8 files changed, 188 insertions, 36 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 214f39923..71cb7f0b4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,3 +47,9 @@ jobs:
      run: sudo apt-get install cppcheck
    - name: cppcheck
      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+  profile-sort:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}
diff --git a/README b/README
index 330e2c60d..9bb98b2bf 100644
--- a/README
+++ b/README
@@ -525,6 +525,7 @@ KOLANICH (https://github.com/KOLANICH)
        - fix meld
 kortewegdevries (https://github.com/kortewegdevries)
        - a whole bunch of new profiles and fixes
+        - whitelisting evolution, kmail
 Kristóf Marussy (https://github.com/kris7t)
        - dns support
 Kunal Mehta (https://github.com/legoktm)
diff --git a/README.md b/README.md
index 6bc24cfbb..5259bb1b1 100644
--- a/README.md
+++ b/README.md
@@ -158,36 +158,42 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.65
+Milestone page: https://github.com/netblue30/firejail/milestone/1
+Release discussion: https://github.com/netblue30/firejail/issues/3696
 ### Profile Statistics
 A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
 `````
+$ sudo cp src/prfostats/profstats /etc/firejail/.
+$ cd /etc/firejail
 $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 Stats:
-    profiles                    1029
+    profiles                    1031
-    include local profile       1029   (include profile-name.local)
+    include local profile       1031   (include profile-name.local)
-    include globals             1029   (include globals.local)
+    include globals             1031   (include globals.local)
-    blacklist ~/.ssh            1005   (include disable-common.inc)
+    blacklist ~/.ssh            1007   (include disable-common.inc)
-    seccomp                     975
+    seccomp                     976
-    capabilities                1028
+    capabilities                1030
-    noexec                      899   (include disable-exec.inc)
+    noexec                      901   (include disable-exec.inc)
-    memory-deny-write-execute   220
+    memory-deny-write-execute   221
-    apparmor                    549
+    apparmor                    555
-    private-bin                 542
+    private-bin                 544
    private-dev                 897
-    private-etc                 431
+    private-etc                 435
-    private-tmp                 784
+    private-tmp                 785
-    whitelist home directory    469
+    whitelist home directory    474
-    whitelist var               695   (include whitelist-var-common.inc)
+    whitelist var               699   (include whitelist-var-common.inc)
-    whitelist run/user          334   (include whitelist-runuser-common.inc
+    whitelist run/user          336   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         354   (include whitelist-usr-share-common.inc
+    whitelist usr/share         359   (include whitelist-usr-share-common.inc
-    net none                    332
+    net none                    333
    dbus-user none              523
-    dbus-system none            627
+    dbus-system none            632
-`````
 ### New profiles:
diff --git a/RELNOTES b/RELNOTES
index f38b42c4b..d9036898f 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,6 @@
+firejail (0.9.65) baseline; urgency=low
+  * allow --tmpfs inside $HOME for unprivileged users
 firejail (0.9.64) baseline; urgency=low
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 422200ffe..1355c4337 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +23,42 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +70,27 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
+# private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index ab4ff10b9..8d99da3cf 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+# dbus-user none
+dbus-system none
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+\ No newline at end of file
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 2000ffc62..2f2bfdc79 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -366,6 +366,14 @@ void fs_blacklist(void) {
                else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
                        ptr = entry->data + 6;
                        op = MOUNT_TMPFS;
+                        char *resolved_path = realpath(ptr, NULL);
+                        if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) {
+                                if (getuid() != 0) {
+                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+                                        exit(1);
+                                }
+                        }
+                        free(resolved_path);
                }
                else if (strncmp(entry->data, "mkdir ", 6) == 0) {
                        EUID_USER();
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5d83e6a73..869183e2f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1412,11 +1412,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // filesystem bind
        if (strncmp(ptr, "bind ", 5) == 0) {
                if (checkcfg(CFG_BIND)) {
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: --bind option is available only if running as root\n");
-                                exit(1);
-                        }
                        // extract two directories
                        char *dname1 = ptr + 5;
                        char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
@@ -1432,6 +1427,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                fprintf(stderr, "Error: invalid file name.\n");
                                exit(1);
                        }
+                        if (getuid() != 0) {
+                                char *resolved_path1 = realpath(dname1, NULL);
+                                char *resolved_path2 = realpath(dname2, NULL);
+                                assert(resolved_path1 && resolved_path2);
+                                        if (strncmp(cfg.homedir, resolved_path1, strlen(cfg.homedir)) != 0
+                                        || strncmp(cfg.homedir, resolved_path2, strlen(cfg.homedir)) != 0) {
+                                                fprintf(stderr, "Error: bind outside $HOME is only available for root\n");
+                                                exit(1);
+                                        }
+                                free(resolved_path1);
+                                free(resolved_path2);
+                        }
                        if (is_link(dname1) || is_link(dname2)) {
                                fprintf(stderr, "Symbolic links are not allowed for bind command\n");
                                exit(1);
@@ -1563,10 +1570,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        else if (strncmp(ptr, "noexec ", 7) == 0)
                ptr += 7;
        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
-                        exit(1);
-                }
                ptr += 6;
        }
        else {

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 214f39923..71cb7f0b4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml
@@ -47,3 +47,9 @@ jobs:
47	run: sudo apt-get install cppcheck	47	run: sudo apt-get install cppcheck
48	- name: cppcheck	48	- name: cppcheck
49	run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .	49	run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
		50	profile-sort:
		51	runs-on: ubuntu-20.04
		52	steps:
		53	- uses: actions/checkout@v2
		54	- name: check profiles
		55	run: ./contrib/sort.py etc//{.inc,.net,.profile}


diff --git a/README b/README index 330e2c60d..9bb98b2bf 100644 --- a/README +++ b/README
@@ -525,6 +525,7 @@ KOLANICH (https://github.com/KOLANICH)
525	- fix meld	525	- fix meld
526	kortewegdevries (https://github.com/kortewegdevries)	526	kortewegdevries (https://github.com/kortewegdevries)
527	- a whole bunch of new profiles and fixes	527	- a whole bunch of new profiles and fixes
		528	- whitelisting evolution, kmail
528	Kristóf Marussy (https://github.com/kris7t)	529	Kristóf Marussy (https://github.com/kris7t)
529	- dns support	530	- dns support
530	Kunal Mehta (https://github.com/legoktm)	531	Kunal Mehta (https://github.com/legoktm)


diff --git a/README.md b/README.md index 6bc24cfbb..5259bb1b1 100644 --- a/README.md +++ b/README.md
@@ -158,36 +158,42 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
158		158
159	## Current development version: 0.9.65	159	## Current development version: 0.9.65
160		160
		161	Milestone page: https://github.com/netblue30/firejail/milestone/1
		162	Release discussion: https://github.com/netblue30/firejail/issues/3696
		163
		164
		165
161	### Profile Statistics	166	### Profile Statistics
162		167
163	A small tool to print profile statistics. Compile as usual and run in /etc/profiles:	168	A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
164	`````	169	`````
		170	$ sudo cp src/prfostats/profstats /etc/firejail/.
		171	$ cd /etc/firejail
165	$ ./profstats *.profile	172	$ ./profstats *.profile
166	Warning: multiple caps in transmission-daemon.profile	173	Warning: multiple caps in transmission-daemon.profile
167		174
168	Stats:	175	Stats:
169	profiles 1029	176	profiles 1031
170	include local profile 1029 (include profile-name.local)	177	include local profile 1031 (include profile-name.local)
171	include globals 1029 (include globals.local)	178	include globals 1031 (include globals.local)
172	blacklist ~/.ssh 1005 (include disable-common.inc)	179	blacklist ~/.ssh 1007 (include disable-common.inc)
173	seccomp 975	180	seccomp 976
174	capabilities 1028	181	capabilities 1030
175	noexec 899 (include disable-exec.inc)	182	noexec 901 (include disable-exec.inc)
176	memory-deny-write-execute 220	183	memory-deny-write-execute 221
177	apparmor 549	184	apparmor 555
178	private-bin 542	185	private-bin 544
179	private-dev 897	186	private-dev 897
180	private-etc 431	187	private-etc 435
181	private-tmp 784	188	private-tmp 785
182	whitelist home directory 469	189	whitelist home directory 474
183	whitelist var 695 (include whitelist-var-common.inc)	190	whitelist var 699 (include whitelist-var-common.inc)
184	whitelist run/user 334 (include whitelist-runuser-common.inc	191	whitelist run/user 336 (include whitelist-runuser-common.inc
185	or blacklist ${RUNUSER})	192	or blacklist ${RUNUSER})
186	whitelist usr/share 354 (include whitelist-usr-share-common.inc	193	whitelist usr/share 359 (include whitelist-usr-share-common.inc
187	net none 332	194	net none 333
188	dbus-user none 523	195	dbus-user none 523
189	dbus-system none 627	196	dbus-system none 632
190	`````
191		197
192	### New profiles:	198	### New profiles:
193		199


diff --git a/RELNOTES b/RELNOTES index f38b42c4b..d9036898f 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,3 +1,6 @@
		1	firejail (0.9.65) baseline; urgency=low
		2	* allow --tmpfs inside $HOME for unprivileged users
		3
1	firejail (0.9.64) baseline; urgency=low	4	firejail (0.9.64) baseline; urgency=low
2	* replaced --nowrap option with --wrap in firemon	5	* replaced --nowrap option with --wrap in firemon
3	* The blocking action of seccomp filters has been changed from	6	* The blocking action of seccomp filters has been changed from


diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 422200ffe..1355c4337 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist /var/mail
10	noblacklist /var/spool/mail
11	noblacklist ${HOME}/.bogofilter	9	noblacklist ${HOME}/.bogofilter
		10	noblacklist ${HOME}/.gnupg
		11	noblacklist ${HOME}/.mozilla
		12	noblacklist ${HOME}/.pki
12	noblacklist ${HOME}/.cache/evolution	13	noblacklist ${HOME}/.cache/evolution
13	noblacklist ${HOME}/.config/evolution	14	noblacklist ${HOME}/.config/evolution
14	noblacklist ${HOME}/.gnupg
15	noblacklist ${HOME}/.local/share/evolution	15	noblacklist ${HOME}/.local/share/evolution
16	noblacklist ${HOME}/.pki
17	noblacklist ${HOME}/.local/share/pki	16	noblacklist ${HOME}/.local/share/pki
		17	noblacklist /var/mail
		18	noblacklist /var/spool/mail
18		19
19	include disable-common.inc	20	include disable-common.inc
20	include disable-devel.inc	21	include disable-devel.inc
@@ -22,13 +23,42 @@ include disable-exec.inc
22	include disable-interpreters.inc	23	include disable-interpreters.inc
23	include disable-passwdmgr.inc	24	include disable-passwdmgr.inc
24	include disable-programs.inc	25	include disable-programs.inc
		26	include disable-shell.inc
		27	include disable-xdg.inc
25		28
		29	mkdir ${HOME}/.bogofilter
		30	mkdir ${HOME}/.gnupg
		31	mkdir ${HOME}/.pki
		32	mkdir ${HOME}/.cache/evolution
		33	mkdir ${HOME}/.config/evolution
		34	mkdir ${HOME}/.local/share/evolution
		35	mkdir ${HOME}/.local/share/pki
		36	whitelist ${HOME}/.bogofilter
		37	whitelist ${HOME}/.gnupg
		38	whitelist ${HOME}/.mozilla/firefox/profiles.ini
		39	whitelist ${HOME}/.pki
		40	whitelist ${HOME}/.cache/evolution
		41	whitelist ${HOME}/.config/evolution
		42	whitelist ${HOME}/.local/share/evolution
		43	whitelist ${HOME}/.local/share/pki
		44	whitelist ${DOCUMENTS}
		45	whitelist ${DOWNLOADS}
		46	whitelist ${RUNUSER}/gnupg
		47	whitelist /usr/share/evolution
		48	whitelist /usr/share/gnupg
		49	whitelist /usr/share/gnupg2
		50	whitelist /var/mail
		51	whitelist /var/spool/mail
		52	include whitelist-common.inc
26	include whitelist-runuser-common.inc	53	include whitelist-runuser-common.inc
		54	include whitelist-usr-share-common.inc
		55	include whitelist-var-common.inc
27		56
		57	apparmor
28	caps.drop all	58	caps.drop all
29	netfilter	59	netfilter
30	# no3d breaks under wayland	60	# no3d breaks under wayland
31	#no3d	61	# no3d
32	nodvd	62	nodvd
33	nogroups	63	nogroups
34	nonewprivs	64	nonewprivs
@@ -40,7 +70,27 @@ novideo
40	protocol unix,inet,inet6	70	protocol unix,inet,inet6
41	seccomp	71	seccomp
42	shell none	72	shell none
		73	tracelog
43		74
		75	# disable-mnt
		76	# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
		77	# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
		78	# private-bin evolution
		79	private-cache
44	private-dev	80	private-dev
		81	private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
45	private-tmp	82	private-tmp
		83	writable-run-user
46	writable-var	84	writable-var
		85
		86	dbus-user filter
		87	dbus-user.own org.gnome.Evolution
		88	dbus-user.talk ca.desrt.dconf
		89	# Uncomment to have keyring access
		90	# dbus-user.talk org.freedesktop.secrets
		91	dbus-user.talk org.gnome.keyring.SystemPrompter
		92	dbus-user.talk org.gnome.OnlineAccounts
		93	dbus-user.talk org.freedesktop.Notifications
		94	dbus-system none
		95
		96	read-only ${HOME}/.mozilla/firefox/profiles.ini


diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index ab4ff10b9..8d99da3cf 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
9	# kmail has problems launching akonadi in debian and ubuntu.	9	# kmail has problems launching akonadi in debian and ubuntu.
10	# one solution is to have akonadi already running when kmail is started	10	# one solution is to have akonadi already running when kmail is started
11		11
		12	noblacklist ${HOME}/.gnupg
		13	# noblacklist ${HOME}/.kde/
		14	# noblacklist ${HOME}/.kde4/
		15	noblacklist ${HOME}/.mozilla
12	noblacklist ${HOME}/.cache/akonadi*	16	noblacklist ${HOME}/.cache/akonadi*
13	noblacklist ${HOME}/.cache/kmail2	17	noblacklist ${HOME}/.cache/kmail2
14	noblacklist ${HOME}/.config/akonadi*	18	noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
19	noblacklist ${HOME}/.config/kmailsearchindexingrc	23	noblacklist ${HOME}/.config/kmailsearchindexingrc
20	noblacklist ${HOME}/.config/mailtransports	24	noblacklist ${HOME}/.config/mailtransports
21	noblacklist ${HOME}/.config/specialmailcollectionsrc	25	noblacklist ${HOME}/.config/specialmailcollectionsrc
22	noblacklist ${HOME}/.gnupg
23	noblacklist ${HOME}/.local/share/akonadi*	26	noblacklist ${HOME}/.local/share/akonadi*
24	noblacklist ${HOME}/.local/share/apps/korganizer	27	noblacklist ${HOME}/.local/share/apps/korganizer
25	noblacklist ${HOME}/.local/share/contacts	28	noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
30	noblacklist ${HOME}/.local/share/local-mail	33	noblacklist ${HOME}/.local/share/local-mail
31	noblacklist ${HOME}/.local/share/notes	34	noblacklist ${HOME}/.local/share/notes
32	noblacklist /tmp/akonadi-*	35	noblacklist /tmp/akonadi-*
		36	noblacklist /var/mail
		37	noblacklist /var/spool/mail
33		38
34	include disable-common.inc	39	include disable-common.inc
35	include disable-devel.inc	40	include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
37	include disable-interpreters.inc	42	include disable-interpreters.inc
38	include disable-passwdmgr.inc	43	include disable-passwdmgr.inc
39	include disable-programs.inc	44	include disable-programs.inc
		45	include disable-xdg.inc
40		46
		47	mkdir ${HOME}/.gnupg
		48	# mkdir ${HOME}/.kde/
		49	# mkdir ${HOME}/.kde4/
		50	mkdir ${HOME}/.cache/akonadi*
		51	mkdir ${HOME}/.cache/kmail2
		52	mkdir ${HOME}/.config/akonadi*
		53	mkdir ${HOME}/.config/baloorc
		54	mkdir ${HOME}/.config/emaildefaults
		55	mkdir ${HOME}/.config/emailidentities
		56	mkdir ${HOME}/.config/kmail2rc
		57	mkdir ${HOME}/.config/kmailsearchindexingrc
		58	mkdir ${HOME}/.config/mailtransports
		59	mkdir ${HOME}/.config/specialmailcollectionsrc
		60	mkdir ${HOME}/.local/share/akonadi*
		61	mkdir ${HOME}/.local/share/apps/korganizer
		62	mkdir ${HOME}/.local/share/contacts
		63	mkdir ${HOME}/.local/share/emailidentities
		64	mkdir ${HOME}/.local/share/kmail2
		65	mkdir ${HOME}/.local/share/kxmlgui5/kmail
		66	mkdir ${HOME}/.local/share/kxmlgui5/kmail2
		67	mkdir ${HOME}/.local/share/local-mail
		68	mkdir ${HOME}/.local/share/notes
		69	mkdir /tmp/akonadi-*
		70	whitelist ${HOME}/.gnupg
		71	# whitelist ${HOME}/.kde/
		72	# whitelist ${HOME}/.kde4/
		73	whitelist ${HOME}/.mozilla/firefox/profiles.ini
		74	whitelist ${HOME}/.cache/akonadi*
		75	whitelist ${HOME}/.cache/kmail2
		76	whitelist ${HOME}/.config/akonadi*
		77	whitelist ${HOME}/.config/baloorc
		78	whitelist ${HOME}/.config/emaildefaults
		79	whitelist ${HOME}/.config/emailidentities
		80	whitelist ${HOME}/.config/kmail2rc
		81	whitelist ${HOME}/.config/kmailsearchindexingrc
		82	whitelist ${HOME}/.config/mailtransports
		83	whitelist ${HOME}/.config/specialmailcollectionsrc
		84	whitelist ${HOME}/.local/share/akonadi*
		85	whitelist ${HOME}/.local/share/apps/korganizer
		86	whitelist ${HOME}/.local/share/contacts
		87	whitelist ${HOME}/.local/share/emailidentities
		88	whitelist ${HOME}/.local/share/kmail2
		89	whitelist ${HOME}/.local/share/kxmlgui5/kmail
		90	whitelist ${HOME}/.local/share/kxmlgui5/kmail2
		91	whitelist ${HOME}/.local/share/local-mail
		92	whitelist ${HOME}/.local/share/notes
		93	whitelist ${DOWNLOADS}
		94	whitelist ${DOCUMENTS}
		95	whitelist ${RUNUSER}/gnupg
		96	whitelist /tmp/akonadi-*
		97	whitelist /usr/share/akonadi
		98	whitelist /usr/share/gnupg
		99	whitelist /usr/share/gnupg2
		100	whitelist /usr/share/kconf_update
		101	whitelist /usr/share/kf5
		102	whitelist /usr/share/kservices5
		103	whitelist /usr/share/qlogging-categories5
		104	whitelist /var/mail
		105	whitelist /var/spool/mail
		106	include whitelist-common.inc
		107	include whitelist-runuser-common.inc
		108	include whitelist-usr-share-common.inc
41	include whitelist-var-common.inc	109	include whitelist-var-common.inc
42		110
43	# apparmor	111	apparmor
44	caps.drop all	112	caps.drop all
45	netfilter	113	netfilter
46	nodvd	114	nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
56	seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set	124	seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
57	# tracelog	125	# tracelog
58		126
		127	private-cache
59	private-dev	128	private-dev
		129	private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
60	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments	130	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
61	# writable-run-user is needed for signing and encrypting emails
62	writable-run-user	131	writable-run-user
		132	writable-var
		133
		134	# dbus-user none
		135	dbus-system none
		136
		137	read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 2000ffc62..2f2bfdc79 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -366,6 +366,14 @@ void fs_blacklist(void) {
366	else if (strncmp(entry->data, "tmpfs ", 6) == 0) {	366	else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
367	ptr = entry->data + 6;	367	ptr = entry->data + 6;
368	op = MOUNT_TMPFS;	368	op = MOUNT_TMPFS;
		369	char *resolved_path = realpath(ptr, NULL);
		370	if (!resolved_path \|\| strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) {
		371	if (getuid() != 0) {
		372	fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
		373	exit(1);
		374	}
		375	}
		376	free(resolved_path);
369	}	377	}
370	else if (strncmp(entry->data, "mkdir ", 6) == 0) {	378	else if (strncmp(entry->data, "mkdir ", 6) == 0) {
371	EUID_USER();	379	EUID_USER();


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5d83e6a73..869183e2f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -1412,11 +1412,6 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1412	// filesystem bind	1412	// filesystem bind
1413	if (strncmp(ptr, "bind ", 5) == 0) {	1413	if (strncmp(ptr, "bind ", 5) == 0) {
1414	if (checkcfg(CFG_BIND)) {	1414	if (checkcfg(CFG_BIND)) {
1415	if (getuid() != 0) {
1416	fprintf(stderr, "Error: --bind option is available only if running as root\n");
1417	exit(1);
1418	}
1419
1420	// extract two directories	1415	// extract two directories
1421	char *dname1 = ptr + 5;	1416	char *dname1 = ptr + 5;
1422	char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories	1417	char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
@@ -1432,6 +1427,18 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1432	fprintf(stderr, "Error: invalid file name.\n");	1427	fprintf(stderr, "Error: invalid file name.\n");
1433	exit(1);	1428	exit(1);
1434	}	1429	}
		1430	if (getuid() != 0) {
		1431	char *resolved_path1 = realpath(dname1, NULL);
		1432	char *resolved_path2 = realpath(dname2, NULL);
		1433	assert(resolved_path1 && resolved_path2);
		1434	if (strncmp(cfg.homedir, resolved_path1, strlen(cfg.homedir)) != 0
		1435	\|\| strncmp(cfg.homedir, resolved_path2, strlen(cfg.homedir)) != 0) {
		1436	fprintf(stderr, "Error: bind outside $HOME is only available for root\n");
		1437	exit(1);
		1438	}
		1439	free(resolved_path1);
		1440	free(resolved_path2);
		1441	}
1435	if (is_link(dname1) \|\| is_link(dname2)) {	1442	if (is_link(dname1) \|\| is_link(dname2)) {
1436	fprintf(stderr, "Symbolic links are not allowed for bind command\n");	1443	fprintf(stderr, "Symbolic links are not allowed for bind command\n");
1437	exit(1);	1444	exit(1);
@@ -1563,10 +1570,6 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1563	else if (strncmp(ptr, "noexec ", 7) == 0)	1570	else if (strncmp(ptr, "noexec ", 7) == 0)
1564	ptr += 7;	1571	ptr += 7;
1565	else if (strncmp(ptr, "tmpfs ", 6) == 0) {	1572	else if (strncmp(ptr, "tmpfs ", 6) == 0) {
1566	if (getuid() != 0) {
1567	fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
1568	exit(1);
1569	}
1570	ptr += 6;	1573	ptr += 6;
1571	}	1574	}
1572	else {	1575	else {