ b/etc/gajim.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Gajim
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.local/share/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/Downloads
+# Allow the local python 2.7 site packages, in case any plugins are using these
+mkdir ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.local/lib/python2.7/site-packages/
+read-only ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/Downloads
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin python2.7 gajim
+private-dev
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 1caea177d..1b0fc9807 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -5,10 +5,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
 shell none
 private-bin gnome-mplayer
+private-dev
+private-tmp
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index a8378a66e..353ecceae 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -15,10 +15,11 @@ nonewprivs
 nogroups
 noroot
 nosound
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 private-bin gpredict
 private-dev
+private-tmp
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 3c02576aa..e043c7229 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix
@@ -19,3 +19,4 @@ tracelog
 private-bin gthumb
 whitelist /tmp/.X11-unix
 private-dev
+private-tmp
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index c5d863bd5..7910b7eb0 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -7,12 +7,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+nogroups
 nonewprivs
 noroot
-private-dev
 seccomp
 tracelog
+private-dev
+private-tmp
 mkdir     ~/.hedgewars
 whitelist ~/.hedgewars
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 0d7ee6594..0ff64aef5 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -7,9 +7,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+netfilter
+nogroups
 nonewprivs
 noroot
-netfilter
+nosound
 protocol unix,inet,inet6
 seccomp
@@ -18,3 +20,5 @@ whitelist ~/.config/hexchat
 include /etc/firejail/whitelist-common.inc
 # private-bin requires perl, python, etc.
+private-dev
+private-tmp
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 25d426ad2..2f8e2df7f 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,2 +1,51 @@
 # Firejail profile for GNU Icecat
-include /etc/firejail/firefox.profile
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/icecat
+whitelist ~/.cache/mozilla/icecat
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 8baf1ad94..c61158f8b 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -14,3 +14,4 @@ seccomp
 shell none
 tracelog
+private-tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 44a53e258..8c8fd18c4 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -9,7 +9,11 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 nonewprivs
+nogroups
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog
+private-dev
+private-tmp
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 190061618..e9546fd1b 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -7,6 +7,9 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nogroups
 noroot
 seccomp
 protocol unix,inet,inet6
+private-tmp
diff --git a/etc/slack.profile b/etc/slack.profile
new file mode 100644
index 000000000..ea7b715f9
--- /dev/null
+++ b/etc/slack.profile
@@ -0,0 +1,27 @@
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+mkdir ${HOME}/.config
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ~/Downloads
+protocol unix,inet,inet6,netlink
+private-dev
+private-tmp
+private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+name slack
+blacklist /var
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+seccomp
+netfilter
+nonewprivs
+nogroups
+noroot
+shell none
+private-bin slack
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 6bcb99e0f..73d427db3 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -27,5 +27,5 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-private-bin spotify
+#private-bin spotify
 private-dev
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 2317133c5..abbb4a9fc 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,8 +20,11 @@ whitelist ~/.cache/fontconfig
 # gtk
 whitelist ~/.gtkrc
 whitelist ~/.gtkrc-2.0
+whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
 whitelist ~/.themes
+whitelist ~/.kde/share/config/gtkrc
+whitelist ~/.kde/share/config/gtkrc-2.0
 # dconf
 mkdir ~/.config/dconf
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 59f0b35e7..fb19a135f 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -106,6 +106,7 @@
 /etc/firejail/server.profile
 /etc/firejail/skype.profile
 /etc/firejail/skypeforlinux.profile
+/etc/firejail/slack.profile
 /etc/firejail/snap.profile
 /etc/firejail/soffice.profile
 /etc/firejail/spotify.profile
diff --git a/src/include/common.h b/src/include/common.h
index cd4b9c874..762a0262a 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -113,4 +113,5 @@ int join_namespace(pid_t pid, char *type);
 int name2pid(const char *name, pid_t *pid);
 char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
+int pid_proc_cmdline_x11(const pid_t pid);
 #endif
diff --git a/src/lib/common.c b/src/lib/common.c
index 8ea926df1..fe5c62536 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -199,3 +199,63 @@ char *pid_proc_cmdline(const pid_t pid) {
        }
        return rv;
 }
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11(const pid_t pid) {
+        // if comm is not firejail return 0
+        char *comm = pid_proc_comm(pid);
+        if (strcmp(comm, "firejail") != 0) {
+                free(comm);
+                return 0;
+        }
+        free(comm);
+        // open /proc/pid/cmdline file
+        char *fname;
+        int fd;
+        if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+                return 0;
+        if ((fd = open(fname, O_RDONLY)) < 0) {
+                free(fname);
+                return 0;
+        }
+        free(fname);
+        // read file
+        unsigned char buffer[BUFLEN];
+        ssize_t len;
+        if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+                close(fd);
+                return 0;
+        }
+        buffer[len] = '\0';
+        close(fd);
+        // skip the first argument
+        int i;
+        for (i = 0; buffer[i] != '\0'; i++);
+        // parse remaining command line options
+        while (1) {
+                // extract argument
+                i++;
+                if (i >= len)
+                        break;
+                char *arg = buffer + i;
+                // detect the last command line option
+                if (strcmp(arg, "--") == 0)
+                        break;
+                if (strncmp(arg, "--", 2) != 0)
+                        break;
+                        
+                // check x11
+                if (strncmp(arg, "--x11", 5) == 0)
+                        return 1;
+                i += strlen(arg);
+        }
+        return 0;
+}
diff --git a/src/lib/pid.c b/src/lib/pid.c
index d1ade389e..bbb123b81 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -340,18 +340,12 @@ void pid_read(pid_t mon_pid) {
                                        exit(1);
                                }
-                                if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {
+                                if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
-                                        pids[pid].level = 1;
+                                        if (pid_proc_cmdline_x11(pid))
+                                                pids[pid].level = -1;
+                                        else
+                                                pids[pid].level = 1;
                                }
-                                else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
-                                        pids[pid].level = 1;
-                                }
-//                              else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
-//                              else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
                                else
                                        pids[pid].level = -1;
                        }

diff --git a/README b/README index f27a80a34..13c324a02 100644 --- a/README +++ b/README
@@ -43,6 +43,9 @@ hamzadis (https://github.com/hamzadis)
43	- added --overlay-named=name and --overlay-path=path	43	- added --overlay-named=name and --overlay-path=path
44	Gaman Gabriel (https://github.com/stelariusinfinitek)	44	Gaman Gabriel (https://github.com/stelariusinfinitek)
45	- inox profile	45	- inox profile
		46	greigdp (https://github.com/greigdp)
		47	- fixed spotify profile
		48	- added Slack profile
46	Laurent Declercq (https://github.com/nuxwin)	49	Laurent Declercq (https://github.com/nuxwin)
47	- fixed test for shell interpreter in chroots	50	- fixed test for shell interpreter in chroots
48	Franco (nextime) Lanza (https://github.com/nextime)	51	Franco (nextime) Lanza (https://github.com/nextime)


diff --git a/README.md b/README.md index 04965a97a..13aeb51b0 100644 --- a/README.md +++ b/README.md
@@ -57,19 +57,7 @@ TESTING: file
57	TESTING: tar	57	TESTING: tar
58	netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 3.1	58	netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 3.1
59	[...]	59	[...]
60	cd test/apps-x11; ./apps-x11.sh \| grep TESTING
61	TESTING: xterm x11
62	netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
63	TESTING: firefox x11
64	netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
65	TESTING: chromium x11
66	TESTING: transmission-gtk x11
67	netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
68	TESTING: icedove x11
69	netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1
70	[...]
71	`````	60	`````
72	"firemon --seccomp" and "firemon --caps" are misbehaving at the moment.
73		61
74	## Deprecated --user	62	## Deprecated --user
75		63
@@ -230,5 +218,5 @@ Browsers: Palemoon
230	## New security profiles	218	## New security profiles
231		219
232	Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview	220	Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
233	tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox	221	tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack
234		222


diff --git a/RELNOTES b/RELNOTES index 4e2ad9b6c..eec3117ed 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -25,7 +25,8 @@ firejail (0.9.42~rc2) baseline; urgency=low
25	* new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice	25	* new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
26	* new profiles: pix, audacity, xz, xzdec, gzip, cpio, less	26	* new profiles: pix, audacity, xz, xzdec, gzip, cpio, less
27	* new profiles: Atom Beta, Atom, jitsi, eom, uudeview	27	* new profiles: Atom Beta, Atom, jitsi, eom, uudeview
28	* new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, inox	28	* new profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
		29	* new profiles: inox, Slack, gnome-chess
29	-- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500	30	-- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500
30		31
31	firejail (0.9.40) baseline; urgency=low	32	firejail (0.9.40) baseline; urgency=low


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index d18ee0287..ed6ee315b 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -14,6 +14,7 @@ blacklist /etc/xdg/autostart
14	blacklist ${HOME}/.kde4/Autostart	14	blacklist ${HOME}/.kde4/Autostart
15	blacklist ${HOME}/.kde4/share/autostart	15	blacklist ${HOME}/.kde4/share/autostart
16	blacklist ${HOME}/.kde/Autostart	16	blacklist ${HOME}/.kde/Autostart
		17	blacklist ${HOME}/.kde/share/autostart
17	blacklist ${HOME}/.config/plasma-workspace/shutdown	18	blacklist ${HOME}/.config/plasma-workspace/shutdown
18	blacklist ${HOME}/.config/plasma-workspace/env	19	blacklist ${HOME}/.config/plasma-workspace/env
19	blacklist ${HOME}/.config/lxsession/LXDE/autostart	20	blacklist ${HOME}/.config/lxsession/LXDE/autostart
@@ -168,3 +169,5 @@ blacklist ${PATH}/roxterm-config
168	blacklist ${PATH}/terminix	169	blacklist ${PATH}/terminix
169	blacklist ${PATH}/urxvtc	170	blacklist ${PATH}/urxvtc
170	blacklist ${PATH}/urxvtcd	171	blacklist ${PATH}/urxvtcd
		172	blacklist ${PATH}/konsole
		173	blacklist ${PATH}/yakuake


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 140417b01..26d9cf22b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -78,6 +78,10 @@ blacklist ${HOME}/.TelegramDesktop
78	blacklist ${HOME}/.config/Gitter	78	blacklist ${HOME}/.config/Gitter
79	blacklist ${HOME}/.config/Franz	79	blacklist ${HOME}/.config/Franz
80	blacklist ${HOME}/.jitsi	80	blacklist ${HOME}/.jitsi
		81	blacklist ${HOME}/.config/Slack
		82	blacklist ${HOME}/.cache/gajim
		83	blacklist ${HOME}/.local/share/gajim
		84	blacklist ${HOME}/.config/gajim
81		85
82	# Games	86	# Games
83	blacklist ${HOME}/.hedgewars	87	blacklist ${HOME}/.hedgewars


diff --git a/etc/gajim.profile b/etc/gajim.profile new file mode 100644 index 000000000..04902a734 --- /dev/null +++ b/etc/gajim.profile
@@ -0,0 +1,33 @@
		1	# Firejail profile for Gajim
		2
		3	mkdir ${HOME}/.cache/gajim
		4	mkdir ${HOME}/.local/share/gajim
		5	mkdir ${HOME}/.config/gajim
		6	mkdir ${HOME}/Downloads
		7
		8	# Allow the local python 2.7 site packages, in case any plugins are using these
		9	mkdir ${HOME}/.local/lib/python2.7/site-packages/
		10	whitelist ${HOME}/.local/lib/python2.7/site-packages/
		11	read-only ${HOME}/.local/lib/python2.7/site-packages/
		12
		13	whitelist ${HOME}/.cache/gajim
		14	whitelist ${HOME}/.local/share/gajim
		15	whitelist ${HOME}/.config/gajim
		16	whitelist ${HOME}/Downloads
		17
		18	include /etc/firejail/disable-common.inc
		19	include /etc/firejail/disable-passwdmgr.inc
		20	include /etc/firejail/disable-programs.inc
		21	include /etc/firejail/disable-devel.inc
		22
		23	caps.drop all
		24	netfilter
		25	nonewprivs
		26	nogroups
		27	noroot
		28	protocol unix,inet,inet6
		29	seccomp
		30	shell none
		31
		32	#private-bin python2.7 gajim
		33	private-dev


diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 1caea177d..1b0fc9807 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile
@@ -5,10 +5,13 @@ include /etc/firejail/disable-devel.inc
5	include /etc/firejail/disable-passwdmgr.inc	5	include /etc/firejail/disable-passwdmgr.inc
6		6
7	caps.drop all	7	caps.drop all
		8	nogroups
8	nonewprivs	9	nonewprivs
9	noroot	10	noroot
10	protocol unix,inet,inet6	11	protocol unix,inet,inet6
11	seccomp	12	seccomp
12
13	shell none	13	shell none
		14
14	private-bin gnome-mplayer	15	private-bin gnome-mplayer
		16	private-dev
		17	private-tmp


diff --git a/etc/gpredict.profile b/etc/gpredict.profile index a8378a66e..353ecceae 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile
@@ -15,10 +15,11 @@ nonewprivs
15	nogroups	15	nogroups
16	noroot	16	noroot
17	nosound	17	nosound
18	protocol unix,inet,inet6,netlink	18	protocol unix,inet,inet6
19	seccomp	19	seccomp
20	shell none	20	shell none
21	tracelog	21	tracelog
22		22
23	private-bin gpredict	23	private-bin gpredict
24	private-dev	24	private-dev
		25	private-tmp


diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 3c02576aa..e043c7229 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile
@@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc
7	include /etc/firejail/disable-passwdmgr.inc	7	include /etc/firejail/disable-passwdmgr.inc
8		8
9	caps.drop all	9	caps.drop all
10	nonewprivs
11	nogroups	10	nogroups
		11	nonewprivs
12	noroot	12	noroot
13	nosound	13	nosound
14	protocol unix	14	protocol unix
@@ -19,3 +19,4 @@ tracelog
19	private-bin gthumb	19	private-bin gthumb
20	whitelist /tmp/.X11-unix	20	whitelist /tmp/.X11-unix
21	private-dev	21	private-dev
		22	private-tmp


diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index c5d863bd5..7910b7eb0 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile
@@ -7,12 +7,16 @@ include /etc/firejail/disable-devel.inc
7	include /etc/firejail/disable-passwdmgr.inc	7	include /etc/firejail/disable-passwdmgr.inc
8		8
9	caps.drop all	9	caps.drop all
		10	netfilter
		11	nogroups
10	nonewprivs	12	nonewprivs
11	noroot	13	noroot
12	private-dev
13	seccomp	14	seccomp
14	tracelog	15	tracelog
15		16
		17	private-dev
		18	private-tmp
		19
16	mkdir ~/.hedgewars	20	mkdir ~/.hedgewars
17	whitelist ~/.hedgewars	21	whitelist ~/.hedgewars
18	include /etc/firejail/whitelist-common.inc	22	include /etc/firejail/whitelist-common.inc


diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 0d7ee6594..0ff64aef5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile
@@ -7,9 +7,11 @@ include /etc/firejail/disable-programs.inc
7	include /etc/firejail/disable-devel.inc	7	include /etc/firejail/disable-devel.inc
8		8
9	caps.drop all	9	caps.drop all
		10	netfilter
		11	nogroups
10	nonewprivs	12	nonewprivs
11	noroot	13	noroot
12	netfilter	14	nosound
13	protocol unix,inet,inet6	15	protocol unix,inet,inet6
14	seccomp	16	seccomp
15		17
@@ -18,3 +20,5 @@ whitelist ~/.config/hexchat
18	include /etc/firejail/whitelist-common.inc	20	include /etc/firejail/whitelist-common.inc
19		21
20	# private-bin requires perl, python, etc.	22	# private-bin requires perl, python, etc.
		23	private-dev
		24	private-tmp


diff --git a/etc/icecat.profile b/etc/icecat.profile index 25d426ad2..2f8e2df7f 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile
@@ -1,2 +1,51 @@
1	# Firejail profile for GNU Icecat	1	# Firejail profile for GNU Icecat
2	include /etc/firejail/firefox.profile	2
		3	noblacklist ~/.mozilla
		4	noblacklist ~/.cache/mozilla
		5	include /etc/firejail/disable-common.inc
		6	include /etc/firejail/disable-programs.inc
		7	include /etc/firejail/disable-devel.inc
		8
		9	caps.drop all
		10	netfilter
		11	nonewprivs
		12	noroot
		13	protocol unix,inet,inet6,netlink
		14	seccomp
		15	tracelog
		16
		17	whitelist ${DOWNLOADS}
		18	mkdir ~/.mozilla
		19	whitelist ~/.mozilla
		20	mkdir ~/.cache/mozilla/icecat
		21	whitelist ~/.cache/mozilla/icecat
		22	whitelist ~/dwhelper
		23	whitelist ~/.zotero
		24	whitelist ~/.vimperatorrc
		25	whitelist ~/.vimperator
		26	whitelist ~/.pentadactylrc
		27	whitelist ~/.pentadactyl
		28	whitelist ~/.keysnail.js
		29	whitelist ~/.config/gnome-mplayer
		30	whitelist ~/.cache/gnome-mplayer/plugin
		31	whitelist ~/.pki
		32
		33	# lastpass, keepassx
		34	whitelist ~/.keepassx
		35	whitelist ~/.config/keepassx
		36	whitelist ~/keepassx.kdbx
		37	whitelist ~/.lastpass
		38	whitelist ~/.config/lastpass
		39
		40
		41	#silverlight
		42	whitelist ~/.wine-pipelight
		43	whitelist ~/.wine-pipelight64
		44	whitelist ~/.config/pipelight-widevine
		45	whitelist ~/.config/pipelight-silverlight5.1
		46
		47	include /etc/firejail/whitelist-common.inc
		48
		49	# experimental features
		50	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
		51


diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 8baf1ad94..c61158f8b 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile
@@ -14,3 +14,4 @@ seccomp
14	shell none	14	shell none
15	tracelog	15	tracelog
16		16
		17	private-tmp


diff --git a/etc/kmail.profile b/etc/kmail.profile index 44a53e258..8c8fd18c4 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile
@@ -9,7 +9,11 @@ include /etc/firejail/disable-passwdmgr.inc
9	caps.drop all	9	caps.drop all
10	netfilter	10	netfilter
11	nonewprivs	11	nonewprivs
		12	nogroups
12	noroot	13	noroot
13	protocol unix,inet,inet6,netlink	14	protocol unix,inet,inet6,netlink
14	seccomp	15	seccomp
15	tracelog	16	tracelog
		17
		18	private-dev
		19	private-tmp


diff --git a/etc/konversation.profile b/etc/konversation.profile index 190061618..e9546fd1b 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile
@@ -7,6 +7,9 @@ include /etc/firejail/disable-passwdmgr.inc
7		7
8	caps.drop all	8	caps.drop all
9	netfilter	9	netfilter
		10	nogroups
10	noroot	11	noroot
11	seccomp	12	seccomp
12	protocol unix,inet,inet6	13	protocol unix,inet,inet6
		14
		15	private-tmp


diff --git a/etc/slack.profile b/etc/slack.profile new file mode 100644 index 000000000..ea7b715f9 --- /dev/null +++ b/etc/slack.profile
@@ -0,0 +1,27 @@
		1	include /etc/firejail/disable-common.inc
		2	include /etc/firejail/disable-programs.inc
		3	include /etc/firejail/disable-devel.inc
		4	include /etc/firejail/disable-passwdmgr.inc
		5
		6	mkdir ${HOME}/.config
		7	mkdir ${HOME}/.config/Slack
		8	whitelist ${HOME}/.config/Slack
		9	whitelist ~/Downloads
		10
		11	protocol unix,inet,inet6,netlink
		12	private-dev
		13	private-tmp
		14	private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
		15	name slack
		16	blacklist /var
		17
		18	include /etc/firejail/whitelist-common.inc
		19
		20	caps.drop all
		21	seccomp
		22	netfilter
		23	nonewprivs
		24	nogroups
		25	noroot
		26	shell none
		27	private-bin slack


diff --git a/etc/spotify.profile b/etc/spotify.profile index 6bcb99e0f..73d427db3 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile
@@ -27,5 +27,5 @@ protocol unix,inet,inet6,netlink
27	seccomp	27	seccomp
28	shell none	28	shell none
29		29
30	private-bin spotify	30	#private-bin spotify
31	private-dev	31	private-dev


diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 2317133c5..abbb4a9fc 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc
@@ -20,8 +20,11 @@ whitelist ~/.cache/fontconfig
20	# gtk	20	# gtk
21	whitelist ~/.gtkrc	21	whitelist ~/.gtkrc
22	whitelist ~/.gtkrc-2.0	22	whitelist ~/.gtkrc-2.0
		23	whitelist ~/.config/gtk-2.0
23	whitelist ~/.config/gtk-3.0	24	whitelist ~/.config/gtk-3.0
24	whitelist ~/.themes	25	whitelist ~/.themes
		26	whitelist ~/.kde/share/config/gtkrc
		27	whitelist ~/.kde/share/config/gtkrc-2.0
25		28
26	# dconf	29	# dconf
27	mkdir ~/.config/dconf	30	mkdir ~/.config/dconf


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 59f0b35e7..fb19a135f 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -106,6 +106,7 @@
106	/etc/firejail/server.profile	106	/etc/firejail/server.profile
107	/etc/firejail/skype.profile	107	/etc/firejail/skype.profile
108	/etc/firejail/skypeforlinux.profile	108	/etc/firejail/skypeforlinux.profile
		109	/etc/firejail/slack.profile
109	/etc/firejail/snap.profile	110	/etc/firejail/snap.profile
110	/etc/firejail/soffice.profile	111	/etc/firejail/soffice.profile
111	/etc/firejail/spotify.profile	112	/etc/firejail/spotify.profile


diff --git a/src/include/common.h b/src/include/common.h index cd4b9c874..762a0262a 100644 --- a/src/include/common.h +++ b/src/include/common.h
@@ -113,4 +113,5 @@ int join_namespace(pid_t pid, char *type);
113	int name2pid(const char name, pid_t pid);	113	int name2pid(const char name, pid_t pid);
114	char *pid_proc_comm(const pid_t pid);	114	char *pid_proc_comm(const pid_t pid);
115	char *pid_proc_cmdline(const pid_t pid);	115	char *pid_proc_cmdline(const pid_t pid);
		116	int pid_proc_cmdline_x11(const pid_t pid);
116	#endif	117	#endif


diff --git a/src/lib/common.c b/src/lib/common.c index 8ea926df1..fe5c62536 100644 --- a/src/lib/common.c +++ b/src/lib/common.c
@@ -199,3 +199,63 @@ char *pid_proc_cmdline(const pid_t pid) {
199	}	199	}
200	return rv;	200	return rv;
201	}	201	}
		202
		203	// return 1 if firejail --x11 on command line
		204	int pid_proc_cmdline_x11(const pid_t pid) {
		205	// if comm is not firejail return 0
		206	char *comm = pid_proc_comm(pid);
		207	if (strcmp(comm, "firejail") != 0) {
		208	free(comm);
		209	return 0;
		210	}
		211	free(comm);
		212
		213	// open /proc/pid/cmdline file
		214	char *fname;
		215	int fd;
		216	if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
		217	return 0;
		218	if ((fd = open(fname, O_RDONLY)) < 0) {
		219	free(fname);
		220	return 0;
		221	}
		222	free(fname);
		223
		224	// read file
		225	unsigned char buffer[BUFLEN];
		226	ssize_t len;
		227	if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
		228	close(fd);
		229	return 0;
		230	}
		231	buffer[len] = '\0';
		232	close(fd);
		233
		234	// skip the first argument
		235	int i;
		236	for (i = 0; buffer[i] != '\0'; i++);
		237
		238	// parse remaining command line options
		239	while (1) {
		240	// extract argument
		241	i++;
		242	if (i >= len)
		243	break;
		244	char *arg = buffer + i;
		245
		246	// detect the last command line option
		247	if (strcmp(arg, "--") == 0)
		248	break;
		249	if (strncmp(arg, "--", 2) != 0)
		250	break;
		251
		252	// check x11
		253	if (strncmp(arg, "--x11", 5) == 0)
		254	return 1;
		255	i += strlen(arg);
		256	}
		257	return 0;
		258	}
		259
		260
		261


diff --git a/src/lib/pid.c b/src/lib/pid.c index d1ade389e..bbb123b81 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c
@@ -340,18 +340,12 @@ void pid_read(pid_t mon_pid) {
340	exit(1);	340	exit(1);
341	}	341	}
342		342
343	if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {	343	if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 \|\| mon_pid == pid)) {
344	pids[pid].level = 1;	344	if (pid_proc_cmdline_x11(pid))
		345	pids[pid].level = -1;
		346	else
		347	pids[pid].level = 1;
345	}	348	}
346	else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
347	pids[pid].level = 1;
348	}
349	// else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
350	// pids[pid].level = 1;
351	// }
352	// else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
353	// pids[pid].level = 1;
354	// }
355	else	349	else
356	pids[pid].level = -1;	350	pids[pid].level = -1;
357	}	351	}