14 files changed, 53 insertions, 278 deletions

diff --git a/Makefile.in b/Makefile.in
index 6c98742b7..1142059a5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -160,9 +160,6 @@ snap: all
 install-snap: snap
         sudo snap remove faudit; sudo snap install faudit*.snap
 
-github-compile:
-        cd test/compile; ./compile.sh
-
 dist-compile: dist
         cd test/dist-compile; ./compile.sh $(NAME)-$(VERSION)
         
diff --git a/README b/README
index 6e6411619..4145d5165 100644
--- a/README
+++ b/README
@@ -158,6 +158,7 @@ yumkam (https://github.com/yumkam)
         - man page fixes
 mahdi1234 (https://github.com/mahdi1234)
         - cherrytree profile
+        - Seamonkey profiles
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
@@ -176,6 +177,7 @@ pszxzsd (https://github.com/pszxzsd)
 Rahiel Kasim (https://github.com/rahiel)
         - Mathematica profile
         - whitelisted Dropbox profile
+        - whitelisted keysnail config for firefox
 creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
 sinkuu (https://github.com/sinkuu)
@@ -187,8 +189,7 @@ Holger Heinz (https://github.com/hheinz)
         - manpage work
 Andrey Alekseenko (https://github.com/al42and)
         - fixing lintian warnings
-mahdi1234 (https://github.com/mahdi1234)
-        - Seamonkey profiles
+        - fixed Skype profile
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Christian Stadelmann (https://github.com/genodeftest)
@@ -199,8 +200,6 @@ Kaan Genç (https://github.com/SeriousBug)
         - dynamic allocation of noblacklist buffer
 Veeti Paananen (https://github.com/veeti)
         - fixed Spotify profile
-Rahiel Kasim (https://github.com/rahiel)
-        - whitelist keysnail config for firefox
 rogshdo (https://github.com/rogshdo)
         - BitlBee profile
 Bruno Nova (https://github.com/brunonova)
@@ -208,8 +207,6 @@ Bruno Nova (https://github.com/brunonova)
         - bash arguments fix
 Matt Parnell (https://github.com/ilikenwf)
         - whitelisting for core firefox related functionality
-Andrey Alekseenko (https://github.com/al42and)
-        - fixed Skype profile
 Ondra Nekola (https://github.com/satai)
         - allow firefox theming with non-global themes
 emacsomancer (https://github.com/emacsomancer)
diff --git a/README.md b/README.md
index 67dd017a7..3047bf908 100644
--- a/README.md
+++ b/README.md
@@ -196,6 +196,6 @@ Browsers: Palemoon
 
 ## New security profiles
 
-Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
+Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
 tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess
 
diff --git a/RELNOTES b/RELNOTES
index 77270987e..79f634dcd 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -18,9 +18,10 @@ firejail (0.9.42~rc2) baseline; urgency=low
   * seccomp filter updated
   * compile time and run time support to disable whitelists
   * compile time support to disable global configuration file
+  * added quiet-by-default config option in /etc/firejail/firejail.config
   * added netfilter-default config option in /etc/firejail/firejail.config
   * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
-  * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less
+  * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less
   * new profiles: Atom Beta, Atom, jitsi, eom, uudeview
   * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux
  -- netblue30 <netblue30@yahoo.com>  Thu, 21 Jul 2016 08:00:00 -0500
diff --git a/etc/firejail.config b/etc/firejail.config
index 20c4d7a5f..82fe65ac7 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -15,12 +15,16 @@
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
-# that is partially under their control.  Default disabled
+# that is partially under their control.  Default disabled.
 # force-nonewprivs no
 
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
 # Restricted networking grants access to --interface, --net=ethXXX and
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index e93970f7d..297f7e6a9 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -7,14 +7,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-net none
 nogroups
 nonewprivs
 noroot
 nosound
+protocol unix
 seccomp
 shell none
 tracelog
 
-private-bin gnome-chess
+private-bin fairymax,gnome-chess,hoichess
 private-dev
+private-etc fonts,gnome-chess
+private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
deleted file mode 100644
index 6ebe81d09..000000000
--- a/etc/strings.profile
+++ /dev/null
@@ -1,10 +0,0 @@
-# strings profile
-quiet
-ignore noroot
-include /etc/firejail/default.profile
-tracelog
-net none
-shell none
-private-dev
-private-tmp
-nosound
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index d2ee3a83e..633123e92 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -111,7 +111,6 @@
 /etc/firejail/ssh.profile
 /etc/firejail/steam.profile
 /etc/firejail/stellarium.profile
-/etc/firejail/strings.profile
 /etc/firejail/tar.profile
 /etc/firejail/telegram.profile
 /etc/firejail/thunderbird.profile
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 12921e294..3b60dafb6 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -220,7 +220,12 @@ int checkcfg(int val) {
                                 if (!xephyr_extra_params)
                                         errExit("strdup");
                         }
-
+                        
+                        // quiet by default
+                        else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        arg_quiet = 1;
+                        }
                         else
                                 goto errout;
 
diff --git a/src/firejail/env.c b/src/firejail/env.c
index a5b3ccfb3..79d6b81e3 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -133,7 +133,7 @@ void env_defaults(void) {
                 errExit("setenv");
 
         // set the window title
-        printf("\033]0;firejail %s\007\n", cfg.window_title);
+        printf("\033]0;firejail %s\007", cfg.window_title);fflush(0);
 }
 
 // parse and store the environment setting 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5bcfa6066..86126672e 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1064,6 +1064,16 @@ int fs_check_chroot_dir(const char *rootdir) {
         struct stat s;
         char *name;
 
+        // rootdir has to be owned by root
+        if (stat(rootdir, &s) != 0) {
+                fprintf(stderr, "Error: cannot find chroot directory\n");
+                return 1;
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot directory should be owned by root\n");
+                return 1;
+        }
+
         // check /dev
         if (asprintf(&name, "%s/dev", rootdir) == -1)
                 errExit("asprintf");
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
deleted file mode 100755
index 1207ef518..000000000
--- a/test/compile/compile.sh
+++ /dev/null
@@ -1,243 +0,0 @@
-#!/bin/bash
-
-arr[1]="TEST 1: standard compilation"
-arr[2]="TEST 2: compile seccomp disabled"
-arr[3]="TEST 3: compile chroot disabled"
-arr[4]="TEST 4: compile bind disabled"
-arr[5]="TEST 5: compile user namespace disabled"
-arr[6]="TEST 6: compile network disabled"
-arr[7]="TEST 7: compile X11 disabled"
-arr[8]="TEST 8: compile network restricted"
-arr[9]="TEST 9: compile file transfer disabled"
-
-
-# remove previous reports and output file
-cleanup() {
-        rm -f report*
-        rm -fr firejail
-        rm -f oc* om*
-}
-
-print_title() {
-        echo
-        echo
-        echo
-        echo "**************************************************"
-        echo $1
-        echo "**************************************************"
-}
-
-while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
-    case "$1" in
-    --clean)
-        cleanup
-        exit
-        ;;
-    --help)
-        echo "./compile.sh [--clean|--help]"
-        exit
-        ;;
-    esac
-    shift       # Check next set of parameters.
-done
-
-cleanup
-
-#*****************************************************************
-# TEST 1
-#*****************************************************************
-# - checkout source code
-# - check compilation
-# - install
-#*****************************************************************
-print_title "${arr[1]}"
-git clone https://github.com/netblue30/firejail.git
-cd firejail
-./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test1
-grep Error output-configure output-make >> ./report-test1
-cp output-configure oc1
-cp output-make om1
-rm output-configure output-make
-
-
-#*****************************************************************
-# TEST 2
-#*****************************************************************
-# - disable seccomp configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[2]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-seccomp  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test2
-grep Error output-configure output-make >> ./report-test2
-cp output-configure oc2
-cp output-make om2
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 3
-#*****************************************************************
-# - disable chroot configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[3]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-chroot  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test3
-grep Error output-configure output-make >> ./report-test3
-cp output-configure oc3
-cp output-make om3
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 4
-#*****************************************************************
-# - disable bind configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[4]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-bind  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test4
-grep Error output-configure output-make >> ./report-test4
-cp output-configure oc4
-cp output-make om4
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 5
-#*****************************************************************
-# - disable user namespace configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[5]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-userns  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test5
-grep Error output-configure output-make >> ./report-test5
-cp output-configure oc5
-cp output-make om5
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 6
-#*****************************************************************
-# - disable user namespace configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[6]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-network  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test6
-grep Error output-configure output-make >> ./report-test6
-cp output-configure oc6
-cp output-make om6
-rm output-configure output-make
-
-#*****************************************************************
-# TEST 7
-#*****************************************************************
-# - disable X11 support
-# - check compilation
-#*****************************************************************
-print_title "${arr[7]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-x11  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test7
-grep Error output-configure output-make >> ./report-test7
-cp output-configure oc7
-cp output-make om7
-rm output-configure output-make
-
-
-#*****************************************************************
-# TEST 8
-#*****************************************************************
-# - enable network restricted
-# - check compilation
-#*****************************************************************
-print_title "${arr[8]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --enable-network=restricted  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test8
-grep Error output-configure output-make >> ./report-test8
-cp output-configure oc8
-cp output-make om8
-rm output-configure output-make
-
-
-#*****************************************************************
-# TEST 9
-#*****************************************************************
-# - disable file transfer
-# - check compilation
-#*****************************************************************
-print_title "${arr[9]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --enable-network=restricted  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test9
-grep Error output-configure output-make >> ./report-test9
-cp output-configure oc9
-cp output-make om9
-rm output-configure output-make
-
-
-#*****************************************************************
-# PRINT REPORTS
-#*****************************************************************
-echo
-echo
-echo
-echo
-echo "**********************************************************"
-echo "TEST RESULTS"
-echo "**********************************************************"
-
-wc -l report-test*
-echo
-echo  "Legend:"
-echo ${arr[1]}
-echo ${arr[2]}
-echo ${arr[3]}
-echo ${arr[4]}
-echo ${arr[5]}
-echo ${arr[6]}
-echo ${arr[7]}
-echo ${arr[8]}
-echo ${arr[9]}
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index 315b73c9d..99939133d 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -15,14 +15,14 @@ else
         echo "TESTING SKIP: cpio not found"
 fi
 
-which strings
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: strings"
-        ./strings.exp
-else
-        echo "TESTING SKIP: strings not found"
-fi
+#which strings
+#if [ "$?" -eq 0 ];
+#then
+#       echo "TESTING: strings"
+#       ./strings.exp
+#else
+#       echo "TESTING SKIP: strings not found"
+#fi
 
 which gzip
 if [ "$?" -eq 0 ];
diff --git a/todo b/todo
index 323374525..8fe3904da 100644
--- a/todo
+++ b/todo
@@ -266,3 +266,16 @@ $ sudo aa-notify -p -f /var/log/audit/audit.log
 24. check monitor proc behaviour for sandboxes with --blacklist=/proc
 also check --apparmor in this case
 
+25. bring back strings.profile
+
+# strings profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound
+