7 files changed, 42 insertions, 19 deletions

diff --git a/configure b/configure
index 50abe97c2..fb8051518 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.28.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.29-github.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.28'
-PACKAGE_STRING='firejail 0.9.28'
+PACKAGE_VERSION='0.9.29-github'
+PACKAGE_STRING='firejail 0.9.29-github'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.sourceforge.net'
 
@@ -1236,7 +1236,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.28 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.29-github to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1297,7 +1297,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.28:";;
+     short | recursive ) echo "Configuration of firejail 0.9.29-github:";;
    esac
   cat <<\_ACEOF
 
@@ -1386,7 +1386,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.28
+firejail configure 0.9.29-github
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1688,7 +1688,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.28, which was
+It was created by firejail $as_me 0.9.29-github, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4087,7 +4087,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.28, which was
+This file was extended by firejail $as_me 0.9.29-github, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4141,7 +4141,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.28
+firejail config.status 0.9.29-github
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 9e34aec20..8c5a65397 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.28, netblue30@yahoo.com, , http://firejail.sourceforge.net)
+AC_INIT(firejail, 0.9.29-github, netblue30@yahoo.com, , http://firejail.sourceforge.net)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 343907584..877428637 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -415,9 +415,18 @@ void profile_read(const char *fname, const char *skip1, const char *skip2) {
                                 p++;
                         }
                         
+                        // expand ${HOME}/ in front of the new profile file
+                        char *newprofile2 = NULL;
+                        if (strncmp(newprofile, "${HOME}", 7) == 0) {
+                                if (asprintf(&newprofile2, "%s%s", cfg.homedir, newprofile + 7) == -1)
+                                        errExit("asprintf");
+                        }                               
+                        
                         // recursivity
-                        profile_read(newprofile, newskip1, newskip2);
+                        profile_read((newprofile2)? newprofile2:newprofile, newskip1, newskip2);
                         include_level--;
+                        if (newprofile2)
+                                free(newprofile2);
                         free(ptr);
                         continue;
                 }
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 6613dc044..768896872 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -1,4 +1,4 @@
-.TH man 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 46da19ecd..f85e10171 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,4 +1,4 @@
-.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
+.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
 profile \- Profile file syntax for Firejail
 
@@ -15,8 +15,19 @@ directory and ~/.config/firejail directory.
 Include and comment support:
 
 .TP
-\f\include other.profile
-Include other.profile file.
+\f\include other.profile exclude-token
+Include other.profile file. exclued-token disables blacklist commands in other.profile
+if exclude-token word is found in the name section of blacklist command.
+exclude-tyoken is optional.
+
+Example: "include /etc/firejail/disable-common.inc .filezilla"
+loads disable-common.inc file disables "blacklist ${HOME}/.filezilla" command in this file.
+
+other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
+file in user home directory.
+
+Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
+
 .TP
 # this is a comment
 
@@ -81,14 +92,17 @@ Enable default Linux capabilities filter.
 caps.drop all
 Blacklist all Linux capabilities.
 .TP
-caps.drop capability,capability,capability
+caps.keep capability,capability,capability
 Blacklist Linux capabilities filter.
 .TP
 caps.drop capability,capability,capability
 Whitelist Linux capabilities filter.
 .TP
 \f\seccomp
-Enable default seccomp filter.
+Enable default seccomp filter.  The default list is as follows:
+mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
+iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \f\seccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 51f21975e..4e8d96d31 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1,4 +1,4 @@
-.TH man 1 "MONTH YEAR" "VERSION" "firejail man page"
+.TH FIREJAIL 1 "MONTH YEAR" "VERSION" "firejail man page"
 .SH NAME
 Firejail \- Linux namespaces sandbox program
 .SH SYNOPSIS
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index b6010f46e..293547a3b 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -1,4 +1,4 @@
-.TH man 1 "MONTH YEAR" "VERSION" "firemon man page"
+.TH FIREMON 1 "MONTH YEAR" "VERSION" "firemon man page"
 .SH NAME
 Firemon \- Monitoring program for processes started in a Firejail sandbox.
 .SH SYNOPSIS