12 files changed, 345 insertions, 27 deletions

diff --git a/README b/README
index a690a9b65..6ea10c901 100644
--- a/README
+++ b/README
@@ -127,6 +127,7 @@ Vasya Novikov (https://github.com/vn971)
         - Hedegewars profile
         - manpage fixes
         - fixed firecfg clean/clear issue
+        - found the ugliest bug so far
 curiosity-seeker (https://github.com/curiosity-seeker)
         - tightening unbound and dnscrypt-proxy profiles
         - dnsmasq profile
diff --git a/RELNOTES b/RELNOTES
index b0d93c141..0eb9db370 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -8,6 +8,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
   * Sandbox auditing support (--audit)
   * remove environment variable (--rmenv)
   * noexec support (--noexec)
+  * --overlay-clean option
   * Ubuntu snap support
   * include /dev/snd in --private-dev
   * added mkfile profile command
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 105092036..c1e983c16 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -340,7 +340,8 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s
 
 int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw)
 {
-
+(void) st;
+(void) sftw;
    char *homedir = cfg.homedir;
    char *dest;
         int  srcbaselen = 0;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9f6fa5142..acae7c3dd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -263,6 +263,23 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 printf("\n");
                 exit(0);
         }
+        else if (strcmp(argv[i], "--overlay-clean") == 0) {
+                char *path;
+                if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                        errExit("asprintf");
+                EUID_ROOT();
+                if (setreuid(0, 0) < 0)
+                        errExit("setreuid");
+                if (setregid(0, 0) < 0)
+                        errExit("setregid");
+                errno = 0;
+                int rv = remove_directory(path);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
+                        exit(1);
+                }
+                exit(0);
+        }
 #ifdef HAVE_X11
         else if (strcmp(argv[i], "--x11") == 0) {
                 if (checkcfg(CFG_X11)) {
@@ -744,6 +761,7 @@ int main(int argc, char **argv) {
                                     strcmp(argv[i], "--debug-protocols") == 0 ||
                                     strcmp(argv[i], "--help") == 0 ||
                                     strcmp(argv[i], "--version") == 0 ||
+                                    strcmp(argv[i], "--overlay-clean") == 0 ||
                                     strncmp(argv[i], "--dns.print=", 12) == 0 ||
                                     strncmp(argv[i], "--bandwidth=", 12) == 0 ||
                                     strncmp(argv[i], "--caps.print=", 13) == 0 ||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index baba93791..03558cca7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -179,11 +179,13 @@ void usage(void) {
         printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n");
         printf("\tLinux kernel for this option to work). \n\n");   
 
+        printf("    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n\n");
+        
         printf("    --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
         printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
         printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n");
         printf("\tsupport is required in Linux kernel for this option to work).\n\n");   
-
+        
         printf("    --private - mount new /root and /home/user directories in temporary\n");
         printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
         printf("\tclosed.\n\n");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index dc906532f..24bb71e4c 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -17,7 +17,9 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
+#define _XOPEN_SOURCE 500
 #include "firejail.h"
+#include <ftw.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <syslog.h>
@@ -78,7 +80,7 @@ void drop_privs(int nogroups) {
 
 int mkpath_as_root(const char* path) {
         assert(path && *path);
-        
+
         // work on a copy of the path
         char *file_path = strdup(path);
         if (!file_path)
@@ -101,19 +103,18 @@ int mkpath_as_root(const char* path) {
                         if (chown(file_path, 0, 0) == -1)
                                 errExit("chown");
                         done = 1;
-                }                       
+                }
 
                 *p='/';
         }
         if (done)
                 fs_logger2("mkpath", path);
-                
+
         free(file_path);
         return 0;
 }
 
 
-
 void logsignal(int s) {
         if (!arg_debug)
                 return;
@@ -211,12 +212,13 @@ int copy_file(const char *srcname, const char *destname) {
         return 0;
 }
 
+
 // return 1 if the file is a directory
 int is_dir(const char *fname) {
         assert(fname);
         if (*fname == '\0')
                 return 0;
-        
+
         // if fname doesn't end in '/', add one
         int rv;
         struct stat s;
@@ -227,20 +229,21 @@ int is_dir(const char *fname) {
                 if (asprintf(&tmp, "%s/", fname) == -1) {
                         fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
                         errExit("asprintf");
-                }               
+                }
                 rv = stat(tmp, &s);
                 free(tmp);
         }
-        
+
         if (rv == -1)
                 return 0;
-                
+
         if (S_ISDIR(s.st_mode))
                 return 1;
 
         return 0;
 }
 
+
 // return 1 if the file is a link
 int is_link(const char *fname) {
         assert(fname);
@@ -325,7 +328,7 @@ char *split_comma(char *str) {
 
 int not_unsigned(const char *str) {
         EUID_ASSERT();
-        
+
         int rv = 0;
         const char *ptr = str;
         while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') {
@@ -347,7 +350,7 @@ int find_child(pid_t parent, pid_t *child) {
         *child = 0;                               // use it to flag a found child
 
         DIR *dir;
-        EUID_ROOT(); // grsecurity fix
+        EUID_ROOT();                              // grsecurity fix
         if (!(dir = opendir("/proc"))) {
                 // sleep 2 seconds and try again
                 sleep(2);
@@ -404,13 +407,11 @@ int find_child(pid_t parent, pid_t *child) {
 }
 
 
-
 void extract_command_name(int index, char **argv) {
         EUID_ASSERT();
         assert(argv);
         assert(argv[index]);
 
-
         // configure command index
         cfg.original_program_index = index;
 
@@ -447,7 +448,6 @@ void extract_command_name(int index, char **argv) {
                         exit(1);
                 }
 
-
                 char *tmp = strdup(ptr);
                 if (!tmp)
                         errExit("strdup");
@@ -533,6 +533,7 @@ void notify_other(int fd) {
         fclose(stream);
 }
 
+
 // This function takes a pathname supplied by the user and expands '~' and
 // '${HOME}' at the start, to refer to a path relative to the user's home
 // directory (supplied).
@@ -541,7 +542,7 @@ void notify_other(int fd) {
 char *expand_home(const char *path, const char* homedir) {
         assert(path);
         assert(homedir);
-        
+
         // Replace home macro
         char *new_name = NULL;
         if (strncmp(path, "${HOME}", 7) == 0) {
@@ -554,10 +555,11 @@ char *expand_home(const char *path, const char* homedir) {
                         errExit("asprintf");
                 return new_name;
         }
-        
+
         return strdup(path);
 }
 
+
 // Equivalent to the GNU version of basename, which is incompatible with
 // the POSIX basename. A few lines of code saves any portability pain.
 // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
@@ -568,17 +570,18 @@ const char *gnu_basename(const char *path) {
         return last_slash+1;
 }
 
+
 uid_t pid_get_uid(pid_t pid) {
         EUID_ASSERT();
         uid_t rv = 0;
-        
+
         // open status file
         char *file;
         if (asprintf(&file, "/proc/%u/status", pid) == -1) {
                 perror("asprintf");
                 exit(1);
         }
-        EUID_ROOT();    // grsecurity fix
+        EUID_ROOT();                              // grsecurity fix
         FILE *fp = fopen(file, "r");
         if (!fp) {
                 free(file);
@@ -597,16 +600,16 @@ uid_t pid_get_uid(pid_t pid) {
                         }
                         if (*ptr == '\0')
                                 break;
-                                
+
                         rv = atoi(ptr);
-                        break; // break regardless!
+                        break;                    // break regardless!
                 }
         }
 
         fclose(fp);
         free(file);
-        EUID_USER();    // grsecurity fix
-        
+        EUID_USER();                              // grsecurity fix
+
         if (rv == 0) {
                 fprintf(stderr, "Error: cannot read /proc file\n");
                 exit(1);
@@ -614,14 +617,15 @@ uid_t pid_get_uid(pid_t pid) {
         return rv;
 }
 
+
 void invalid_filename(const char *fname) {
         EUID_ASSERT();
         assert(fname);
         const char *ptr = fname;
-        
+
         if (arg_debug_check_filename)
                 printf("Checking filename %s\n", fname);
-        
+
         if (strncmp(ptr, "${HOME}", 7) == 0)
                 ptr = fname + 7;
         else if (strncmp(ptr, "${PATH}", 7) == 0)
@@ -637,6 +641,7 @@ void invalid_filename(const char *fname) {
         }
 }
 
+
 uid_t get_tty_gid(void) {
         // find tty group id
         gid_t ttygid = 0;
@@ -647,6 +652,7 @@ uid_t get_tty_gid(void) {
         return ttygid;
 }
 
+
 uid_t get_audio_gid(void) {
         // find tty group id
         gid_t audiogid = 0;
@@ -656,3 +662,22 @@ uid_t get_audio_gid(void) {
 
         return audiogid;
 }
+
+
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+        (void) sb;
+        (void) typeflag;
+        (void) ftwbuf;
+        
+        int rv = remove(fpath);
+        if (rv)
+                perror(fpath);
+
+        return rv;
+}
+
+
+int remove_directory(const char *path) {
+        // FTW_PHYS - do not follow symbolic links
+        return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
+}
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 7c961adde..188c10183 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -90,7 +90,7 @@ static int pid_is_firejail(pid_t pid) {
                 // list of firejail arguments that don't trigger sandbox creation
                 // the initial -- is not included 
                 char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols "
-                        "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get ";
+                        "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get overlay-clean ";
                 
                 int i;
                 char *start;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c6b73f428..fb8cb630b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1008,6 +1008,16 @@ Example:
 $ firejail \-\-overlay firefox
 
 .TP
+\fB\-\-overlay-clean
+Clean all overlays stored in $HOME/.firejail directory.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-overlay-clean
+
+.TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
 and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh
index 6332bee9a..b33f0660a 100755
--- a/test/dist-compile/compile.sh
+++ b/test/dist-compile/compile.sh
@@ -11,6 +11,7 @@ arr[8]="TEST 8: compile network restricted"
 arr[9]="TEST 9: compile file transfer disabled"
 arr[10]="TEST 10: compile disable whitelist"
 arr[11]="TEST 11: compile disable global config"
+arr[12]="TEST 12: compile apparmor"
 
 # remove previous reports and output file
 cleanup() {
@@ -261,6 +262,25 @@ cp output-configure oc11
 cp output-make om11
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 12
+#*****************************************************************
+# - enable apparmor
+# - check compilation
+#*****************************************************************
+print_title "${arr[11]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-apparmor  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test12
+grep Error output-configure output-make >> ./report-test12
+cp output-configure oc12
+cp output-make om12
+rm output-configure output-make
+
 
 #*****************************************************************
 # PRINT REPORTS
@@ -287,3 +307,4 @@ echo ${arr[8]}
 echo ${arr[9]}
 echo ${arr[10]}
 echo ${arr[11]}
+echo ${arr[12]}
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index ee6351e2e..d45ef48bd 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -56,3 +56,16 @@ echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
 
 echo "TESTING: double whitelist (test/fs/whitelist-double.exp)"
 ./whitelist-double.exp
+
+
+echo "TESTING: whitelist (test/fs/whitelist.exp)"
+./whitelist.exp
+rm -fr ~/fjtest-dir
+rm -fr ~/fjtest-dir-lnk
+rm -f ~/fjtest-file
+rm -f ~/fjtest-file-lnk
+rm -f /tmp/fjtest-file
+rm -fr /tmp/fjtest-dir
+
+
+
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp
index 08b15e04b..34463dbe4 100755
--- a/test/fs/whitelist-double.exp
+++ b/test/fs/whitelist-double.exp
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2016 Firejail Authors
 # License GPL v2
 
-set timeout 30
+set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
new file mode 100755
index 000000000..9a9a0f353
--- /dev/null
+++ b/test/fs/whitelist.exp
@@ -0,0 +1,226 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
+after 200
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "rm /tmp/fjtest-file\r"
+after 200
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 200
+
+
+# simple files and directories
+send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r"
+after 200
+send -- "echo 123 > ~/fjtest-file\r"
+after 200
+send -- "echo 123 > ~/fjtest-dir/fjtest-file\r"
+after 200
+send -- "echo 123 > ~/fjtest-dir/fjtest-dir/fjtest-file\r"
+after 200
+send -- "ln -s ~/fjtest-file ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r"
+after 200
+
+send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2"
+}
+
+send -- "cat fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "123"
+}
+
+send -- "exit\r"
+sleep 1
+
+
+
+# simple files and directories
+send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "1"
+}
+
+send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "123"
+}
+
+send -- "exit\r"
+sleep 1
+
+
+
+# symlinks
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "4"
+}
+
+send -- "cat fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-file-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-dir-lnk/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+
+# symlinks outside home to a file we don't own
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "invalid whitelist path"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "exiting"
+}
+sleep 1
+
+# symlinks outside home to a file we own
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "echo 123 > /tmp/fjtest-file\r"
+after 200
+send -- "mkdir /tmp/fjtest-dir\r"
+after 200
+send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r"
+after 200
+send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 40\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 41\n";exit}
+        "2"
+}
+
+send -- "cat fjtest-file-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 42\n";exit}
+        "123"
+}
+
+send -- "cat fjtest-dir-lnk/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 43\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
+after 200
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "rm /tmp/fjtest-file\r"
+after 200
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 200
+
+
+puts "\nall done\n"
+