13 files changed, 134 insertions, 55 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 71791c000..57ac2e9c4 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,10 +1,10 @@
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
-If you make a PR for new profiles or changeing profiles please do the following:
+If you submit a PR for new profiles or changing profiles, please do the following:
- - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
+ - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
-   > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
+   > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
- - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
+ - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
 The path to it depends on your distro:
   | Distro | Path |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 06b8cfb6d..7a37c9fb4 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/neomutt
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsboat
 blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
@@ -437,6 +438,7 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-dlg
 blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
@@ -702,6 +704,8 @@ blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
 blacklist ${HOME}/.local/share/news-flash
+blacklist ${HOME}/.local/share/newsbeuter
+blacklist ${HOME}/.local/share/newsboat
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index 85581a2f0..6efb19502 100644
--- a/etc/profile-m-z/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -7,13 +7,23 @@ include newsbeuter.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.config/newsbeuter
+ignore include newsboat.local
-noblacklist ${HOME}/.newsbeuter
+ignore mkdir ${HOME}/.config/newsboat
+ignore mkdir ${HOME}/.local/share/newsboat
+ignore mkdir ${HOME}/.newsboat
+blacklist ${PATH}/newsboat
+blacklist ${HOME}/.config/newsboat
+blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.newsboat
+nowhitelist ${HOME}/.config/newsboat
+nowhitelist ${HOME}/.local/share/newsboat
+nowhitelist ${HOME}/.newsboat
 mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.local/share/newsbeuter
 mkdir ${HOME}/.newsbeuter
-whitelist ${HOME}/.config/newsbeuter
-whitelist ${HOME}/.newsbeuter
 private-bin newsbeuter
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 85b780ced..23c2de43c 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -6,6 +6,11 @@ include newsboat.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.config/newsboat
+noblacklist ${HOME}/.local/share/newsbeuter
+noblacklist ${HOME}/.local/share/newsboat
+noblacklist ${HOME}/.newsbeuter
 noblacklist ${HOME}/.newsboat
 include disable-common.inc
@@ -16,7 +21,14 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/newsboat
+mkdir ${HOME}/.local/share/newsboat
 mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsbeuter
+whitelist ${HOME}/.local/share/newsboat
+whitelist ${HOME}/.newsbeuter
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -38,7 +50,7 @@ seccomp
 shell none
 disable-mnt
-private-bin gzip,lynx,newsboat,sh
+private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index fce7dc461..38d291324 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -36,10 +36,20 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 disable-mnt
+#private-bin telegram,Telegram,telegram-desktop
 private-cache
 private-dev
 private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-system none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 232ff8ae4..64d787bfb 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -44,6 +44,7 @@ shell none
 tracelog
 #disable-mnt
+#private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
new file mode 100644
index 000000000..c072d6267
--- /dev/null
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -0,0 +1,56 @@
+# Firejail profile for youtube-dl-gui
+# Description: A cross platform front-end GUI of the popular youtube-dl media downloader
+include youtube-dl-gui.local
+# This file is overwritten after every install/update
+include globals.local
+#These are blacklisted by disable-interpreters.inc
+include allow-python2.inc
+include allow-python3.inc
+noblacklist ${HOME}/.config/youtube-dlg
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/youtube-dlg
+whitelist ${HOME}/.config/youtube-dlg
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index af5497757..065245a63 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -203,7 +203,7 @@ include globals.local
 #  - Some features like native notifications are implemented as portal too.
 #  - In order to make dconf work (when used by the app) you need to allow
 #    'ca.desrt.dconf' even when not allowed by flatpak.
-# Notes and Policiy about addresses can be found at
+# Notes and policies about addresses can be found at
 # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
 #dbus-user filter
 #dbus-user.own com.github.netblue30.firejail
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 85a5b0453..3da415b70 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -875,6 +875,7 @@ yandex-browser
 yelp
 youtube
 youtube-dl
+youtube-dl-gui
 youtube-viewer
 youtubemusic-nativefier
 ytmdesktop
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index fe79daa70..8b7e49611 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
                                }
                        }
                        fs_tmpfs(fname, getuid());
+                        selinux_relabel_path(fname, fname);
                        last_disable = SUCCESSFUL;
                }
                else
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 2c5ea8be0..46f32d7ad 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -31,7 +31,7 @@
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
                        if (chown(homedir, u, g) < 0)
                                errExit("chown");
-                        selinux_relabel_path(homedir, homedir);
                        fs_logger2("mkdir", homedir);
                        fs_logger2("tmpfs", homedir);
                }
@@ -392,6 +391,8 @@ void fs_private(void) {
                        // mask user home directory
                        // the directory should be owned by the current user
                        fs_tmpfs(homedir, 1);
+                selinux_relabel_path(homedir, homedir);
        }
        skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
        // create /run/firejail/mnt/home directory
        mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-        selinux_relabel_path(RUN_HOME_DIR, "/home");
+        selinux_relabel_path(RUN_HOME_DIR, homedir);
        fs_logger_print();      // save the current log
        if (arg_debug)
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 0dfd9ca1c..a0ca4c02c 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -72,7 +72,7 @@ static void sanitize_home(void) {
        if (arg_debug)
                printf("Cleaning /home directory\n");
-        // keep a copy of the user home directory
+        // open user home directory in order to keep it around
        int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
                goto errout;
@@ -82,47 +82,38 @@ static void sanitize_home(void) {
                close(fd);
                goto errout;
        }
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
-                errExit("mkdir");
-        if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        free(proc);
-        close(fd);
-        // mount tmpfs in the new home
+        // mount tmpfs on /home
        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
        selinux_relabel_path("/home", "/home");
        fs_logger("tmpfs /home");
-        // create user home directory
+        // create new user home directory
        if (mkdir(cfg.homedir, 0755) == -1) {
-                if (mkpath_as_root(cfg.homedir))
+                if (mkpath_as_root(cfg.homedir) == -1)
                        errExit("mkpath");
                if (mkdir(cfg.homedir, 0755) == -1)
                        errExit("mkdir");
-                selinux_relabel_path(cfg.homedir, cfg.homedir);
        }
        fs_logger2("mkdir", cfg.homedir);
        // set mode and ownership
        if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
                errExit("set_perms");
+        selinux_relabel_path(cfg.homedir, cfg.homedir);
-        // mount user home directory
+        // bring back real user home directory
-        if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
-        // mask home dir under /run
-        if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mount tmpfs");
-        fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
        if (!arg_private)
                fs_logger2("whitelist", cfg.homedir);
        return;
 errout:
@@ -137,22 +128,15 @@ static void sanitize_run(void) {
        if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
                errExit("asprintf");
-        struct stat s;
+        // open /run/user/$UID directory in order to keep it around
-        if (stat(runuser, &s) == -1) {
+        int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                // cannot find /user/run/$UID directory, just return
+        if (fd == -1) {
                if (arg_debug)
-                        printf("Cannot find %s directory\n", runuser);
+                        printf("Cannot open %s directory\n", runuser);
                free(runuser);
                return;
        }
-        if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
-                errExit("mkdir");
-        // keep a copy of the /run/user/$UID directory
-        if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
        // mount tmpfs on /run/user
        if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
@@ -162,22 +146,23 @@ static void sanitize_run(void) {
        // create new user directory
        if (mkdir(runuser, 0700) == -1)
                errExit("mkdir");
-        selinux_relabel_path(runuser, runuser);
        fs_logger2("mkdir", runuser);
        // set mode and ownership
        if (set_perms(runuser, getuid(), getgid(), 0700))
                errExit("set_perms");
+        selinux_relabel_path(runuser, runuser);
-        // mount /run/user/$UID directory
+        // bring back real run/user/$UID directory
-        if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
-        // mask mirrored /run/user/$UID directory
+        fs_logger2("whitelist", runuser);
-        if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mount tmpfs");
-        fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
        free(runuser);
 }
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 5749c66e4..d14f6782f 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -84,8 +84,6 @@
 #define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
 #define RUN_WHITELIST_X11_DIR           RUN_MNT_DIR "/orig-x11"
-#define RUN_WHITELIST_HOME_DIR          RUN_MNT_DIR "/orig-home"                // default home directory masking
-#define RUN_WHITELIST_RUN_DIR           RUN_MNT_DIR "/orig-run"         // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR     RUN_MNT_DIR "/orig-home-user"           // home directory whitelisting
 #define RUN_WHITELIST_RUN_USER_DIR      RUN_MNT_DIR "/orig-run-user"            // run directory whitelisting
 #define RUN_WHITELIST_TMP_DIR           RUN_MNT_DIR "/orig-tmp"