15 files changed, 184 insertions, 9 deletions

diff --git a/README b/README
index 2e852c5c7..d1874227f 100644
--- a/README
+++ b/README
@@ -18,6 +18,8 @@ License: GPL v2
 Firejail Authors:
 
 netblue30 (netblue30@yahoo.com)
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
 sinkuu (https://github.com/sinkuu)
         - blacklisting kwalletd
 Bader Zaidan (https://github.com/BaderSZ)
diff --git a/RELNOTES b/RELNOTES
index 4e903eece..8281c71a9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.37) baseline; urgency=low
   * added KMail, Seamonkey, Telegram profiles
   * --join command enhancement (--join-network, --join-filesystem)
   * symlink invocation
+  * --user command
  -- netblue30 <netblue30@yahoo.com>  Tue,  5 Jan 2016 08:00:00 -0500
 
 firejail (0.9.36) baseline; urgency=low
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 7c1384523..e2e55a045 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -21,8 +21,4 @@ whitelist ~/.pentadactyl
 whitelist ~/.conkerorrc
 
 # common
-whitelist ~/.fonts
-whitelist ~/.fonts.d
-whitelist ~/.fontconfig
-whitelist ~/.fonts.conf
-whitelist ~/.fonts.conf.d
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f04702618..e7974f02d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -119,7 +119,3 @@ read-only ${HOME}/.xmonad
 # The user ~/bin directory can override commands such as ls
 read-only ${HOME}/bin
 
-# syslog
-blacklist /dev/kmsg
-blacklist /proc/kmsg
-
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index e0c5c93a3..d13bab06b 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -2,6 +2,9 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 4dd00178b..aba5a9ba1 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+private
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 3c8318ff8..5a96c7fc4 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -13,6 +13,7 @@ whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
 whitelist ~/.config/fontconfig
+whitelist ~/.cache/fontconfig
 
 # gtk
 whitelist ~/.gtkrc
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 21ca6c508..a2afd4a8d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -505,5 +505,8 @@ void fs_logger_print_log(pid_t pid);
 // run_symlink.c
 void run_symlink(int argc, char **argv);
 
+// user.c
+void check_user(int argc, char **argv);
+
 #endif
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 50e55f868..f4c448024 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -604,6 +604,18 @@ void fs_proc_sys_dev_boot(void) {
         if (stat("/dev/port", &s) == 0) {
                 disable_file(BLACKLIST_FILE, "/dev/port");
         }
+        
+        if (getuid() != 0) {
+                // disable /dev/kmsg
+                if (stat("/dev/kmsg", &s) == 0) {
+                        disable_file(BLACKLIST_FILE, "/dev/kmsg");
+                }
+                
+                // disable /proc/kmsg
+                if (stat("/proc/kmsg", &s) == 0) {
+                        disable_file(BLACKLIST_FILE, "/proc/kmsg");
+                }
+        }
 }
 
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2ae3213ee..7afbf9ce3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -514,6 +514,7 @@ int main(int argc, char **argv) {
         else {
                 // check --output option and execute it;
                 check_output(argc, argv); // the function will not return if --output option was found
+                check_user(argc, argv); // the function will not return if --user option was found
         }
         
         // parse arguments
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9197baae2..d3ebefaae 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -286,6 +286,7 @@ void usage(void) {
         printf("\t--tracelog - add a syslog message for every access to files or\n");
         printf("\t\tdirectoires blacklisted by the security profile.\n\n");
         printf("\t--tree - print a tree of all sandboxed processes.\n\n");
+        printf("\t--user=new_user - switch the user before starting the sandbox.\n\n");
         printf("\t--version - print program version and exit.\n\n");
         printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n");
         printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n");
diff --git a/src/firejail/user.c b/src/firejail/user.c
new file mode 100644
index 000000000..e5f7848e8
--- /dev/null
+++ b/src/firejail/user.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <grp.h>
+#include <pwd.h>
+
+
+void check_user(int argc, char **argv) {
+        int i;
+        char *user = NULL;
+
+        int found = 0;
+        for (i = 1; i < argc; i++) {
+                // check options
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+                
+                // check user option            
+                if (strncmp(argv[i], "--user=", 7) == 0) {
+                        found = 1;
+                        user = argv[i] + 7;
+                        break;
+                }
+        }
+        if (!found)
+                return;
+
+        // check root
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to use --user command line option\n");
+                exit(1);
+        }
+        
+        // switch user
+        struct passwd *pw = getpwnam(user);
+        if (!pw) {
+                fprintf(stderr, "Error: cannot find user %s\n", user);
+                exit(1);
+        }
+
+        printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid);
+        int rv = initgroups(user, pw->pw_gid);
+        if (rv == -1) {
+                perror("initgroups");
+                fprintf(stderr, "Error: cannot switch to user %s\n", user);
+        }
+
+        rv = setgid(pw->pw_gid);
+        if (rv == -1) {
+                perror("setgid");
+                fprintf(stderr, "Error: cannot switch to user %s\n", user);
+        }
+
+        rv = setuid(pw->pw_uid);
+        if (rv == -1) {
+                perror("setuid");
+                fprintf(stderr, "Error: cannot switch to user %s\n", user);
+        }
+
+        // build the new command line
+        int len = 0;
+        for (i = 0; i < argc; i++) {
+                len += strlen(argv[i]) + 1; // + ' '
+        }
+        
+        char *cmd = malloc(len + 1); // + '\0'
+        if (!cmd)
+                errExit("malloc");
+        
+        char *ptr = cmd;
+        int first = 1;
+        for (i = 0; i < argc; i++) {
+                if (strncmp(argv[i], "--user=", 7) == 0 && first) {
+                        first = 0;
+                        continue;
+                }
+                
+                ptr += sprintf(ptr, "%s ", argv[i]);
+        }
+
+        // run command
+        char *a[4];
+        a[0] = "/bin/bash";
+        a[1] = "-c";
+        a[2] = cmd;
+        a[3] = NULL;
+
+        execvp(a[0], a); 
+
+        perror("execvp");
+        exit(1);
+}
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 13eccbdce..ef65530db 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1441,6 +1441,15 @@ $ firejail \-\-tree
 .br
   11970:netblue:transmission-gtk 
 .TP
+\fB\-\-user=new-user
+Switch the user before starting the sandbox. This command should be run as root.
+.br
+
+.br
+Example:
+.br
+# firejail \-\-user=www-data
+.TP
 \fB\-\-version
 Print program version and exit.
 .br
diff --git a/test/kmsg.exp b/test/kmsg.exp
new file mode 100755
index 000000000..096bdb708
--- /dev/null
+++ b/test/kmsg.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cat /dev/kmsg\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "cat /proc/kmsg\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/test.sh b/test/test.sh
index 44bb7ba99..2c051d13b 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -86,6 +86,9 @@ rm -f index.html*
 echo "TESTING: extract command"
 ./extract_command.exp
 
+echo "TESTING: kmsg access"
+./kmsg.exp
+
 echo "TESTING: rlimit"
 ./option_rlimit.exp