14 files changed, 123 insertions, 33 deletions
diff --git a/Makefile.in b/Makefile.in
index 0a0715023..4eee3c073 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -28,12 +28,12 @@ SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary secco
 endif
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS)
-.PHONY: apps filters man mylibs
+.PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
-$(ALL_ITEMS):
+$(ALL_ITEMS): $(MYDIRS)
        $(MAKE) -C $(dir $@)
-.PHONY: mydirs
+.PHONY: mydirs $(MYDIRS)
 mydirs: $(MYDIRS)
 $(MYDIRS):
        $(MAKE) -C $@
@@ -94,12 +94,8 @@ endif
        install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/.
        # libraries and plugins
        install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
-        for file in $(MYLIBS) $(SECCOMP_FILTERS); do \
+        install -m 0644 -t $(DESTDIR)/$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
-                install -c -m 0644 $$file $(DESTDIR)/$(libdir)/firejail/; \
+        install -m 0755 -t $(DESTDIR)/$(libdir)/firejail $(SBOX_APPS)
-        done
-        for app in $(SBOX_APPS); do \
-                install -c -m 0755 $$app $(DESTDIR)/$(libdir)/firejail/; \
-        done
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
        install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
@@ -121,9 +117,6 @@ ifeq ($(BUSYBOX_WORKAROUND),yes)
 endif
        install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
        install -m 0644 -t $(DESTDIR)/$(sysconfdir)/firejail etc/*.profile etc/*.inc etc/*.net etc/firejail.config
-#       for file in etc/*.profile etc/*.inc etc/*.net etc/firejail.config; do \
-#               install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
-#       done
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
        # install apparmor profile
diff --git a/README b/README
index 06680e0b4..3ea3e8d1f 100644
--- a/README
+++ b/README
@@ -37,6 +37,7 @@ Maintainer:
 Committers
 - chiraag-nataraj (https://github.com/chiraag-nataraj)
 - crass (https://github.com/crass)
+- curiosityseeker (https://github.com/curiosityseeker)
 - glitsj16 (https://github.com/glitsj16)
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Kristóf Marussy (https://github.com/kris7t)
diff --git a/README.md b/README.md
index eb576d5f3..a947a8e7e 100644
--- a/README.md
+++ b/README.md
@@ -187,4 +187,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
 penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
 four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
 hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop,,fdns
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns
diff --git a/RELNOTES b/RELNOTES
index 7cad9c257..cae2518bc 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,9 +7,10 @@ firejail (0.9.63) baseline; urgency=low
    /etc/firejail/firejail.config file.
  * DHCP client support
  * SELinux labeling support
-  * 32-bit seccomp filter
+  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in serveral profiles
  * whitelist globbing
+  * mkdir and mkfile support for /run/user directory
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
diff --git a/etc/allow-gjs.inc b/etc/allow-gjs.inc
index f552ede9d..f4f9926cd 100644
--- a/etc/allow-gjs.inc
+++ b/etc/allow-gjs.inc
@@ -8,3 +8,4 @@ noblacklist /usr/lib/gjs
 noblacklist /usr/lib64/gjs
 noblacklist /usr/lib/libgjs*
 noblacklist /usr/lib64/libgjs*
+noblacklist /usr/lib64/libmozjs-*
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 59eac1ee8..ffe60e283 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -501,6 +501,7 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
@@ -759,6 +760,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index bc64a5abf..7c343c26d 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -44,8 +44,7 @@ notv
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
 seccomp !chroot
-# Uncomment the next line (or put it into your firefox-common.local) if your firefox doesn't require a shell to lauch.
+shell none
-#shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
diff --git a/etc/shortwave.profile b/etc/shortwave.profile
new file mode 100644
index 000000000..ee2314833
--- /dev/null
+++ b/etc/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index b3ebd4996..d339ce476 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -119,7 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
-#GTK3 only: include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index cd5f2a1d4..809ab3129 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -258,7 +258,7 @@ gist-paste
 gitg
 github-desktop
 gitter
-gjs
+# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
 globaltime
 gmpc
 gnome-2048
@@ -602,6 +602,7 @@ seamonkey
 seamonkey-bin
 secret-tool
 shellcheck
+shortwave
 shotcut
 signal-cli
 signal-desktop
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index eb660df90..0e213f2f8 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,22 @@
 #include <sys/wait.h>
 #include <string.h>
+static void check(const char *fname) {
+        // manufacture /run/user directory
+        char *runuser;
+        if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+                errExit("asprintf");
+        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+            strncmp(fname, "/tmp", 4) != 0 &&
+            strncmp(fname, runuser, strlen(runuser)) != 0) {
+                fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+                exit(1);
+        }
+        free(runuser);
+}
 static void mkdir_recursive(char *path) {
        char *subdir = NULL;
        struct stat s;
@@ -61,11 +77,7 @@ void fs_mkdir(const char *name) {
        // check directory name
        invalid_filename(name, 0); // no globbing
        char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+        check(expanded); // will exit if wrong path
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-                exit(1);
-        }
        struct stat s;
        if (stat(expanded, &s) == 0) {
@@ -101,11 +113,7 @@ void fs_mkfile(const char *name) {
        // check file name
        invalid_filename(name, 0); // no globbing
        char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+        check(expanded); // will exit if wrong path
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-                exit(1);
-        }
        struct stat s;
        if (stat(expanded, &s) == 0) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6405fd301..df2d2a2e8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -211,7 +211,7 @@ Disable /mnt, /media, /run/mount and /run/media access.
 /var/tmp directory is untouched.
 .TP
 \fBmkdir directory
-Create a directory in user home or under /tmp before the sandbox is started.
+Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started.
 The directory is created if it doesn't already exist.
 .br
@@ -230,10 +230,18 @@ whitelist ~/.mozilla
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
+.br
+.br
+For files in /run/user/<PID> use ${RUNUSER} macro:
+.br
+.br
+mkdir ${RUNUSER}/firejail-testing
 .TP
 \fBmkfile file
-Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started.
+Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID>
-The file is created if it doesn't already exist.
+before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
index 8a7ac9d97..59005e1a2 100755
--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -17,10 +17,32 @@ expect {
 send -- "rm -rf ~/.firejail_test\r"
 after 100
+send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 2.3\n";exit}
+        "/tmp/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /tmp/.firejail_test\r"
+after 100
+set UID [exec id -u]
+send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 3.3\n";exit}
+        "/run/user/$UID/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /run/user/$UID/.firejail_test\r"
+after 100
 send -- "firejail --profile=mkdir2.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "only directories in user home or /tmp"
+        "only files or directories in user home, /tmp, or /run/user/<UID>"
 }
 after 100
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
index 61b44c9ac..35c27c872 100644
--- a/test/fs/mkdir.profile
+++ b/test/fs/mkdir.profile
@@ -1,2 +1,6 @@
 mkdir ~/.firejail_test/a/b/c
 mkfile ~/.firejail_test/a/b/c/d.txt
+mkdir /tmp/.firejail_test/a/b/c
+mkfile /tmp/.firejail_test/a/b/c/d.txt
+mkdir ${RUNUSER}/.firejail_test/a/b/c
+mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt