8 files changed, 28 insertions, 22 deletions
diff --git a/README b/README
index f6bc037c4..1cd24b0c4 100644
--- a/README
+++ b/README
@@ -147,6 +147,8 @@ Christian Stadelmann (https://github.com/genodeftest)
        - evolution profile fix
 Clayton Williams (https://github.com/gosre)
        - addition of RLIMIT_AS
+crass (https://github.com/crass)
+        - extract_command_name fixes
 curiosity-seeker (https://github.com/curiosity-seeker)
        - tightening unbound and dnscrypt-proxy profiles
        - correct and tighten QuiteRss profile
@@ -660,6 +662,7 @@ veloute (https://github.com/veloute)
        - added standardnotes profile
        - added flameshot profile
        - added jdownloader profile
+        - fixed discord profile
 Vincent43 (https://github.com/Vincent43)
        - apparmor enhancements
 vismir2 (https://github.com/vismir2)
diff --git a/configure b/configure
index 1efa588a5..a7ef3a392 100755
--- a/configure
+++ b/configure
@@ -3832,7 +3832,7 @@ fi
 # set sysconfdir
 if test "$prefix" = /usr; then
-        sysconfdir="/etc"
+        test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"
diff --git a/configure.ac b/configure.ac
index f01bf2199..d1b827fef 100644
--- a/configure.ac
+++ b/configure.ac
@@ -183,7 +183,7 @@ AC_SUBST(HAVE_SECCOMP_H)
 # set sysconfdir
 if test "$prefix" = /usr; then
-        sysconfdir="/etc"
+        test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index b835ce401..babef37b1 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -26,7 +26,7 @@ seccomp
 private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies
+private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 noexec ${HOME}
diff --git a/etc/evince.profile b/etc/evince.profile
index 2ade9c6f6..ea46ccc40 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -40,7 +40,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*
+private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
 private-tmp
diff --git a/etc/firejail-default b/etc/firejail-default
index c4107270c..88bf9aa44 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -47,6 +47,9 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
+# Allow writing to removable media
+owner /{,var/}run/media/** w,
 # Allow logging Firejail blacklist violations to journal
 /{,var/}run/systemd/journal/socket w,
 /{,var/}run/systemd/journal/dev-log w,
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 2d4640430..6dd4a7e2d 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -430,7 +430,7 @@ void fs_whitelist(void) {
                        // if 1 the file was not found; mount an empty directory
                        if (!nowhitelist_flag) {
-                                if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
+                                if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0 && new_name[strlen(cfg.homedir)] == '/') {
                                        if(!arg_private)
                                                home_dir = 1;
                                }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 4a164901d..ae07a42b0 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -636,33 +636,33 @@ void extract_command_name(int index, char **argv) {
        if (!cfg.command_name)
                errExit("strdup");
-        // restrict the command name to the first word
-        char *ptr = cfg.command_name;
-        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
-                ptr++;
-        *ptr = '\0';
        // remove the path: /usr/bin/firefox becomes firefox
-        ptr = strrchr(cfg.command_name, '/');
+        char *basename = cfg.command_name;
+        char *ptr = strrchr(cfg.command_name, '/');
        if (ptr) {
-                ptr++;
+                basename = ++ptr;
                if (*ptr == '\0') {
                        fprintf(stderr, "Error: invalid command name\n");
                        exit(1);
                }
+        }
+        else
+                ptr = basename;
-                char *tmp = strdup(ptr);
+        // restrict the command name to the first word
-                if (!tmp)
+        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
-                        errExit("strdup");
+                ptr++;
-                // limit the command to the first ' '
+        // command name is a substring of cfg.command_name
-                char *ptr2 = tmp;
+        if (basename != cfg.command_name || *ptr != '\0') {
-                while (*ptr2 != ' ' && *ptr2 != '\0')
+                *ptr = '\0';
-                        ptr2++;
+                
-                *ptr2 = '\0';
+                basename = strdup(basename);
+                if (!basename)
+                        errExit("strdup");
                free(cfg.command_name);
-                cfg.command_name = tmp;
+                cfg.command_name = basename;
        }
 }

diff --git a/README b/README index f6bc037c4..1cd24b0c4 100644 --- a/README +++ b/README
@@ -147,6 +147,8 @@ Christian Stadelmann (https://github.com/genodeftest)
147	- evolution profile fix	147	- evolution profile fix
148	Clayton Williams (https://github.com/gosre)	148	Clayton Williams (https://github.com/gosre)
149	- addition of RLIMIT_AS	149	- addition of RLIMIT_AS
		150	crass (https://github.com/crass)
		151	- extract_command_name fixes
150	curiosity-seeker (https://github.com/curiosity-seeker)	152	curiosity-seeker (https://github.com/curiosity-seeker)
151	- tightening unbound and dnscrypt-proxy profiles	153	- tightening unbound and dnscrypt-proxy profiles
152	- correct and tighten QuiteRss profile	154	- correct and tighten QuiteRss profile
@@ -660,6 +662,7 @@ veloute (https://github.com/veloute)
660	- added standardnotes profile	662	- added standardnotes profile
661	- added flameshot profile	663	- added flameshot profile
662	- added jdownloader profile	664	- added jdownloader profile
		665	- fixed discord profile
663	Vincent43 (https://github.com/Vincent43)	666	Vincent43 (https://github.com/Vincent43)
664	- apparmor enhancements	667	- apparmor enhancements
665	vismir2 (https://github.com/vismir2)	668	vismir2 (https://github.com/vismir2)


diff --git a/configure b/configure index 1efa588a5..a7ef3a392 100755 --- a/configure +++ b/configure
@@ -3832,7 +3832,7 @@ fi
3832		3832
3833	# set sysconfdir	3833	# set sysconfdir
3834	if test "$prefix" = /usr; then	3834	if test "$prefix" = /usr; then
3835	sysconfdir="/etc"	3835	test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
3836	fi	3836	fi
3837		3837
3838	ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"	3838	ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"


diff --git a/configure.ac b/configure.ac index f01bf2199..d1b827fef 100644 --- a/configure.ac +++ b/configure.ac
@@ -183,7 +183,7 @@ AC_SUBST(HAVE_SECCOMP_H)
183		183
184	# set sysconfdir	184	# set sysconfdir
185	if test "$prefix" = /usr; then	185	if test "$prefix" = /usr; then
186	sysconfdir="/etc"	186	test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
187	fi	187	fi
188		188
189	AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \	189	AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \


diff --git a/etc/discord-common.profile b/etc/discord-common.profile index b835ce401..babef37b1 100644 --- a/etc/discord-common.profile +++ b/etc/discord-common.profile
@@ -26,7 +26,7 @@ seccomp
26		26
27	private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh	27	private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
28	private-dev	28	private-dev
29	private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies	29	private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
30	private-tmp	30	private-tmp
31		31
32	noexec ${HOME}	32	noexec ${HOME}


diff --git a/etc/evince.profile b/etc/evince.profile index 2ade9c6f6..ea46ccc40 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -40,7 +40,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
40	private-dev	40	private-dev
41	private-etc fonts	41	private-etc fonts
42		42
43	private-lib evince,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libdjvulibre.so.,libgconf-2.so.,libpoppler-glib.so.,librsvg-2.so.*	43	private-lib evince,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libdjvulibre.so.,libgconf-2.so.,libpoppler-glib.so.,librsvg-2.so.*,gconv
44		44
45	private-tmp	45	private-tmp
46		46


diff --git a/etc/firejail-default b/etc/firejail-default index c4107270c..88bf9aa44 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -47,6 +47,9 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/orcexec. w,
47		47
48	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,	48	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
49		49
		50	# Allow writing to removable media
		51	owner /{,var/}run/media/** w,
		52
50	# Allow logging Firejail blacklist violations to journal	53	# Allow logging Firejail blacklist violations to journal
51	/{,var/}run/systemd/journal/socket w,	54	/{,var/}run/systemd/journal/socket w,
52	/{,var/}run/systemd/journal/dev-log w,	55	/{,var/}run/systemd/journal/dev-log w,


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 2d4640430..6dd4a7e2d 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -430,7 +430,7 @@ void fs_whitelist(void) {
430		430
431	// if 1 the file was not found; mount an empty directory	431	// if 1 the file was not found; mount an empty directory
432	if (!nowhitelist_flag) {	432	if (!nowhitelist_flag) {
433	if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {	433	if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0 && new_name[strlen(cfg.homedir)] == '/') {
434	if(!arg_private)	434	if(!arg_private)
435	home_dir = 1;	435	home_dir = 1;
436	}	436	}


diff --git a/src/firejail/util.c b/src/firejail/util.c index 4a164901d..ae07a42b0 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -636,33 +636,33 @@ void extract_command_name(int index, char **argv) {
636	if (!cfg.command_name)	636	if (!cfg.command_name)
637	errExit("strdup");	637	errExit("strdup");
638		638
639	// restrict the command name to the first word
640	char *ptr = cfg.command_name;
641	while (ptr != ' ' && ptr != '\t' && *ptr != '\0')
642	ptr++;
643	*ptr = '\0';
644
645	// remove the path: /usr/bin/firefox becomes firefox	639	// remove the path: /usr/bin/firefox becomes firefox
646	ptr = strrchr(cfg.command_name, '/');	640	char *basename = cfg.command_name;
		641	char *ptr = strrchr(cfg.command_name, '/');
647	if (ptr) {	642	if (ptr) {
648	ptr++;	643	basename = ++ptr;
649	if (*ptr == '\0') {	644	if (*ptr == '\0') {
650	fprintf(stderr, "Error: invalid command name\n");	645	fprintf(stderr, "Error: invalid command name\n");
651	exit(1);	646	exit(1);
652	}	647	}
		648	}
		649	else
		650	ptr = basename;
653		651
654	char *tmp = strdup(ptr);	652	// restrict the command name to the first word
655	if (!tmp)	653	while (ptr != ' ' && ptr != '\t' && *ptr != '\0')
656	errExit("strdup");	654	ptr++;
657		655
658	// limit the command to the first ' '	656	// command name is a substring of cfg.command_name
659	char *ptr2 = tmp;	657	if (basename != cfg.command_name \|\| *ptr != '\0') {
660	while (ptr2 != ' ' && ptr2 != '\0')	658	*ptr = '\0';
661	ptr2++;	659
662	*ptr2 = '\0';	660	basename = strdup(basename);
		661	if (!basename)
		662	errExit("strdup");
663		663
664	free(cfg.command_name);	664	free(cfg.command_name);
665	cfg.command_name = tmp;	665	cfg.command_name = basename;
666	}	666	}
667	}	667	}
668		668