21 files changed, 157 insertions, 38 deletions
diff --git a/README.md b/README.md
index f90cdb7d4..bc2708041 100644
--- a/README.md
+++ b/README.md
@@ -151,4 +151,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ### New profiles:
-gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams
+gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal
diff --git a/RELNOTES b/RELNOTES
index ab0dc481d..df0e3ec85 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -8,7 +8,7 @@ firejail (0.9.63) baseline; urgency=low
  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
  * new profiles: presentations18, presentations18free, textmaker18, teams
-  * new profiles: textmaker18free
+  * new profiles: textmaker18free, xournal
 firejail (0.9.62) baseline; urgency=low
  * added file-copy-limit in /etc/firejail/firejail.config
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc
index fbdee22ee..9df8e8d32 100644
--- a/etc/allow-lua.inc
+++ b/etc/allow-lua.inc
@@ -3,6 +3,8 @@
 include allow-lua.local
 noblacklist ${PATH}/lua*
-noblacklist /usr/include/lua*
+noblacklist /usr/include
+noblacklist /usr/lib/liblua*
 noblacklist /usr/lib/lua
 noblacklist /usr/share/lua
+noblacklist /usr/share/lua*
diff --git a/etc/conky.profile b/etc/conky.profile
index 10a243cd3..e5cd7085a 100644
--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${PICTURES}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index ae539e1bc..495a75a54 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -13,8 +13,9 @@ blacklist /usr/lib64/libgjs*
 # Lua
 blacklist ${PATH}/lua*
 blacklist /usr/include/lua*
+blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
-blacklist /usr/share/lua
+blacklist /usr/share/lua*
 # Node.js
 blacklist ${PATH}/node
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index a6e730937..43e8d5cd7 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -6,8 +6,11 @@ include discord-common.local
 # added by caller profile
 #include globals.local
+ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,11 +28,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
-noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 253b82cfe..9d84f07de 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
-private-bin 7z,7za,7zr,ar,arj,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,rar,rzip,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
index 6c1d77986..5e69fdb51 100644
--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -6,5 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
+whitelist /usr/share/firefox-esr
 # Redirect
 include firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 0530516d8..4a2cb260f 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -15,6 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/doc
+whitelist /usr/share/firefox
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 56cd66199..80c45d20b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 9d0b4c4c9..482528be1 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -23,8 +23,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-#net none
+net none
-netfilter
 nodbus
 nodvd
 nogroups
diff --git a/etc/slack.profile b/etc/slack.profile
index 54069f657..9a10e38fe 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -28,7 +28,7 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 6e888c163..f6efcf1a4 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -47,6 +47,7 @@ whitelist ${HOME}/.thunderbird
 whitelist /usr/share/gnupg
 whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
diff --git a/etc/xournal.profile b/etc/xournal.profile
new file mode 100644
index 000000000..fa5200ea3
--- /dev/null
+++ b/etc/xournal.profile
@@ -0,0 +1,47 @@
+# Firejail profile for xournal
+# Description: Note taking and PDF editing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournal.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/xournal
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin xournal
+private-cache
+private-dev
+private-etc alternatives,fonts,group,machine-id,passwd
+# TODO should use private-lib
+private-tmp
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 6d312aff6..6eac10703 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -27,7 +27,7 @@ nodvd
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index adf66f008..4cd4fad6c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -722,6 +722,7 @@ xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
+xournal
 xpdf
 xplayer
 xplayer-audio-preview
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cc5f01ead..7391a8994 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -359,6 +359,7 @@ char *guess_shell(void);
 // sandbox.c
 int sandbox(void* sandbox_arg);
 void start_application(int no_sandbox, FILE *fp);
+void set_apparmor(void);
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 500b6bf1b..fbce72429 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -157,9 +157,6 @@ static void create_link(const char *oldpath, const char *newpath) {
                fprintf(stderr, "Error: cannot create %s device\n", newpath);
                exit(1);
        }
-        if (chown(newpath, 0, 0) < 0) {;}
        fs_logger2("create", newpath);
        return;
 }
@@ -302,12 +299,10 @@ void fs_private_dev(void){
        fs_logger("clone /dev/pts");
        // stdin, stdout, stderr
-#if 0
        create_link("/proc/self/fd", "/dev/fd");
        create_link("/proc/self/fd/0", "/dev/stdin");
        create_link("/proc/self/fd/1", "/dev/stdout");
        create_link("/proc/self/fd/2", "/dev/stderr");
-#endif
        // symlinks for DVD/CD players
        if (stat("/dev/sr0", &s) == 0) {
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 531f8c06a..fa1f64333 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -26,7 +26,11 @@
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
 #endif
 static int apply_caps = 0;
@@ -50,6 +54,46 @@ static void install_handler(void) {
        sigaction(SIGTERM, &sga, NULL);
 }
+#ifdef HAVE_APPARMOR
+static void extract_apparmor(pid_t pid) {
+        if (checkcfg(CFG_APPARMOR)) {
+                EUID_USER();
+                if (aa_is_enabled() == 1) {
+                        // get pid of next child process
+                        pid_t child;
+                        if (find_child(pid, &child) == 1)
+                                child = pid; // no child, proceed with current pid
+                        // get name of AppArmor profile
+                        char *fname;
+                        if (asprintf(&fname, "/proc/%d/attr/current", child) == -1)
+                                errExit("asprintf");
+                        EUID_ROOT();
+                        int fd = open(fname, O_RDONLY|O_CLOEXEC);
+                        EUID_USER();
+                        free(fname);
+                        if (fd == -1)
+                                goto errexit;
+                        char buf[BUFLEN];
+                        ssize_t rv = read(fd, buf, sizeof(buf) - 1);
+                        close(fd);
+                        if (rv < 0)
+                                goto errexit;
+                        buf[rv] = '\0';
+                        // process confined by Firejail's AppArmor policy?
+                        if (strncmp(buf, "firejail-default", 16) == 0)
+                                arg_apparmor = 1;
+                }
+                EUID_ROOT();
+        }
+        return;
+errexit:
+        fprintf(stderr, "Error: cannot read /proc file\n");
+        exit(1);
+}
+#endif // HAVE_APPARMOR
 static void extract_x11_display(pid_t pid) {
        char *fname;
        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
@@ -388,6 +432,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
                extract_cgroup(pid);
                extract_nogroups(pid);
                extract_user_namespace(pid);
+#ifdef HAVE_APPARMOR
+                extract_apparmor(pid);
+#endif
        }
        // set cgroup
@@ -501,6 +548,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                // kill the child in case the parent died
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+#ifdef HAVE_APPARMOR
+                // add apparmor confinement after the execve
+                set_apparmor();
+#endif
                extract_command(argc, argv, index);
                if (cfg.command_line == NULL) {
                        assert(cfg.shell);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d1d98f636..d1879fd98 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -29,6 +29,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <syscall.h>
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -37,16 +38,15 @@
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
+#define PR_SET_NO_NEW_PRIVS 38
 #endif
 #ifndef PR_GET_NO_NEW_PRIVS
-# define PR_GET_NO_NEW_PRIVS 39
+#define PR_GET_NO_NEW_PRIVS 39
 #endif
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif
-#include <syscall.h>
 static int force_nonewprivs = 0;
@@ -125,6 +125,21 @@ static void set_caps(void) {
                caps_drop_dac_override();
 }
+#ifdef HAVE_APPARMOR
+void set_apparmor(void) {
+        EUID_ASSERT();
+        if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
+                if (aa_change_onexec("firejail-default")) {
+                        fwarning("Cannot confine the application using AppArmor.\n"
+                                "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+                                "As root, run \"aa-enforce firejail-default\" to load it.\n");
+                }
+                else if (arg_debug)
+                        printf("AppArmor enabled\n");
+        }
+}
+#endif
 static void save_nogroups(void) {
        if (arg_nogroups == 0)
                return;
@@ -1203,17 +1218,10 @@ int sandbox(void* sandbox_arg) {
        if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-                if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
+                // add apparmor confinement after the execve
-                        errno = 0;
+                set_apparmor();
-                        if (aa_change_onexec("firejail-default")) {
-                                fwarning("Cannot confine the application using AppArmor.\n"
-                                        "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
-                                        "As root, run \"aa-enforce firejail-default\" to load it.\n");
-                        }
-                        else if (arg_debug)
-                                printf("AppArmor enabled\n");
-                }
 #endif
                // set nice and rlimits
                if (arg_nice)
                        set_nice(cfg.nice);
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index c3b68f3a8..0c7b13f1c 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -53,11 +53,17 @@ static struct sock_filter filter[] = {
 #ifdef SYS_ptrace
        BLACKLIST(SYS_ptrace), // trace processes
 #endif
+#ifdef SYS_process_vm_readv
+        BLACKLIST(SYS_process_vm_readv),
+#endif
+#ifdef SYS_process_vm_writev
+        BLACKLIST(SYS_process_vm_writev),
+#endif
 #ifdef SYS_kexec_file_load
-        BLACKLIST(SYS_kexec_file_load),
+        BLACKLIST(SYS_kexec_file_load), // loading a different kernel
 #endif
 #ifdef SYS_kexec_load
-        BLACKLIST(SYS_kexec_load), // loading a different kernel
+        BLACKLIST(SYS_kexec_load),
 #endif
 #ifdef SYS_name_to_handle_at
        BLACKLIST(SYS_name_to_handle_at),
@@ -83,9 +89,6 @@ static struct sock_filter filter[] = {
 #ifdef  SYS_ioperm
        BLACKLIST(SYS_ioperm),
 #endif
-#ifdef SYS_iopl
-        BLACKLIST(SYS_iopl), // io permissions
-#endif
 #ifdef  SYS_ioprio_set
        BLACKLIST(SYS_ioprio_set),
 #endif